Commit 0dd50252 authored Feb 23, 2022 by Jan Kara Committed by Zheng Zengkai Feb 23, 2022

udf: Restore i_lenAlloc when inode expansion fails

mainline inclusion
from mainline-v5.17-rc2
commit ea856919
category: bugfix
bugzilla: 186269 https://gitee.com/openeuler/kernel/issues/I4UATL?from=project-issue


CVE: CVE-2022-0617

--------------------------------

When we fail to expand inode from inline format to a normal format, we
restore inode to contain the original inline formatting but we forgot to
set i_lenAlloc back. The mismatch between i_lenAlloc and i_size was then
causing further problems such as warnings and lost data down the line.

Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
CC: stable@vger.kernel.org
Fixes: 7e49b6f2 ("udf: Convert UDF to new truncate calling sequence")
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Zhang Wensheng <zhangwensheng5@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

parent 7f2ba6e5

fs/udf/inode.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -314,6 +314,7 @@ int udf_expand_file_adinicb(struct inode *inode)
		unlock_page(page);
		iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB;
		inode->i_data.a_ops = &udf_adinicb_aops;
		iinfo->i_lenAlloc = inode->i_size;
		up_write(&iinfo->i_data_sem);
		}
		put_page(page);