From: Ma Wupeng mawupeng1@huawei.com
fix CVE-2024-46777 for 4.19.
Jan Kara (2): udf: Define EFSCORRUPTED error code udf: Avoid excessive partition lengths
fs/udf/super.c | 15 +++++++++++++++ fs/udf/udf_sb.h | 2 ++ 2 files changed, 17 insertions(+)
From: Jan Kara jack@suse.cz
stable inclusion from stable-v4.19.276 commit 5c034e88aba86508911126e34322dfbc79a2a27f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX38
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 3d2d7e61553dbcc8ba45201d8ae4f383742c8202 ]
Similarly to other filesystems define EFSCORRUPTED error code for reporting internal filesystem corruption.
Signed-off-by: Jan Kara jack@suse.cz Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Ma Wupeng mawupeng1@huawei.com --- fs/udf/udf_sb.h | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/fs/udf/udf_sb.h b/fs/udf/udf_sb.h index d12e507e9eb2..aa58173b468f 100644 --- a/fs/udf/udf_sb.h +++ b/fs/udf/udf_sb.h @@ -57,6 +57,8 @@ #define MF_DUPLICATE_MD 0x01 #define MF_MIRROR_FE_LOADED 0x02
+#define EFSCORRUPTED EUCLEAN + struct udf_meta_data { __u32 s_meta_file_loc; __u32 s_mirror_file_loc;
From: Jan Kara jack@suse.cz
stable inclusion from stable-v4.19.322 commit c0c23130d38e8bc28e9ef581443de9b1fc749966 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX38 CVE: CVE-2024-46777
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit ebbe26fd54a9621994bc16b14f2ba8f84c089693 ]
Avoid mounting filesystems where the partition would overflow the 32-bits used for block number. Also refuse to mount filesystems where the partition length is so large we cannot safely index bits in a block bitmap.
Link: https://patch.msgid.link/20240620130403.14731-1-jack@suse.cz Signed-off-by: Jan Kara jack@suse.cz Signed-off-by: Sasha Levin sashal@kernel.org Conflicts: fs/udf/super.c [Ma Wupeng: fix compile warning] Signed-off-by: Ma Wupeng mawupeng1@huawei.com --- fs/udf/super.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/fs/udf/super.c b/fs/udf/super.c index 7af011dc9ae8..699cda7f89f9 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c @@ -1044,12 +1044,19 @@ static int udf_fill_partdesc_info(struct super_block *sb, struct udf_part_map *map; struct udf_sb_info *sbi = UDF_SB(sb); struct partitionHeaderDesc *phd; + u32 sum; int err;
map = &sbi->s_partmaps[p_index];
map->s_partition_len = le32_to_cpu(p->partitionLength); /* blocks */ map->s_partition_root = le32_to_cpu(p->partitionStartingLocation); + if (check_add_overflow(map->s_partition_root, map->s_partition_len, + &sum)) { + udf_err(sb, "Partition %d has invalid location %u + %u\n", + p_index, map->s_partition_root, map->s_partition_len); + return -EFSCORRUPTED; + }
if (p->accessType == cpu_to_le32(PD_ACCESS_TYPE_READ_ONLY)) map->s_partition_flags |= UDF_PART_FLAG_READ_ONLY; @@ -1105,6 +1112,14 @@ static int udf_fill_partdesc_info(struct super_block *sb, bitmap->s_extPosition = le32_to_cpu( phd->unallocSpaceBitmap.extPosition); map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_BITMAP; + /* Check whether math over bitmap won't overflow. */ + if (check_add_overflow(map->s_partition_len, + (__u32)(sizeof(struct spaceBitmapDesc) << 3), + &sum)) { + udf_err(sb, "Partition %d is too long (%u)\n", p_index, + map->s_partition_len); + return -EFSCORRUPTED; + } udf_debug("unallocSpaceBitmap (part %d) @ %u\n", p_index, bitmap->s_extPosition); }
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/11720 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/7...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/11720 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/7...