Date: Wed, 31 Jul 2019 11:59:01 +0200
From: Jan Kara
To: Steve Magnani
Cc: Jan Kara, Steve Magnani, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] udf: prevent allocation beyond UDF partition
Message-ID: <20190731095901.GC15806@quack2.suse.cz>
In-Reply-To: <1564341552-129750-1-git-send-email-steve@digidescorp.com>

On Sun 28-07-19 14:19:12, Steve Magnani wrote:
> The UDF bitmap allocation code assumes that a recorded
> Unallocated Space Bitmap is compliant with ECMA-167 4/13,
> which requires that pad bytes between the end of the bitmap
> and the end of a logical block are all zero.
>
> When a recorded bitmap does not comply with this requirement,
> for example one padded with FF to the block boundary instead
> of 00, the allocator may "allocate" blocks that are outside
> the UDF partition extent. This can result in UDF volume descriptors
> being overwritten by file data or by partition-level descriptors,
> and in extreme cases, even in scribbling on a subsequent disk partition.
>
> Add a check that the block selected by the allocator actually
> resides within the UDF partition extent.
>
> Signed-off-by: Steven J. Magnani

Thanks for the patch! Added to my tree. I've just slightly modified the patch
to also output an error message about filesystem corruption.

Honza

> > --- a/fs/udf/balloc.c 2019-07-26 11:35:28.249563705 -0500 > +++ b/fs/udf/balloc.c 2019-07-28 13:11:25.061431597 -0500
> @@ -325,6 +325,13 @@ got_block: > newblock = bit + (block_group << (sb->s_blocksize_bits + 3)) - > (sizeof(struct spaceBitmapDesc) << 3); > > + if (newblock >= sbi->s_partmaps[partition].s_partition_len) { > + /* Ran off the end of the bitmap, > + * and bits following are non-compliant (not all zero) > + */ > + goto error_return; > + } > + > if (!udf_clear_bit(bit, bh->b_data)) { > udf_debug("bit already cleared for block %d\n", bit); > goto repeat; > -- Jan Kara SUSE Labs, CR
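
Review bot: The new bounds check ahead of udf_clear_bit() jumps to error_return without reporting anything, so a recorded bitmap whose pad bits are not zero makes the allocation fail silently and looks the same as any other allocation failure. Reaching this branch means the on-disk bitmap violates ECMA-167 4/13, so log it as filesystem corruption at error level, including the partition number, newblock and s_partition_len, so the damaged volume can be identified from the kernel log. The block comment also starts its text on the `/*` line; the usual kernel form puts the first line of text on the following ` * ` line.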
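
The failure mode in the quoted commit message, as an added example (not code from the mail or from fs/udf): a toy single-block bitmap whose pad bytes are FF, scanned with and without the partition-length bound, plus a check of the zero-padding rule itself. The 24-byte header size, the 64-byte block, the 100-block partition and all function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: 24-byte descriptor header, then the bitmap, padded to
 * the end of the block. A set bit means "block is free". */
#define HDR_BITS  (24u * 8u)
#define BLK_BYTES 64u    /* constructed toy block size */
#define PART_LEN  100u   /* constructed partition length, in blocks */
#define BIT_SET(b, n) (((b)[(n) / 8] >> ((n) % 8)) & 1) /* little-endian bit order */

/* ECMA-167 4/13: bits past the partition length must all be zero. */
int padding_is_zero(const uint8_t *blk)
{
	for (uint32_t bit = HDR_BITS + PART_LEN; bit < BLK_BYTES * 8; bit++)
		if (BIT_SET(blk, bit))
			return 0;
	return 1;
}

/* First free block or -1; bounded == 0 trusts every set bit in the block. */
long pick_block(const uint8_t *blk, int bounded)
{
	for (uint32_t bit = HDR_BITS; bit < BLK_BYTES * 8; bit++) {
		if (!BIT_SET(blk, bit))
			continue;
		if (bounded && bit - HDR_BITS >= PART_LEN)
			return -1;           /* outside the partition: refuse */
		return (long)(bit - HDR_BITS);
	}
	return -1;                           /* nothing free */
}

/* Constructed sample: all partition blocks in use, pad bits taken from pad. */
void make_sample(uint8_t *blk, uint8_t pad)
{
	memset(blk, 0, BLK_BYTES);
	for (uint32_t bit = HDR_BITS + PART_LEN; bit < BLK_BYTES * 8; bit++)
		blk[bit / 8] |= (uint8_t)(pad & (1u << (bit % 8)));
}

int main(void)
{
	uint8_t blk[BLK_BYTES];
	make_sample(blk, 0xFF);
	printf("%d %ld %ld\n", padding_is_zero(blk), pick_block(blk, 0), pick_block(blk, 1));
	return 0;
}
```

With FF padding the unbounded scan returns block 100 of a 100-block partition, the first block past its end, while the bounded scan refuses it.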