From patchwork Wed Feb 14 10:28:45 2018
X-Patchwork-Submitter: Jan Kara
X-Patchwork-Id: 10218359
From: Jan Kara
Cc: Pali Rohár, Jan Kara
Subject: [PATCH 1/6] udf: Fix off-by-one in volume descriptor sequence length
Date: Wed, 14 Feb 2018 11:28:45 +0100
Message-Id: <20180214102850.28755-2-jack@suse.cz>
In-Reply-To: <20180214102850.28755-1-jack@suse.cz>
References: <20180214102850.28755-1-jack@suse.cz>
X-Mailing-List: linux-fsdevel@vger.kernel.org

We pass one block beyond end of volume descriptor sequence into process_sequence() as 'lastblock' instead of the last block of the sequence. When the sequence is not terminated with TD descriptor, this could lead to false errors due to invalid blocks in volume descriptor sequence and thus unmountable volumes.

Signed-off-by: Jan Kara

--- fs/udf/super.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/udf/super.c b/fs/udf/super.c index f73239a9a97d..5c5d5fd513cc 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c @@ -1658,7 +1658,7 @@ static noinline int udf_process_sequence( next_e = le32_to_cpu( vdp->nextVolDescSeqExt.extLength); next_e = next_e >> sb->s_blocksize_bits; - next_e += next_s; + next_e += next_s - 1; } break; case TAG_IDENT_IUVD: /* ISO 13346 3/10.4 */ @@ -1760,13 +1760,13 @@ static int udf_load_sequence(struct super_block *sb, struct buffer_head *bh, main_s = le32_to_cpu(anchor->mainVolDescSeqExt.extLocation); main_e = le32_to_cpu(anchor->mainVolDescSeqExt.extLength); main_e = main_e >> sb->s_blocksize_bits; - main_e += main_s; + main_e += main_s - 1; /* Locate the reserve sequence */ reserve_s = le32_to_cpu(anchor->reserveVolDescSeqExt.extLocation); reserve_e = le32_to_cpu(anchor->reserveVolDescSeqExt.extLength); reserve_e = reserve_e >> sb->s_blocksize_bits; - reserve_e += reserve_s; + reserve_e += reserve_s - 1; /* Process the main & reserve sequences */ /* responsible for finding the PartitionDesc(s) */
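Review bot: in the udf_process_sequence() hunk, `next_e += next_s - 1;` has no guard for a next extent shorter than one block. `vdp->nextVolDescSeqExt.extLength` is read from the medium, and after `>> sb->s_blocksize_bits` it can be 0, which leaves next_e one block before next_s, and wraps when next_s is 0 if these variables are unsigned (their types are not visible in the hunk). Before this change the same input gave next_e == next_s, so any later test on next_e now sees a different value for an empty extent. Suggest checking the shifted length for zero before subtracting, or stating in the commit message that the code consuming next_e treats an end below the start as an empty range.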
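Review bot: in the udf_load_sequence() hunk, `main_e += main_s - 1;` and `reserve_e += reserve_s - 1;` use extLocation and extLength straight from the anchor, so an extLength below one block yields an end one block before the start (and a wrap for a start of 0 if the variables are unsigned, which the hunk does not show). Consider skipping or rejecting a zero-block extent before the "Process the main & reserve sequences" step. A short comment that main_e and reserve_e now hold the inclusive last block would also help: the same "length plus start minus 1" expression appears three times in this patch, and the `_e` names do not say which convention applies.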