From: Jan Kara jack@suse.cz
commit c1ad35dd0548ce947d97aaf92f7f2f9a202951cf upstream
udf_write_fi() uses lengthOfImpUse of the entry it is writing to. However, this field has not yet been initialized, so it either contains a completely bogus value or the value from the last directory entry at that place. In either case this is wrong and can lead to filesystem corruption or kernel crashes.
This patch deviates from the original upstream patch because in the original upstream patch, udf_get_fi_ident(sfi) was being used instead of (uint8_t *)sfi->fileIdent + liu as the first arg to memcpy at line 77 and line 81. Those subsequent lines have been replaced with what the upstream patch passes in to memcpy.
Reported-by: butt3rflyh4ck butterflyhuangxx@gmail.com
CC: stable@vger.kernel.org
Fixes: 979a6e28dd96 ("udf: Get rid of 0-length arrays in struct fileIdentDesc")
Signed-off-by: Jan Kara jack@suse.cz
Signed-off-by: Nobel Barakat nobelbarakat@google.com
---
fs/udf/namei.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/fs/udf/namei.c b/fs/udf/namei.c index 77b6d89b9bcd..cbd6ad54a23b 100644 --- a/fs/udf/namei.c +++ b/fs/udf/namei.c @@ -74,12 +74,11 @@ int udf_write_fi(struct inode *inode, struct fileIdentDesc *cfi,
if (fileident) { if (adinicb || (offset + lfi < 0)) { - memcpy((uint8_t *)sfi->fileIdent + liu, fileident, lfi); + memcpy(sfi->impUse + liu, fileident, lfi); } else if (offset >= 0) { memcpy(fibh->ebh->b_data + offset, fileident, lfi); } else { - memcpy((uint8_t *)sfi->fileIdent + liu, fileident, - -offset); + memcpy(sfi->impUse + liu, fileident, -offset); memcpy(fibh->ebh->b_data, fileident - offset, lfi + offset); } @@ -88,11 +87,11 @@ int udf_write_fi(struct inode *inode, struct fileIdentDesc *cfi, offset += lfi;
if (adinicb || (offset + padlen < 0)) { - memset((uint8_t *)sfi->padding + liu + lfi, 0x00, padlen); + memset(sfi->impUse + liu + lfi, 0x00, padlen); } else if (offset >= 0) { memset(fibh->ebh->b_data + offset, 0x00, padlen); } else { - memset((uint8_t *)sfi->padding + liu + lfi, 0x00, -offset); + memset(sfi->impUse + liu + lfi, 0x00, -offset); memset(fibh->ebh->b_data, 0x00, padlen + offset); }
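Review bot: In the first hunk the `-` lines (`(uint8_t *)sfi->fileIdent + liu`) already offset by `liu`, the length computed from `cfi`, whereas the upstream form being replaced (`udf_get_fi_ident(sfi)`, per the backport note) read `sfi->lengthOfImpUse` directly; the commit message should say which stale read of `sfi->lengthOfImpUse` this tree actually performs, since the visible change only switches the base pointer from `sfi->fileIdent` to `sfi->impUse`. If the two bases are the same address in this tree (both zero-length arrays at the end of the struct), say so in the backport note so the change reads as alignment with upstream rather than a functional fix. The same question applies to the padding hunk, where `sfi->padding + liu + lfi` becomes `sfi->impUse + liu + lfi`.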
-- 2.39.1.519.gcb327c4b5f-goog
On Mon, Feb 06, 2023 at 10:49:18PM +0000, Nobel Barakat wrote:
> From: Jan Kara jack@suse.cz
> commit c1ad35dd0548ce947d97aaf92f7f2f9a202951cf upstream
> udf_write_fi() uses lengthOfImpUse of the entry it is writing to. However, this field has not yet been initialized, so it either contains a completely bogus value or the value from the last directory entry at that place. In either case this is wrong and can lead to filesystem corruption or kernel crashes.
> This patch deviates from the original upstream patch because in the original upstream patch, udf_get_fi_ident(sfi) was being used instead of (uint8_t *)sfi->fileIdent + liu as the first arg to memcpy at line 77 and line 81. Those subsequent lines have been replaced with what the upstream patch passes in to memcpy.
> Reported-by: butt3rflyh4ck butterflyhuangxx@gmail.com
> CC: stable@vger.kernel.org
> Fixes: 979a6e28dd96 ("udf: Get rid of 0-length arrays in struct fileIdentDesc")
> Signed-off-by: Jan Kara jack@suse.cz
> Signed-off-by: Nobel Barakat nobelbarakat@google.com
> ---
> fs/udf/namei.c | 9 ++++-----
> 1 file changed, 4 insertions(+), 5 deletions(-)
Both now queued up, thanks.
greg k-h