Patch "udf: Detect system inodes linked into directory hierarchy" has been added to the 5.4-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 06 Mar 2023 14:44:21 +0100

This is a note to let you know that I've just added the patch titled

    udf: Detect system inodes linked into directory hierarchy

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     udf-detect-system-inodes-linked-into-directory-hierarchy.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 85a37983ec69cc9fcd188bc37c4de15ee326355a Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@xxxxxxx>
Date: Tue, 3 Jan 2023 10:03:35 +0100
Subject: udf: Detect system inodes linked into directory hierarchy

From: Jan Kara <jack@xxxxxxx>

commit 85a37983ec69cc9fcd188bc37c4de15ee326355a upstream.

When UDF filesystem is corrupted, hidden system inodes can be linked
into directory hierarchy which is an avenue for further serious
corruption of the filesystem and kernel confusion as noticed by syzbot
fuzzed images. Refuse to access system inodes linked into directory
hierarchy and vice versa.

CC: stable@xxxxxxxxxxxxxxx
Reported-by: syzbot+38695a20b8addcbc1084@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Jan Kara <jack@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/udf/inode.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1900,8 +1900,13 @@ struct inode *__udf_iget(struct super_bl
 	if (!inode)
 		return ERR_PTR(-ENOMEM);
 
-	if (!(inode->i_state & I_NEW))
+	if (!(inode->i_state & I_NEW)) {
+		if (UDF_I(inode)->i_hidden != hidden_inode) {
+			iput(inode);
+			return ERR_PTR(-EFSCORRUPTED);
+		}
 		return inode;
+	}
 
 	memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr));
 	err = udf_read_inode(inode, hidden_inode);


Patches currently in stable-queue which might be from jack@xxxxxxx are

queue-5.4/udf-fix-file-corruption-when-appending-just-after-end-of-preallocated-extent.patch
queue-5.4/udf-do-not-update-file-length-for-failed-writes-to-inline-files.patch
queue-5.4/udf-truncate-added-extents-on-failed-expansion.patch
queue-5.4/udf-detect-system-inodes-linked-into-directory-hierarchy.patch
queue-5.4/udf-do-not-bother-merging-very-long-extents.patch
queue-5.4/udf-define-efscorrupted-error-code.patch
queue-5.4/udf-preserve-link-count-of-system-files.patch






