lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20240919195227.412583-1-gianf.trad@gmail.com>
Date: Thu, 19 Sep 2024 21:52:27 +0200
From: Gianfranco Trad <gianf.trad@...il.com>
To: jack@...e.com
Cc: linux-kernel@...r.kernel.org,
	skhan@...uxfoundation.org,
	Gianfranco Trad <gianf.trad@...il.com>,
	syzbot+8901c4560b7ab5c2f9df@...kaller.appspotmail.com
Subject: [PATCH] udf: fix uninit-value use in udf_get_fileshortad

Syzbot reported a udf uninit-value use in udf_get_fileshortad[1].
The uninit-value use occurs when udf_get_fileshortad is called
with alen having a negative value and epos->offset being equal
to epos->bh->b_size. This check was inserted to mitigate
the uninit-value use. After applying the patch reproducer did
not trigget any issue[2].

[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
[2] https://syzkaller.appspot.com/x/log.txt?x=133ab69f980000

Reported-by: syzbot+8901c4560b7ab5c2f9df@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
Tested-by: syzbot+8901c4560b7ab5c2f9df@...kaller.appspotmail.com
Signed-off-by: Gianfranco Trad <gianf.trad@...il.com>
---
 fs/udf/inode.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 4726a4d014b6..d21665164779 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -2222,6 +2222,8 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos,
 
 	switch (iinfo->i_alloc_type) {
 	case ICBTAG_FLAG_AD_SHORT:
+		if (unlikely(alen < 0 && epos->offset == epos->bh->b_size))
+			return -1;
 		sad = udf_get_fileshortad(ptr, alen, &epos->offset, inc);
 		if (!sad)
 			return -1;
-- 
2.43.0


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ