| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240919195227.412583-1-gianf.trad@gmail.com>
Date: Thu, 19 Sep 2024 21:52:27 +0200
From: Gianfranco Trad <gianf.trad@...il.com>
To: jack@...e.com
Cc: linux-kernel@...r.kernel.org,
skhan@...uxfoundation.org,
Gianfranco Trad <gianf.trad@...il.com>,
syzbot+8901c4560b7ab5c2f9df@...kaller.appspotmail.com
Subject: [PATCH] udf: fix uninit-value use in udf_get_fileshortad
Syzbot reported a udf uninit-value use in udf_get_fileshortad[1].
The uninit-value use occurs when udf_get_fileshortad is called
with alen having a negative value and epos->offset being equal
to epos->bh->b_size. This check was inserted to mitigate
the uninit-value use. After applying the patch reproducer did
not trigget any issue[2].
[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
[2] https://syzkaller.appspot.com/x/log.txt?x=133ab69f980000
Reported-by: syzbot+8901c4560b7ab5c2f9df@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
Tested-by: syzbot+8901c4560b7ab5c2f9df@...kaller.appspotmail.com
Signed-off-by: Gianfranco Trad <gianf.trad@...il.com>
---
fs/udf/inode.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 4726a4d014b6..d21665164779 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -2222,6 +2222,8 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos,
switch (iinfo->i_alloc_type) {
case ICBTAG_FLAG_AD_SHORT:
+ if (unlikely(alen < 0 && epos->offset == epos->bh->b_size))
+ return -1;
sad = udf_get_fileshortad(ptr, alen, &epos->offset, inc);
if (!sad)
return -1;
--
2.43.0
Powered by blists - more mailing lists