[PATCH 12/12 linux-next] udf: check partition reference in udf_read_inode()

From: Fabian Frederick
Date: Fri Jan 06 2017 - 15:55:23 EST


We were checking block number without checking partition.
sbi->s_partmaps[iloc->partitionReferenceNum] could lead to
bad memory access. See udf_nfs_get_inode() path for instance.

Signed-off-by: Fabian Frederick <fabf@xxxxxxxxx>
---
fs/udf/inode.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 47638eb..3926973 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1276,6 +1276,12 @@ static int udf_read_inode(struct inode *inode, bool hidden_inode)
int ret = -EIO;

reread:
+ if (iloc->partitionReferenceNum >= sbi->s_partitions) {
+ udf_debug("partition reference: %d > logical volume partitions: %d\n",
+ iloc->partitionReferenceNum, sbi->s_partitions);
+ return -EIO;
+ }
+
if (iloc->logicalBlockNum >=
sbi->s_partmaps[iloc->partitionReferenceNum].s_partition_len) {
udf_debug("block=%d, partition=%d out of range\n",
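Review bot: The udf_debug() text in the added check reads "partition reference: %d > logical volume partitions: %d", but the condition is `>=`, so when partitionReferenceNum equals s_partitions the log line states a relation that does not hold. Wording that matches the test would be clearer, for example "partition reference: %d out of range (partitions: %d)", which is also in line with the "out of range" message of the block-number check just below it. The new check also sits after the reread: label, so it runs again on every jump back to that label; if iloc cannot change across a reread, placing it above the label would avoid the repeat.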
--
2.7.4