[PATCH OLK-5.10] udf: Avoid using corrupted block bitmap buffer - Kernel

21 Aug 2024

From: Jan Kara jack@suse.cz
stable inclusion
from stable-v5.10.224
commit 2199e157a465aaf98294d3932797ecd7fce942d5
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKPZN
CVE: CVE-2024-42306
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit a90d4471146de21745980cba51ce88e7926bcc4f upstream.
When the filesystem block bitmap is corrupted, we detect the corruption
while loading the bitmap and fail the allocation with error. However the
next allocation from the same bitmap will notice the bitmap buffer is
already loaded and tries to allocate from the bitmap with mixed results
(depending on the exact nature of the bitmap corruption). Fix the
problem by using BH_verified bit to indicate whether the bitmap is valid
or not.
Reported-by: syzbot+5f682cd029581f9edfd1@syzkaller.appspotmail.com
CC: stable@vger.kernel.org
Link: https://patch.msgid.link/20240617154201.29512-2-jack@suse.cz
Fixes: 1e0d4adf17e7 ("udf: Check consistency of Space Bitmap Descriptor")
Signed-off-by: Jan Kara jack@suse.cz
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Ye Bin yebin10@huawei.com
---
 fs/udf/balloc.c | 15 +++++++++++++--
 fs/udf/super.c  |  3 ++-
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c
index f416b7fe092f..c4c18eeacb60 100644
--- a/fs/udf/balloc.c
+++ b/fs/udf/balloc.c
@@ -68,8 +68,12 @@ static int read_block_bitmap(struct super_block *sb,
    }
for (i = 0; i < count; i++)
-		if (udf_test_bit(i + off, bh->b_data))
+		if (udf_test_bit(i + off, bh->b_data)) {
+			bitmap->s_block_bitmap[bitmap_nr] =
+							ERR_PTR(-EFSCORRUPTED);
+			brelse(bh);
    		return -EFSCORRUPTED;
+		}
    return 0;
 }
@@ -85,8 +89,15 @@ static int __load_block_bitmap(struct super_block *sb,
    		  block_group, nr_groups);
    }
-	if (bitmap->s_block_bitmap[block_group])
+	if (bitmap->s_block_bitmap[block_group]) {
+		/*
+		 * The bitmap failed verification in the past. No point in
+		 * trying again.
+		 */
+		if (IS_ERR(bitmap->s_block_bitmap[block_group]))
+			return PTR_ERR(bitmap->s_block_bitmap[block_group]);
    	return block_group;
+	}
retval = read_block_bitmap(sb, bitmap, block_group, block_group);
    if (retval < 0)
diff --git a/fs/udf/super.c b/fs/udf/super.c
index 4af9ce34ee80..1939678f0b62 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -266,7 +266,8 @@ static void udf_sb_free_bitmap(struct udf_bitmap *bitmap)
    int nr_groups = bitmap->s_nr_groups;
for (i = 0; i < nr_groups; i++)
-		brelse(bitmap->s_block_bitmap[i]);
+		if (!IS_ERR_OR_NULL(bitmap->s_block_bitmap[i]))
+			brelse(bitmap->s_block_bitmap[i]);
kvfree(bitmap);
 }
-- 
2.31.1


    