!11735 fix CVE-2024-46777 for SP1 (de626630) · Commits · EulixOS / Software / Kernel

fs/udf/super.c

+15 −0

Original line number	Diff line number	Diff line
		@@ -1074,12 +1074,19 @@ static int udf_fill_partdesc_info(struct super_block *sb,
		struct udf_part_map *map;
		struct udf_sb_info *sbi = UDF_SB(sb);
		struct partitionHeaderDesc *phd;
		u32 sum;
		int err;

		map = &sbi->s_partmaps[p_index];

		map->s_partition_len = le32_to_cpu(p->partitionLength); /* blocks */
		map->s_partition_root = le32_to_cpu(p->partitionStartingLocation);
		if (check_add_overflow(map->s_partition_root, map->s_partition_len,
		&sum)) {
		udf_err(sb, "Partition %d has invalid location %u + %u\n",
		p_index, map->s_partition_root, map->s_partition_len);
		return -EFSCORRUPTED;
		}

		if (p->accessType == cpu_to_le32(PD_ACCESS_TYPE_READ_ONLY))
		map->s_partition_flags \|= UDF_PART_FLAG_READ_ONLY;
		@@ -1135,6 +1142,14 @@ static int udf_fill_partdesc_info(struct super_block *sb,
		bitmap->s_extPosition = le32_to_cpu(
		phd->unallocSpaceBitmap.extPosition);
		map->s_partition_flags \|= UDF_PART_FLAG_UNALLOC_BITMAP;
		/* Check whether math over bitmap won't overflow. */
		if (check_add_overflow(map->s_partition_len,
		(__u32)(sizeof(struct spaceBitmapDesc) << 3),
		&sum)) {
		udf_err(sb, "Partition %d is too long (%u)\n", p_index,
		map->s_partition_len);
		return -EFSCORRUPTED;
		}
		udf_debug("unallocSpaceBitmap (part %d) @ %u\n",
		p_index, bitmap->s_extPosition);
		}

+2 −0

Original line number	Diff line number	Diff line
		@@ -51,6 +51,8 @@
		#define MF_DUPLICATE_MD 0x01
		#define MF_MIRROR_FE_LOADED 0x02

		#define EFSCORRUPTED EUCLEAN

		struct udf_meta_data {
		__u32 s_meta_file_loc;
		__u32 s_mirror_file_loc;