[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20241002122909.ak4itmqzg4b2icsx@quack3>
Date: Wed, 2 Oct 2024 14:29:09 +0200
From: Jan Kara <jack@...e.cz>
To: Gianfranco Trad <gianf.trad@...il.com>
Cc: jack@...e.com, linux-kernel@...r.kernel.org, skhan@...uxfoundation.org,
syzbot+8901c4560b7ab5c2f9df@...kaller.appspotmail.com
Subject: Re: [PATCH v2] udf: fix uninit-value use in udf_get_fileshortad
On Wed 25-09-24 09:46:15, Gianfranco Trad wrote:
> Check for overflow when computing alen in udf_current_aext to mitigate
> later uninit-value use in udf_get_fileshortad KMSAN bug[1].
> After applying the patch reproducer did not trigger any issue[2].
>
> [1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
> [2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000
>
> Reported-by: syzbot+8901c4560b7ab5c2f9df@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
> Tested-by: syzbot+8901c4560b7ab5c2f9df@...kaller.appspotmail.com
> Suggested-by: Jan Kara <jack@...e.com>
> Signed-off-by: Gianfranco Trad <gianf.trad@...il.com>
Thanks. I've added the patch to my tree.
Honza
> ---
>
> Notes:
> changes in v2:
> - use check_add_overflow helper to check for overflow.
>
> link to v1: https://lore.kernel.org/all/20240919195227.412583-1-gianf.trad@gmail.com/T/
>
> fs/udf/inode.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/fs/udf/inode.c b/fs/udf/inode.c
> index 4726a4d014b6..811a035b600f 100644
> --- a/fs/udf/inode.c
> +++ b/fs/udf/inode.c
> @@ -2215,9 +2215,10 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos,
> if (!epos->offset)
> epos->offset = sizeof(struct allocExtDesc);
> ptr = epos->bh->b_data + epos->offset;
> - alen = sizeof(struct allocExtDesc) +
> - le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)->
> - lengthAllocDescs);
> + if (check_add_overflow(sizeof(struct allocExtDesc),
> + le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)
> + ->lengthAllocDescs), &alen))
> + return -1;
> }
>
> switch (iinfo->i_alloc_type) {
> --
> 2.43.0
>
--
Jan Kara <jack@...e.com>
SUSE Labs, CR
Powered by blists - more mailing lists