Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp3053596imm; Sun, 1 Jul 2018 11:09:18 -0700 (PDT) X-Google-Smtp-Source: AAOMgpchuHNFr7RMT/BNqOVQphxwlxU3uHilA6IvdWTh9ZjyG4lEVnkc38eHEpjoY0f4/30BiZa9 X-Received: by 2002:a62:d544:: with SMTP id d65-v6mr1911039pfg.107.1530468558654; Sun, 01 Jul 2018 11:09:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1530468558; cv=none; d=google.com; s=arc-20160816; b=lbjXfqtsHEjpLw8ELpSHCufnFfAO8GB8QtNv7AsksoWRlgfM575V+31VXxWqAIzjpV /msD9u27+7JOoGTwps6jZczN6r/mAN/fJ45hkT0TgLCaSt8wBLJI2CellsVdCdJjaP5y JTavb/Gnvdzmc/64DDb4gqTYZ5hYge5t8bEWxJnuk5pVBAEEY77bqZl/rL9nip3cxTF2 AsIP35VEhcP/9uOxtpqCHGV9YppgrNcSh0faSVBGe3N3MFpBzlRdyJcD86Oz8ABXkA5P Pkmpzgi4qC00AoJh+7wZSNCUaaOUVyH90qpGQNddGnyzQKd9uUG5lH7pQwZR2pcZrVI3 Lw0g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=9IZUKZ57Uhr8Nf0j90bwRcvGPblDIGwxNDexecZ8Itk=; b=piWeGCwe7VZDWrRNdajVZAympefLEWNhWHXlKK+WIlsOHUN/gISK6qYjjv/RuCEALG FD2rt2WfWpooXNXpdhPZUOWGgHMRJZBB/TpS9G6hwt/nS7mQXFhN0MArHrEV/j1Td9nV EnYuaB2iznafw289AALeGyhVAD4BNZKDdQya3VVzLaHYSKxBBECKlinlXNMCMGYhp/Wz KSU+Q1w961E+fnCNnEI+56L0TqDABDMiP5shtArKg+D/TL3Hu58mnd9h0S3pIzjg8Jac snSo7mRT51hYCilMibpll1Hj00jo7jGajPIjw8V5N9/gf6Z1Nk0GYEynOmq4Us7uxEs/ /Npg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g38-v6si7140140plb.262.2018.07.01.11.09.04; Sun, 01 Jul 2018 11:09:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965690AbeGAQ2h (ORCPT + 99 others); Sun, 1 Jul 2018 12:28:37 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:34322 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S965455AbeGAQ21 (ORCPT ); Sun, 1 Jul 2018 12:28:27 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 05F53AD8; Sun, 1 Jul 2018 16:28:26 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Anatoly Trosinenko , Jan Kara Subject: [PATCH 4.9 093/101] udf: Detect incorrect directory size Date: Sun, 1 Jul 2018 18:22:19 +0200 Message-Id: <20180701160800.878664248@linuxfoundation.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180701160757.138608453@linuxfoundation.org> References: <20180701160757.138608453@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jan Kara commit fa65653e575fbd958bdf5fb9c4a71a324e39510d upstream. Detect when a directory entry is (possibly partially) beyond directory size and return EIO in that case since it means the filesystem is corrupted. Otherwise directory operations can further corrupt the directory and possibly also oops the kernel. CC: Anatoly Trosinenko CC: stable@vger.kernel.org Reported-and-tested-by: Anatoly Trosinenko Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman --- fs/udf/directory.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/udf/directory.c +++ b/fs/udf/directory.c @@ -150,6 +150,9 @@ struct fileIdentDesc *udf_fileident_read sizeof(struct fileIdentDesc)); } } + /* Got last entry outside of dir size - fs is corrupted! */ + if (*nf_pos > dir->i_size) + return NULL; return fi; }