Commit e2b220f7 authored by Jan Kara's avatar Jan Kara Committed by Wupeng Ma
Browse files

udf: Avoid excessive partition lengths 

stable inclusion
from stable-v5.10.226
commit 551966371e17912564bc387fbeb2ac13077c3db1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX38
CVE: CVE-2024-46777

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=551966371e17912564bc387fbeb2ac13077c3db1

--------------------------------

[ Upstream commit ebbe26fd54a9621994bc16b14f2ba8f84c089693 ]

Avoid mounting filesystems where the partition would overflow the
32-bits used for block number. Also refuse to mount filesystems where
the partition length is so large we cannot safely index bits in a
block bitmap.

Link: https://patch.msgid.link/20240620130403.14731-1-jack@suse.cz


Signed-off-by: default avatarJan Kara <jack@suse.cz>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>

Conflicts:
	fs/udf/super.c
[Ma Wupeng: fix compile warning]
Signed-off-by: default avatarMa Wupeng <mawupeng1@huawei.com>
parent 9bdf444c

fs/udf/super.c

+15 −0
Original line number Diff line number Diff line
@@ -1076,12 +1076,19 @@ static int udf_fill_partdesc_info(struct super_block *sb, 
	struct udf_part_map *map;

	struct udf_sb_info *sbi = UDF_SB(sb);

	struct partitionHeaderDesc *phd;

	u32 sum;

	int err;



	map = &sbi->s_partmaps[p_index];



	map->s_partition_len = le32_to_cpu(p->partitionLength); /* blocks */

	map->s_partition_root = le32_to_cpu(p->partitionStartingLocation);

	if (check_add_overflow(map->s_partition_root, map->s_partition_len,

			       &sum)) {

		udf_err(sb, "Partition %d has invalid location %u + %u\n",

			p_index, map->s_partition_root, map->s_partition_len);

		return -EFSCORRUPTED;

	}



	if (p->accessType == cpu_to_le32(PD_ACCESS_TYPE_READ_ONLY))

		map->s_partition_flags |= UDF_PART_FLAG_READ_ONLY;
@@ -1137,6 +1144,14 @@ static int udf_fill_partdesc_info(struct super_block *sb, 
		bitmap->s_extPosition = le32_to_cpu(

				phd->unallocSpaceBitmap.extPosition);

		map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_BITMAP;

		/* Check whether math over bitmap won't overflow. */

		if (check_add_overflow(map->s_partition_len,

				       (__u32)(sizeof(struct spaceBitmapDesc) << 3),

				       &sum)) {

			udf_err(sb, "Partition %d is too long (%u)\n", p_index,

				map->s_partition_len);

			return -EFSCORRUPTED;

		}

		udf_debug("unallocSpaceBitmap (part %d) @ %u\n",

			  p_index, bitmap->s_extPosition);

	}