[PATCH OLK-6.6] udf: Avoid excessive partition lengths - Kernel

23 Sep 2024

From: Jan Kara jack@suse.cz
stable inclusion
from stable-v6.6.51
commit a56330761950cb83de1dfb348479f20c56c95f90
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX38
CVE: CVE-2024-46777
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit ebbe26fd54a9621994bc16b14f2ba8f84c089693 ]
Avoid mounting filesystems where the partition would overflow the
32-bits used for block number. Also refuse to mount filesystems where
the partition length is so large we cannot safely index bits in a
block bitmap.
Link: https://patch.msgid.link/20240620130403.14731-1-jack@suse.cz
Signed-off-by: Jan Kara jack@suse.cz
Signed-off-by: Sasha Levin sashal@kernel.org
Conflicts:
    fs/udf/super.c
[Ma Wupeng: fix compile warning]
Signed-off-by: Ma Wupeng mawupeng1@huawei.com
---
 fs/udf/super.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/fs/udf/super.c b/fs/udf/super.c
index e0080fda2526b..a795f18db890b 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1080,12 +1080,19 @@ static int udf_fill_partdesc_info(struct super_block *sb,
    struct udf_part_map *map;
    struct udf_sb_info *sbi = UDF_SB(sb);
    struct partitionHeaderDesc *phd;
+	u32 sum;
    int err;
map = &sbi->s_partmaps[p_index];
map->s_partition_len = le32_to_cpu(p->partitionLength); /* blocks */
    map->s_partition_root = le32_to_cpu(p->partitionStartingLocation);
+	if (check_add_overflow(map->s_partition_root, map->s_partition_len,
+			       &sum)) {
+		udf_err(sb, "Partition %d has invalid location %u + %u\n",
+			p_index, map->s_partition_root, map->s_partition_len);
+		return -EFSCORRUPTED;
+	}
if (p->accessType == cpu_to_le32(PD_ACCESS_TYPE_READ_ONLY))
    	map->s_partition_flags |= UDF_PART_FLAG_READ_ONLY;
@@ -1141,6 +1148,14 @@ static int udf_fill_partdesc_info(struct super_block *sb,
    	bitmap->s_extPosition = le32_to_cpu(
    			phd->unallocSpaceBitmap.extPosition);
    	map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_BITMAP;
+		/* Check whether math over bitmap won't overflow. */
+		if (check_add_overflow(map->s_partition_len,
+				       (__u32)(sizeof(struct spaceBitmapDesc) << 3),
+				       &sum)) {
+			udf_err(sb, "Partition %d is too long (%u)\n", p_index,
+				map->s_partition_len);
+			return -EFSCORRUPTED;
+		}
    	udf_debug("unallocSpaceBitmap (part %d) @ %u\n",
    		  p_index, bitmap->s_extPosition);
    }
-- 
2.25.1


    