lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20240611074850.tiaieba2bswwck6d@quack3>
Date: Tue, 11 Jun 2024 09:48:50 +0200
From: Jan Kara <jack@...e.cz>
To: Roman Smirnov <r.smirnov@....ru>
Cc: Jan Kara <jack@...e.com>, linux-kernel@...r.kernel.org,
	Sergey Shtylyov <s.shtylyov@....ru>, lvc-project@...uxtesting.org
Subject: Re: [PATCH] udf: balloc: prevent integer overflow in
 udf_bitmap_free_blocks()

On Mon 10-06-24 10:25:22, Roman Smirnov wrote:
> An overflow may occur if the function is called with the last
> block and an offset greater than zero. It is necessary to add
> a check to avoid this.
> 
> Found by Linux Verification Center (linuxtesting.org) with Svace.
> 
> Signed-off-by: Roman Smirnov <r.smirnov@....ru>

Thanks for the patch! Actually there are overflow checks just a few lines
above the place you modify:

        if (bloc->logicalBlockNum + count < count ||
            (bloc->logicalBlockNum + count) > partmap->s_partition_len) {

So please update those to take 'offset' into account instead. Also please
use check_add_overflow() for the integer overflow check.

								Honza

> ---
>  fs/udf/balloc.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c
> index ab3ffc355949..cd83bbc7d890 100644
> --- a/fs/udf/balloc.c
> +++ b/fs/udf/balloc.c
> @@ -151,6 +151,13 @@ static void udf_bitmap_free_blocks(struct super_block *sb,
>  	block = bloc->logicalBlockNum + offset +
>  		(sizeof(struct spaceBitmapDesc) << 3);
>  
> +	if (block < offset + (sizeof(struct spaceBitmapDesc) << 3)) {
> +		udf_debug("integer overflow: %u + %u + %zu",
> +			  bloc->logicalBlockNum, offset,
> +			  sizeof(struct spaceBitmapDesc) << 3);
> +		goto error_return;
> +	}
> +
>  	do {
>  		overflow = 0;
>  		block_group = block >> (sb->s_blocksize_bits + 3);
> -- 
> 2.34.1
> 
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ