Re: [PATCH v2] udf: balloc: prevent integer overflow in udf_bitmap_free_blocks()

From: Jan Kara
Date: Thu Jun 20 2024 - 09:38:19 EST


On Thu 20-06-24 10:24:13, Roman Smirnov wrote:
> An overflow may occur if the function is called with the last
> block and an offset greater than zero. It is necessary to add
> a check to avoid this.
>
> Overflow is also possible when we sum offset and
> sizeof(struct spaceBitmapDesc) << 3. For this reason it
> is necessary to check overflow of this too. The result is
> stored in total_offset.
>
> Found by Linux Verification Center (linuxtesting.org) with Svace.
>
> Suggested-by: Jan Kara <jack@xxxxxxxx>
> Signed-off-by: Roman Smirnov <r.smirnov@xxxxxx>

Thanks for the patch. In the end I've noticed that unalloc table block
freeing has the same overflow checks and I've decided to move bitmap offset
overflow verification into mount code (so that any bitmap offset for a
block within a partition cannot overflow u32). The resulting patches are
attached for reference and I've queued them in my tree.

Honza
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR
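
The two additions the commit message describes, modelled in user-space C as an added example (not the kernel code or the patches queued in Jan's tree); the 24-byte size of struct spaceBitmapDesc is assumed from the ECMA-167 layout (16-byte tag plus two __le32 fields).

```c
/* Added example, not the kernel patch: a user-space model of the two
 * additions in udf_bitmap_free_blocks() that the commit message says can
 * overflow, with the checks it asks for. sizeof(struct spaceBitmapDesc)
 * is assumed to be 24 bytes (16-byte tag + numOfBits + numOfBytes). */
#include <stdint.h>
#include <stdio.h>

#define SPACE_BITMAP_DESC_BYTES 24u
/* Header bits that precede the bitmap proper: sizeof(desc) << 3. */
#define SPACE_BITMAP_DESC_BITS  (SPACE_BITMAP_DESC_BYTES << 3)

/*
 * Compute total_offset = offset + (sizeof(struct spaceBitmapDesc) << 3)
 * and then block + total_offset, refusing if either u32 sum wraps.
 * Returns 0 and stores the bit index on success, -1 on overflow.
 */
int udf_bitmap_bit_index(uint32_t block, uint32_t offset, uint32_t *bit)
{
    uint32_t total_offset, index;

    /* Second overflow from the commit message: offset + header bits. */
    if (__builtin_add_overflow(offset, SPACE_BITMAP_DESC_BITS, &total_offset))
        return -1;
    /* First overflow: the last block plus a non-zero offset wraps. */
    if (__builtin_add_overflow(block, total_offset, &index))
        return -1;
    *bit = index;
    return 0;
}

int main(void)
{
    uint32_t bit = 0;
    int rc;

    /* Constructed inputs: one normal call and the two wrapping cases. */
    rc = udf_bitmap_bit_index(100, 5, &bit);
    printf("normal: rc=%d bit=%u\n", rc, bit);
    rc = udf_bitmap_bit_index(UINT32_MAX, 1, &bit);
    printf("last block, offset 1: rc=%d\n", rc);
    rc = udf_bitmap_bit_index(0, UINT32_MAX - 100, &bit);
    printf("offset near UINT32_MAX: rc=%d\n", rc);
    return 0;
}
```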