udf: Check length of extended attributes and allocation descriptors

commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.

Check length of extended attributes and allocation descriptors when
loading inodes from disk. Otherwise corrupted filesystems could confuse
the code and make the kernel oops.

This fixes CVE-2015-4167.

Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
Signed-off-by: Jan Kara <jack@suse.cz>
[Use make_bad_inode() instead of branching due to older implementation.]
Signed-off-by: Chas Williams <3chas3@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 287cd5f234210e0eb502d4b5cd60b2aaf402478e..142d29e3ccdfe1a541cf28af5ae171909339400b 100644 (file)
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1496,6 +1496,22 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
                iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint);
        }
 
+       /*
+        * Sanity check length of allocation descriptors and extended attrs to
+        * avoid integer overflows
+        */
+       if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize
+                       || iinfo->i_lenAlloc > inode->i_sb->s_blocksize) {
+               make_bad_inode(inode);
+               return;
+       }
+       /* Now do exact checks */
+       if (udf_file_entry_alloc_offset(inode)
+                       + iinfo->i_lenAlloc > inode->i_sb->s_blocksize) {
+               make_bad_inode(inode);
+               return;
+       }
+
        switch (fe->icbTag.fileType) {
        case ICBTAG_FILE_TYPE_DIRECTORY:
                inode->i_op = &udf_dir_inode_operations;