On Sat 28-02-15 20:23:32, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
>
> The patch below does not apply to the 3.19-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@xxxxxxxxxxxxxxx>.

Strange. It applies fine to 3.19 for me. Can you check what has happened?

                                                                Honza

>
> thanks,
>
> greg k-h
>
> ------------------ original commit in Linus's tree ------------------
>
> From 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 Mon Sep 17 00:00:00 2001
> From: Jan Kara <jack@xxxxxxx>
> Date: Wed, 7 Jan 2015 13:49:08 +0100
> Subject: [PATCH] udf: Check length of extended attributes and allocation
>  descriptors
>
> Check length of extended attributes and allocation descriptors when
> loading inodes from disk. Otherwise corrupted filesystems could confuse
> the code and make the kernel oops.
>
> Reported-by: Carl Henrik Lunde <chlunde@xxxxxxxxxxx>
> CC: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Jan Kara <jack@xxxxxxx>
>
> diff --git a/fs/udf/inode.c b/fs/udf/inode.c > index 95cb6970c3ea..7b72b7dd8906 100644 > --- a/fs/udf/inode.c > +++ b/fs/udf/inode.c > @@ -1487,6 +1487,15 @@ reread: > } > inode->i_generation = iinfo->i_unique; > > + /* > + * Sanity check length of allocation descriptors and extended attrs to > + * avoid integer overflows > + */ > + if (iinfo->i_lenEAttr > bs || iinfo->i_lenAlloc > bs) > + goto out; > + /* Now do exact checks */ > + if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > bs) > + goto out;  > /* Sanity checks for files in ICB so that we don't get confused later */ > if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { > /* >
-- 
Jan Kara <jack@xxxxxxx>
SUSE Labs, CR
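Review bot: Both new rejections in the fs/udf/inode.c hunk (the coarse `i_lenEAttr > bs || i_lenAlloc > bs` test and the exact `udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > bs` test) leave through `goto out` without any diagnostic, so a corrupted image is refused with nothing in the log to say which length was out of range; a short debug or warning message naming the inode and the offending field would make such reports easier to triage. The hunk also does not show what value is returned at `out`, so it is worth confirming that an error code is already set at this point in the function. Finally, the exact check mentions only `i_lenAlloc` explicitly; if the extended attribute length is covered through `udf_file_entry_alloc_offset()`, saying so in the "Now do exact checks" comment would save the next reader from having to look it up.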