| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Jun 2024 15:35:46 +0200 From: Jan Kara <jack@...e.cz> To: Roman Smirnov <r.smirnov@....ru> Cc: Jan Kara <jack@...e.com>, linux-kernel@...r.kernel.org, Sergey Shtylyov <s.shtylyov@....ru>, lvc-project@...uxtesting.org Subject: Re: [PATCH v2] udf: balloc: prevent integer overflow in udf_bitmap_free_blocks() On Thu 20-06-24 10:24:13, Roman Smirnov wrote: > An overflow may occur if the function is called with the last > block and an offset greater than zero. It is necessary to add > a check to avoid this. > > Overflow is also possible when we sum offset and > sizeof(struct spaceBitmapDesc) << 3. For this reason it > is necessary to check overflow of this too. The result is > stored in total_offset. > > Found by Linux Verification Center (linuxtesting.org) with Svace. > > Suggested-by: Jan Kara <jack@...e.com> > Signed-off-by: Roman Smirnov <r.smirnov@....ru> Thanks for the patch. In the end I've noticed that unalloc table block freeing has the same overflow checks and I've decided to move bitmap offset overflow verification into mount code (so that any bitmap offset for a block within a partition cannot overflow u32). The resulting patches are attached for reference and I've queued them in my tree. Honza -- Jan Kara <jack@...e.com> SUSE Labs, CR View attachment "0001-udf-prevent-integer-overflow-in-udf_bitmap_free_bloc.patch" of type "text/x-patch" (3603 bytes) View attachment "0001-udf-Avoid-excessive-partition-lengths.patch" of type "text/x-patch" (2091 bytes)
Powered by blists - more mailing lists