lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1454538786-12215-51-git-send-email-luis.henriques@canonical.com>
Date:	Wed,  3 Feb 2016 22:30:56 +0000
From:	Luis Henriques <luis.henriques@...onical.com>
To:	linux-kernel@...r.kernel.org, stable@...r.kernel.org,
	kernel-team@...ts.ubuntu.com
Cc:	Vegard Nossum <vegard.nossum@...cle.com>, Jan Kara <jack@...e.com>,
	Quentin Casasnovas <quentin.casasnovas@...cle.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Jan Kara <jack@...e.cz>,
	Luis Henriques <luis.henriques@...onical.com>
Subject: [PATCH 3.16.y-ckt 050/180] udf: limit the maximum number of indirect extents in a row

3.16.7-ckt24 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Vegard Nossum <vegard.nossum@...cle.com>

commit b0918d9f476a8434b055e362b83fa4fd1d462c3f upstream.

udf_next_aext() just follows extent pointers while extents are marked as
indirect. This can loop forever for corrupted filesystem. Limit number
the of indirect extents we are willing to follow in a row.

[JK: Updated changelog, limit, style]

Signed-off-by: Vegard Nossum <vegard.nossum@...cle.com>
Cc: Jan Kara <jack@...e.com>
Cc: Quentin Casasnovas <quentin.casasnovas@...cle.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>
Signed-off-by: Jan Kara <jack@...e.cz>
Signed-off-by: Luis Henriques <luis.henriques@...onical.com>
---
 fs/udf/inode.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 9a46e23cb769..c2b1e6aa8dbd 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -2074,14 +2074,29 @@ void udf_write_aext(struct inode *inode, struct extent_position *epos,
 		epos->offset += adsize;
 }
 
+/*
+ * Only 1 indirect extent in a row really makes sense but allow upto 16 in case
+ * someone does some weird stuff.
+ */
+#define UDF_MAX_INDIR_EXTS 16
+
 int8_t udf_next_aext(struct inode *inode, struct extent_position *epos,
 		     struct kernel_lb_addr *eloc, uint32_t *elen, int inc)
 {
 	int8_t etype;
+	unsigned int indirections = 0;
 
 	while ((etype = udf_current_aext(inode, epos, eloc, elen, inc)) ==
 	       (EXT_NEXT_EXTENT_ALLOCDECS >> 30)) {
 		int block;
+
+		if (++indirections > UDF_MAX_INDIR_EXTS) {
+			udf_err(inode->i_sb,
+				"too many indirect extents in inode %lu\n",
+				inode->i_ino);
+			return -1;
+		}
+
 		epos->block = *eloc;
 		epos->offset = sizeof(struct allocExtDesc);
 		brelse(epos->bh);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ