[PATCH OLK-5.10 V1] udf: fix uninit-value use in udf_get_fileshortad - Kernel

22 Nov 2024

From: Gianfranco Trad gianf.trad@gmail.com
stable inclusion
from stable-v5.15.170
commit 4fc0d8660e391dcd8dde23c44d702be1f6846c61
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB2SWN
CVE: CVE-2024-50143
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 264db9d666ad9a35075cc9ed9ec09d021580fbb1 ]
Check for overflow when computing alen in udf_current_aext to mitigate
later uninit-value use in udf_get_fileshortad KMSAN bug[1].
After applying the patch reproducer did not trigger any issue[2].
[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
[2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000
Reported-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
Tested-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
Suggested-by: Jan Kara jack@suse.com
Signed-off-by: Gianfranco Trad gianf.trad@gmail.com
Signed-off-by: Jan Kara jack@suse.cz
Link: https://patch.msgid.link/20240925074613.8475-3-gianf.trad@gmail.com
Signed-off-by: Sasha Levin sashal@kernel.org
Conflicts:
    	fs/udf/inode.c
[The stable version 5.10 is missing patch
4fc0d8660e391dcd8dde23c44d702be1f6846c61, which was pulled from 5.15.
The current version of check_add_overflow() lacks the relevant commit
d219d2a9a92e39aa92799efe8f2aa21259b6dd82 ("overflow: Allow mixed type
arguments"). Therefore, it is necessary to cast the arguments to int.]
Signed-off-by: Zicheng Qu quzicheng@huawei.com
---
 fs/udf/inode.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index a8105eded07e..6ff9cc8adb26 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -2184,12 +2184,15 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos,
    	alen = udf_file_entry_alloc_offset(inode) +
    						iinfo->i_lenAlloc;
    } else {
+		struct allocExtDesc *header =
+			(struct allocExtDesc *)epos->bh->b_data;
+
    	if (!epos->offset)
    		epos->offset = sizeof(struct allocExtDesc);
    	ptr = epos->bh->b_data + epos->offset;
-		alen = sizeof(struct allocExtDesc) +
-			le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)->
-							lengthAllocDescs);
+		if (check_add_overflow((int)sizeof(struct allocExtDesc),
+				(int)le32_to_cpu(header->lengthAllocDescs), &alen))
+			return -1;
    }
switch (iinfo->i_alloc_type) {
-- 
2.34.1


    