From: Stian Skjelstad
Date: Sun, 22 Aug 2021 09:33:32 +0000 (+0200)
Subject: udf_get_extendedattr() had no boundary checks.
X-Git-Tag: accepted/tizen/unified/20230118.172025~6587^2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=58bc6d1be2f3b0ceecb6027dfa17513ec6aa2abb;p=platform%2Fkernel%2Flinux-rpi.git

udf_get_extendedattr() had no boundary checks.

When parsing the ExtendedAttr data, malicous or corrupt attribute length could cause kernel hangs and buffer overruns in some special cases.

Link: https://lore.kernel.org/r/20210822093332.25234-1-stian.skjelstad@gmail.com
Signed-off-by: Stian Skjelstad
Signed-off-by: Jan Kara
---
diff --git a/fs/udf/misc.c b/fs/udf/misc.c
index eab9452..1614d30 100644
--- a/fs/udf/misc.c
+++ b/fs/udf/misc.c
@@ -173,13 +173,22 @@ struct genericFormat *udf_get_extendedattr(struct inode *inode, uint32_t type,
 else
 offset = le32_to_cpu(eahd->appAttrLocation);
- while (offset < iinfo->i_lenEAttr) {
+ while (offset + sizeof(*gaf) < iinfo->i_lenEAttr) {
+ uint32_t attrLength;
+
 gaf = (struct genericFormat *)&ea[offset];
+ attrLength = le32_to_cpu(gaf->attrLength);
+
+ /* Detect undersized elements and buffer overflows */
+ if ((attrLength < sizeof(*gaf)) ||
+ (attrLength > (iinfo->i_lenEAttr - offset)))
+ break;
+
 if (le32_to_cpu(gaf->attrType) == type && gaf->attrSubtype == subtype)
 return gaf;
 else
- offset += le32_to_cpu(gaf->attrLength);
+ offset += attrLength;
 }
 }
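Review bot: The `break` added after the new length check turns a malformed attribute list into a silent "not found" — the loop exits and the function tail (outside the hunk, presumably `return NULL`) gives the caller no way to tell a corrupt EA area from a missing attribute, and nothing is logged for an on-disk structure that is now known to be bad. A one-line `udf_err(inode->i_sb, "corrupt extended attribute at offset %u, length %u\n", offset, attrLength);` before the `break` would make such images visible in the kernel log without changing the (safe) control flow. The guard `offset + sizeof(*gaf) < iinfo->i_lenEAttr` also drops a trailing element whose header ends exactly at i_lenEAttr; with `<=` the following `attrLength > (iinfo->i_lenEAttr - offset)` check would still bound it, so whether the strict `<` is intentional (a header-only attribute carries no data for callers) deserves a comment such as `/* an attribute must have room for its header plus at least one byte past it */` or a switch to `<=`. The initial `offset` comes from the `eahd` fields read before this hunk and is validated here only by that loop guard; udf_get_extendedattr begins outside the hunk.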