From patchwork Thu Jun 14 15:27:40 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kara <jack@suse.cz>
X-Patchwork-Id: 10464663
Return-Path: <linux-fsdevel-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	86DDB603B4 for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Thu, 14 Jun 2018 15:28:51 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 748C3287B9
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Thu, 14 Jun 2018 15:28:50 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 66D1E287C9; Thu, 14 Jun 2018 15:28:50 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00, MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0A75428789
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Thu, 14 Jun 2018 15:28:50 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S936004AbeFNP2c (ORCPT
	<rfc822;patchwork-linux-fsdevel@patchwork.kernel.org>);
	Thu, 14 Jun 2018 11:28:32 -0400
Received: from mx2.suse.de ([195.135.220.15]:37446 "EHLO mx2.suse.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S935934AbeFNP22 (ORCPT <rfc822;linux-fsdevel@vger.kernel.org>);
	Thu, 14 Jun 2018 11:28:28 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay1.suse.de (charybdis-ext-too.suse.de [195.135.220.254])
	by mx2.suse.de (Postfix) with ESMTP id 481EAAEB6;
	Thu, 14 Jun 2018 15:28:27 +0000 (UTC)
Received: by quack2.suse.cz (Postfix, from userid 1000)
	id 14A881E0678; Thu, 14 Jun 2018 17:28:27 +0200 (CEST)
From: Jan Kara <jack@suse.cz>
To: <linux-fsdevel@vger.kernel.org>
Cc: Jan Kara <jack@suse.cz>,
	Anatoly Trosinenko <anatoly.trosinenko@gmail.com>, stable@vger.kernel.org
Subject: [PATCH 1/3] udf: Detect incorrect directory size
Date: Thu, 14 Jun 2018 17:27:40 +0200
Message-Id: <20180614152742.20640-2-jack@suse.cz>
X-Mailer: git-send-email 2.16.4
In-Reply-To: <20180614152742.20640-1-jack@suse.cz>
References: <20180614152742.20640-1-jack@suse.cz>
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-fsdevel.vger.kernel.org>
X-Mailing-List: linux-fsdevel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Detect when a directory entry is (possibly partially) beyond directory
size and return EIO in that case since it means the filesystem is
corrupted. Otherwise directory operations can further corrupt the
directory and possibly also oops the kernel.

CC: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
CC: stable@vger.kernel.org
Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
---
 fs/udf/directory.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/udf/directory.c b/fs/udf/directory.c
index 0a98a2369738..3835f983cc99 100644
--- a/fs/udf/directory.c
+++ b/fs/udf/directory.c
@@ -152,6 +152,9 @@ struct fileIdentDesc *udf_fileident_read(struct inode *dir, loff_t *nf_pos,
 			       sizeof(struct fileIdentDesc));
 		}
 	}
+	/* Got last entry outside of dir size - fs is corrupted! */
+	if (*nf_pos > dir->i_size)
+		return NULL;
 	return fi;
 }