This is a note to let you know that I've just added the patch titled
udf: Avoid using stale lengthOfImpUse
to the 5.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
udf-avoid-using-stale-lengthofimpuse.patch
and it can be found in the queue-5.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From c1ad35dd0548ce947d97aaf92f7f2f9a202951cf Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@xxxxxxx>
Date: Tue, 10 May 2022 12:36:04 +0200
Subject: udf: Avoid using stale lengthOfImpUse
From: Jan Kara <jack@xxxxxxx>
commit c1ad35dd0548ce947d97aaf92f7f2f9a202951cf upstream.
udf_write_fi() uses lengthOfImpUse of the entry it is writing to.
However this field has not yet been initialized so it either contains
completely bogus value or value from last directory entry at that place.
In either case this is wrong and can lead to filesystem corruption or
kernel crashes.
Reported-by: butt3rflyh4ck <butterflyhuangxx@xxxxxxxxx>
CC: stable@xxxxxxxxxxxxxxx
Fixes: 979a6e28dd96 ("udf: Get rid of 0-length arrays in struct fileIdentDesc")
Signed-off-by: Jan Kara <jack@xxxxxxx>
[ This patch deviates from the original upstream patch because in the
original upstream patch, udf_get_fi_ident(sfi) was being used instead of
(uint8_t *)sfi->fileIdent + liu as the first arg to memcpy at line 77
and line 81. Those subsequent lines have been replaced with what the
upstream patch passes in to memcpy. ]
Signed-off-by: Nobel Barakat <nobelbarakat@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/udf/namei.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/fs/udf/namei.c
+++ b/fs/udf/namei.c
@@ -75,12 +75,11 @@ int udf_write_fi(struct inode *inode, st
if (fileident) {
if (adinicb || (offset + lfi < 0)) {
- memcpy((uint8_t *)sfi->fileIdent + liu, fileident, lfi);
+ memcpy(sfi->impUse + liu, fileident, lfi);
} else if (offset >= 0) {
memcpy(fibh->ebh->b_data + offset, fileident, lfi);
} else {
- memcpy((uint8_t *)sfi->fileIdent + liu, fileident,
- -offset);
+ memcpy(sfi->impUse + liu, fileident, -offset);
memcpy(fibh->ebh->b_data, fileident - offset,
lfi + offset);
}
@@ -89,11 +88,11 @@ int udf_write_fi(struct inode *inode, st
offset += lfi;
if (adinicb || (offset + padlen < 0)) {
- memset((uint8_t *)sfi->padding + liu + lfi, 0x00, padlen);
+ memset(sfi->impUse + liu + lfi, 0x00, padlen);
} else if (offset >= 0) {
memset(fibh->ebh->b_data + offset, 0x00, padlen);
} else {
- memset((uint8_t *)sfi->padding + liu + lfi, 0x00, -offset);
+ memset(sfi->impUse + liu + lfi, 0x00, -offset);
memset(fibh->ebh->b_data, 0x00, padlen + offset);
}
Patches currently in stable-queue which might be from jack@xxxxxxx are
queue-5.4/udf-avoid-using-stale-lengthofimpuse.patch
