Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp2963751imm; Sun, 1 Jul 2018 09:15:55 -0700 (PDT) X-Google-Smtp-Source: ADUXVKJjbR1C6jmDRKcVgVnSB3yKwq0MrL9Sabn4ZQRpKvG0ooEijP9iXOEFijtxLo22C2zwdhCG X-Received: by 2002:a65:56cd:: with SMTP id w13-v6mr19265839pgs.227.1530461755090; Sun, 01 Jul 2018 09:15:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1530461755; cv=none; d=google.com; s=arc-20160816; b=DI6fUVmFyaDTZ/pC49JR4VgujKgRil2ohp+o6DDDjdF4E1fISeBSXzflq4YetD889I GqEZohGK2lbD3+eR+bBl3Gfy3Zqxg5oq2F7N4H3CocJ3z/pYi6cSVsoIgQnfBaEyR0mh 2/TtQfpVy/By0r/RRToFObeIzmfPNTybzWAV1GauVllyaBQmsBeQvqMGOCNFxjxTvJCI WOFTzkhgNMvGN8SNzA2aFtKTkTRzQtzBQA5PTqGASF9IvZWyqWds7A0ps+8aGqhyu2rR 9KDFoCwrt/7NG6j2CjWObFTvoKnp3MPc/XfRajG5rFeMOOtDertOhg+98pf6iE07UF5U P78g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=/2dGCumlOi6ZQT+VO2fqqenCRuLfQCjcw/Mc7nBRW1M=; b=QcK/CIj+fGIfivujne5DblhR+dMtQHNYvSDaSetbIiZUJlB8FAzUfc3FTFCOPydruc Ad6o4pz1ugmB9k/BpUCdxSD+n0jYUTDbV6mI2cc1JRvTRiPLbAr+g/28RVzLaA8+ynFn QT2VOuBs6C/424yIJdfQ8cJWs4WHvrzZnM/b7ZzAewnJ6QT6kPR0inJbO9U0fV5IlZ6t nXakar3tWc9mjpDhx1IT4Fg3ZhoMwYY6Aq9cGqiqy2LvSuk5VTDWUuY5fSqGOZA1UxGd j2tBrFrRG1x3jgP52y7X+q4zYF4Dw36ZHeTqPJY4iaB1mAAbqDyD4PyjJyhiXnP6YNG/ J8mA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y74-v6si11799970pfk.75.2018.07.01.09.15.40; Sun, 01 Jul 2018 09:15:55 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753172AbeGAQOm (ORCPT + 99 others); Sun, 1 Jul 2018 12:14:42 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:60384 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753161AbeGAQOi (ORCPT ); Sun, 1 Jul 2018 12:14:38 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id ED87A86A; Sun, 1 Jul 2018 16:14:37 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Anatoly Trosinenko , Jan Kara Subject: [PATCH 3.18 83/85] udf: Detect incorrect directory size Date: Sun, 1 Jul 2018 18:02:41 +0200 Message-Id: <20180701153125.664588215@linuxfoundation.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180701153122.365061142@linuxfoundation.org> References: <20180701153122.365061142@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jan Kara commit fa65653e575fbd958bdf5fb9c4a71a324e39510d upstream. Detect when a directory entry is (possibly partially) beyond directory size and return EIO in that case since it means the filesystem is corrupted. Otherwise directory operations can further corrupt the directory and possibly also oops the kernel. CC: Anatoly Trosinenko CC: stable@vger.kernel.org Reported-and-tested-by: Anatoly Trosinenko Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman --- fs/udf/directory.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/udf/directory.c +++ b/fs/udf/directory.c @@ -151,6 +151,9 @@ struct fileIdentDesc *udf_fileident_read sizeof(struct fileIdentDesc)); } } + /* Got last entry outside of dir size - fs is corrupted! */ + if (*nf_pos > dir->i_size) + return NULL; return fi; }