udf: Fix crash after seekdir
stable inclusion form stable-v5.10.82 commit 5875f87e2fc9930463e56cbd25ca2c961ef31b45 bugzilla: 185877 https://gitee.com/openeuler/kernel/issues/I4QU6V Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5875f87e2fc9930463e56cbd25ca2c961ef31b45 -------------------------------- commit a48fc69f upstream. udf_readdir() didn't validate the directory position it should start reading from. Thus when user uses lseek(2) on directory file descriptor it can trick udf_readdir() into reading from a position in the middle of directory entry which then upsets directory parsing code resulting in errors or even possible kernel crashes. Similarly when the directory is modified between two readdir calls, the directory position need not be valid anymore. Add code to validate current offset in the directory. This is actually rather expensive for UDF as we need to read from the beginning of the directory and parse all directory entries. This is because in UDF a directory is just a stream of data containing directory entries and since file names are fully under user's control we cannot depend on detecting magic numbers and checksums in the header of directory entry as a malicious attacker could fake them. We skip this step if we detect that nothing changed since the last readdir call. Reported-by:Nathan Wilson <nate@chickenbrittle.com> CC: stable@vger.kernel.org Signed-off-by:
Loading
Please sign in to comment