On Wed 25-09-24 09:46:15, Gianfranco Trad wrote:
Check for overflow when computing alen in udf_current_aext to mitigate
later uninit-value use in udf_get_fileshortad KMSAN bug[1].
After applying the patch reproducer did not trigger any issue[2].
[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
[2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000
Reported-by: syzbot+8901c4560b7ab5c2f9df@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
Tested-by: syzbot+8901c4560b7ab5c2f9df@xxxxxxxxxxxxxxxxxxxxxxxxx
Suggested-by: Jan Kara <jack@xxxxxxxx>
Signed-off-by: Gianfranco Trad <gianf.trad@xxxxxxxxx>
Thanks. I've added the patch to my tree.
Honza
---
Notes:
changes in v2:
- use check_add_overflow helper to check for overflow.
link to v1: https://lore.kernel.org/all/20240919195227.412583-1-gianf.trad@xxxxxxxxx/T/
fs/udf/inode.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 4726a4d014b6..811a035b600f 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -2215,9 +2215,10 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos,
if (!epos->offset)
epos->offset = sizeof(struct allocExtDesc);
ptr = epos->bh->b_data + epos->offset;
- alen = sizeof(struct allocExtDesc) +
- le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)->
- lengthAllocDescs);
+ if (check_add_overflow(sizeof(struct allocExtDesc),
+ le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)
+ ->lengthAllocDescs), &alen))
+ return -1;
}
switch (iinfo->i_alloc_type) {
--
2.43.0