| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 6 Jan 2017 21:54:43 +0100
From: Fabian Frederick <fabf@...net.be>
To: Jan Kara <jack@...e.com>
Cc: fabf@...net.be, linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org
Subject: [PATCH 12/12 linux-next] udf: check partition reference in udf_read_inode()
We were checking block number without checking partition.
sbi->s_partmaps[iloc->partitionReferenceNum] could lead to
bad memory access. See udf_nfs_get_inode() path for instance.
Signed-off-by: Fabian Frederick <fabf@...net.be>
---
fs/udf/inode.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 47638eb..3926973 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1276,6 +1276,12 @@ static int udf_read_inode(struct inode *inode, bool hidden_inode)
int ret = -EIO;
reread:
+ if (iloc->partitionReferenceNum >= sbi->s_partitions) {
+ udf_debug("partition reference: %d > logical volume partitions: %d\n",
+ iloc->partitionReferenceNum, sbi->s_partitions);
+ return -EIO;
+ }
+
if (iloc->logicalBlockNum >=
sbi->s_partmaps[iloc->partitionReferenceNum].s_partition_len) {
udf_debug("block=%d, partition=%d out of range\n",
--
2.7.4
Powered by blists - more mailing lists