[PATCH] udf: fix uninit-value use in udf_get_fileshortad

From: Gianfranco Trad
Date: Thu Sep 19 2024 - 15:53:07 EST


Syzbot reported a udf uninit-value use in udf_get_fileshortad[1].
The uninit-value use occurs when udf_get_fileshortad is called
with alen having a negative value and epos->offset being equal
to epos->bh->b_size. This check was inserted to mitigate
the uninit-value use. After applying the patch, the reproducer did
not trigger any issue[2].

[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
[2] https://syzkaller.appspot.com/x/log.txt?x=133ab69f980000

Reported-by: syzbot+8901c4560b7ab5c2f9df@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
Tested-by: syzbot+8901c4560b7ab5c2f9df@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Gianfranco Trad <gianf.trad@xxxxxxxxx>
---
fs/udf/inode.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 4726a4d014b6..d21665164779 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -2222,6 +2222,8 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos,

switch (iinfo->i_alloc_type) {
case ICBTAG_FLAG_AD_SHORT:
+ if (unlikely(alen < 0 && epos->offset == epos->bh->b_size))
+ return -1;
sad = udf_get_fileshortad(ptr, alen, &epos->offset, inc);
if (!sad)
return -1;
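Review bot: the new guard in the ICBTAG_FLAG_AD_SHORT case is narrower than the problem the commit message describes: a negative alen is an invalid extent length on its own, so tying the early return to epos->offset == epos->bh->b_size only catches the one combination the reproducer hit, and the other cases of the switch on iinfo->i_alloc_type get no equivalent check. Consider rejecting alen < 0 once before the switch instead; that also avoids the unconditional epos->bh->b_size dereference, which this hunk performs without any visible check that epos->bh is non-NULL. A short comment explaining that the check rejects a corrupted extent length, and possibly a udf_err() rather than a silent return -1, would make it clear to the next reader that this is a metadata-corruption bailout and not the normal end-of-extents path.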
--
2.43.0