On Mon, Feb 06, 2023 at 10:49:18PM +0000, Nobel Barakat wrote:
> From: Jan Kara <jack@xxxxxxx>
>
> commit c1ad35dd0548ce947d97aaf92f7f2f9a202951cf upstream
>
> udf_write_fi() uses lengthOfImpUse of the entry it is writing to.
> However this field has not yet been initialized, so it either contains
> a completely bogus value or the value from the last directory entry at that place.
> In either case this is wrong and can lead to filesystem corruption or
> kernel crashes.
>
> This patch deviates from the original upstream patch because in the original
> upstream patch, udf_get_fi_ident(sfi) was being used instead of (uint8_t *)sfi->fileIdent + liu
> as the first arg to memcpy at line 77 and line 81. Those subsequent lines have been
> replaced with what the upstream patch passes in to memcpy.
>
>
> Reported-by: butt3rflyh4ck <butterflyhuangxx@xxxxxxxxx>
> CC: stable@xxxxxxxxxxxxxxx
> Fixes: 979a6e28dd96 ("udf: Get rid of 0-length arrays in struct fileIdentDesc")
> Signed-off-by: Jan Kara <jack@xxxxxxx>
> Signed-off-by: Nobel Barakat <nobelbarakat@xxxxxxxxxx>
> ---
> fs/udf/namei.c | 9 ++++-----
> 1 file changed, 4 insertions(+), 5 deletions(-)

Both now queued up, thanks.

greg k-h