On Sun 28-07-19 14:19:12, Steve Magnani wrote: > The UDF bitmap allocation code assumes that a recorded > Unallocated Space Bitmap is compliant with ECMA-167 4/13, > which requires that pad bytes between the end of the bitmap > and the end of a logical block are all zero. > > When a recorded bitmap does not comply with this requirement, > for example one padded with FF to the block boundary instead > of 00, the allocator may "allocate" blocks that are outside > the UDF partition extent. This can result in UDF volume descriptors > being overwritten by file data or by partition-level descriptors, > and in extreme cases, even in scribbling on a subsequent disk partition. > > Add a check that the block selected by the allocator actually > resides within the UDF partition extent. > > Signed-off-by: Steven J. Magnani <steve@xxxxxxxxxxxxxxx> Thanks for the patch! Added to my tree. I've just slightly modified the patch to also output error message about filesystem corruption. Honza > > --- a/fs/udf/balloc.c 2019-07-26 11:35:28.249563705 -0500 > +++ b/fs/udf/balloc.c 2019-07-28 13:11:25.061431597 -0500 > @@ -325,6 +325,13 @@ got_block: > newblock = bit + (block_group << (sb->s_blocksize_bits + 3)) - > (sizeof(struct spaceBitmapDesc) << 3); > > + if (newblock >= sbi->s_partmaps[partition].s_partition_len) { > + /* Ran off the end of the bitmap, > + * and bits following are non-compliant (not all zero) > + */ > + goto error_return; > + } > + > if (!udf_clear_bit(bit, bh->b_data)) { > udf_debug("bit already cleared for block %d\n", bit); > goto repeat; > -- Jan Kara <jack@xxxxxxxx> SUSE Labs, CR
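Review bot: the new range check in the `got_block:` hunk (`if (newblock >= sbi->s_partmaps[partition].s_partition_len)`) jumps to `error_return` without reporting anything, so an allocation that fails because the on-disk Unallocated Space Bitmap is non-compliant (pad bits set past the end of the partition) is indistinguishable from an ordinary out-of-space failure for anyone reading the logs. Reaching this branch means the bitmap itself is corrupt, so the check should emit a filesystem-corruption error message before the `goto`, which is what the maintainer's reply says was added on merge; the in-code comment could also say that `newblock` would lie beyond the partition extent, since that is the condition that leads to the descriptor overwrites described in the changelog. Placing the check before `udf_clear_bit()` is the right order, as the bogus bit is never cleared in the buffer.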