From: Gianfranco Trad gianf.trad@gmail.com
stable inclusion from stable-v5.15.170 commit 4fc0d8660e391dcd8dde23c44d702be1f6846c61 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB2SWN CVE: CVE-2024-50143
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 264db9d666ad9a35075cc9ed9ec09d021580fbb1 ]
Check for overflow when computing alen in udf_current_aext to mitigate later uninit-value use in udf_get_fileshortad KMSAN bug[1]. After applying the patch reproducer did not trigger any issue[2].
[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df [2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000
Reported-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df Tested-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com Suggested-by: Jan Kara jack@suse.com Signed-off-by: Gianfranco Trad gianf.trad@gmail.com Signed-off-by: Jan Kara jack@suse.cz Link: https://patch.msgid.link/20240925074613.8475-3-gianf.trad@gmail.com Signed-off-by: Sasha Levin sashal@kernel.org Conflicts: fs/udf/inode.c [The stable version 5.10 is missing patch 4fc0d8660e391dcd8dde23c44d702be1f6846c61, which was pulled from 5.15. The current version of check_add_overflow() lacks the relevant commit d219d2a9a92e39aa92799efe8f2aa21259b6dd82 ("overflow: Allow mixed type arguments"). Therefore, it is necessary to cast the arguments to int.] Signed-off-by: Zicheng Qu quzicheng@huawei.com --- fs/udf/inode.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/fs/udf/inode.c b/fs/udf/inode.c index 3ae9955c42b0..1198d27552b5 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -2182,12 +2182,15 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos, alen = udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc; } else { + struct allocExtDesc *header = + (struct allocExtDesc *)epos->bh->b_data; + if (!epos->offset) epos->offset = sizeof(struct allocExtDesc); ptr = epos->bh->b_data + epos->offset; - alen = sizeof(struct allocExtDesc) + - le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)-> - lengthAllocDescs); + if (check_add_overflow((int)sizeof(struct allocExtDesc), + (int)le32_to_cpu(header->lengthAllocDescs), &alen)) + return -1; }
switch (iinfo->i_alloc_type) {