udf_get_extendedattr() had no boundary checks.

[ Upstream commit 58bc6d1be2f3b0ceecb6027dfa17513ec6aa2abb ] When parsing the ExtendedAttr data, malicous or corrupt attribute length could cause kernel hangs and buffer overruns in some special cases. Link: https://lore.kernel.org/r/20210822093332.25234-1-stian.skjelstad@gmail.com Signed-off-by: Stian Skjelstad <stian.skjelstad@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Stian Skjelstad <stian.skjelstad@gmail.com> 2021-08-22 11:33:32 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-09-22 11:41:19 +0200
commit: 983d381214ec8f9327597430c31dc0e00d8c1cd7 (patch)
tree: 6fea42b07a72ddaf560eaaee19f6f1954678c13a /fs
parent: cd097bedd6d534a024d40f93cdd6c7f495d1b705 (diff)
1 files changed, 11 insertions, 2 deletions
diff --git a/fs/udf/misc.c b/fs/udf/misc.c
index 71d1c25f360d..8c7f9ea251e5 100644
--- a/fs/udf/misc.c
+++ b/fs/udf/misc.c
@@ -175,13 +175,22 @@ struct genericFormat *udf_get_extendedattr(struct inode *inode, uint32_t type,
 		else
 			offset = le32_to_cpu(eahd->appAttrLocation);
 
-		while (offset < iinfo->i_lenEAttr) {
+		while (offset + sizeof(*gaf) < iinfo->i_lenEAttr) {
+			uint32_t attrLength;
+
 			gaf = (struct genericFormat *)&ea[offset];
+			attrLength = le32_to_cpu(gaf->attrLength);
+
+			/* Detect undersized elements and buffer overflows */
+			if ((attrLength < sizeof(*gaf)) ||
+			    (attrLength > (iinfo->i_lenEAttr - offset)))
+				break;
+
 			if (le32_to_cpu(gaf->attrType) == type &&
 					gaf->attrSubtype == subtype)
 				return gaf;
 			else
-				offset += le32_to_cpu(gaf->attrLength);
+				offset += attrLength;
 		}
 	}
author	Stian Skjelstad <stian.skjelstad@gmail.com>	2021-08-22 11:33:32 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-09-22 11:41:19 +0200
commit	983d381214ec8f9327597430c31dc0e00d8c1cd7 (patch)
tree	6fea42b07a72ddaf560eaaee19f6f1954678c13a /fs
parent	cd097bedd6d534a024d40f93cdd6c7f495d1b705 (diff)