[PATCH openEuler-1.0-LTS 0/2] fix CVE-2024-46777 for 4.19
From: Ma Wupeng <mawupeng1@huawei.com> fix cve for CVE-2024-46777. Jan Kara (2): udf: Define EFSCORRUPTED error code udf: Avoid excessive partition lengths fs/udf/super.c | 15 +++++++++++++++ fs/udf/udf_sb.h | 2 ++ 2 files changed, 17 insertions(+) -- 2.25.1
From: Jan Kara <jack@suse.cz> stable inclusion from stable-v4.19.276 commit 5c034e88aba86508911126e34322dfbc79a2a27f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX38 CVE: CVE-2024-46777 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 3d2d7e61553dbcc8ba45201d8ae4f383742c8202 ] Similarly to other filesystems define EFSCORRUPTED error code for reporting internal filesystem corruption. Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Ma Wupeng <mawupeng1@huawei.com> --- fs/udf/udf_sb.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/udf/udf_sb.h b/fs/udf/udf_sb.h index d12e507e9eb2..aa58173b468f 100644 --- a/fs/udf/udf_sb.h +++ b/fs/udf/udf_sb.h @@ -57,6 +57,8 @@ #define MF_DUPLICATE_MD 0x01 #define MF_MIRROR_FE_LOADED 0x02 +#define EFSCORRUPTED EUCLEAN + struct udf_meta_data { __u32 s_meta_file_loc; __u32 s_mirror_file_loc; -- 2.25.1
From: Jan Kara <jack@suse.cz> stable inclusion from stable-v4.19.322 commit c0c23130d38e8bc28e9ef581443de9b1fc749966 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX38 CVE: CVE-2024-46777 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit ebbe26fd54a9621994bc16b14f2ba8f84c089693 ] Avoid mounting filesystems where the partition would overflow the 32-bits used for block number. Also refuse to mount filesystems where the partition length is so large we cannot safely index bits in a block bitmap. Link: https://patch.msgid.link/20240620130403.14731-1-jack@suse.cz Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org> Conflicts: fs/udf/super.c [Ma Wupeng: fix compile warning] Signed-off-by: Ma Wupeng <mawupeng1@huawei.com> --- fs/udf/super.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/fs/udf/super.c b/fs/udf/super.c index 7af011dc9ae8..699cda7f89f9 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c @@ -1044,12 +1044,19 @@ static int udf_fill_partdesc_info(struct super_block *sb, struct udf_part_map *map; struct udf_sb_info *sbi = UDF_SB(sb); struct partitionHeaderDesc *phd; + u32 sum; int err; map = &sbi->s_partmaps[p_index]; map->s_partition_len = le32_to_cpu(p->partitionLength); /* blocks */ map->s_partition_root = le32_to_cpu(p->partitionStartingLocation); + if (check_add_overflow(map->s_partition_root, map->s_partition_len, + &sum)) { + udf_err(sb, "Partition %d has invalid location %u + %u\n", + p_index, map->s_partition_root, map->s_partition_len); + return -EFSCORRUPTED; + } if (p->accessType == cpu_to_le32(PD_ACCESS_TYPE_READ_ONLY)) map->s_partition_flags |= UDF_PART_FLAG_READ_ONLY; @@ -1105,6 +1112,14 @@ static int udf_fill_partdesc_info(struct super_block *sb, bitmap->s_extPosition = le32_to_cpu( phd->unallocSpaceBitmap.extPosition); map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_BITMAP; + /* Check whether math over bitmap won't overflow. */ + if (check_add_overflow(map->s_partition_len, + (__u32)(sizeof(struct spaceBitmapDesc) << 3), + &sum)) { + udf_err(sb, "Partition %d is too long (%u)\n", p_index, + map->s_partition_len); + return -EFSCORRUPTED; + } udf_debug("unallocSpaceBitmap (part %d) @ %u\n", p_index, bitmap->s_extPosition); } -- 2.25.1
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/11854 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/K... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/11854 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/K...
participants (2)
-
patchwork bot -
Wupeng Ma