X-Patchwork-Submitter: Fabian Frederick
X-Patchwork-Id: 9501801
From: Fabian Frederick
To: Jan Kara
Cc: fabf@skynet.be, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: [PATCH 12/12 linux-next] udf: check partition reference in udf_read_inode()
Date: Fri, 6 Jan 2017 21:54:43 +0100
Message-Id: <1483736083-25193-3-git-send-email-fabf@skynet.be>

We were checking block number without checking partition. sbi->s_partmaps[iloc->partitionReferenceNum] could lead to bad memory access. See udf_nfs_get_inode() path for instance.

Signed-off-by: Fabian Frederick

--- fs/udf/inode.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index 47638eb..3926973 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -1276,6 +1276,12 @@ static int udf_read_inode(struct inode *inode, bool hidden_inode) int ret = -EIO; reread: + if (iloc->partitionReferenceNum >= sbi->s_partitions) { + udf_debug("partition reference: %d > logical volume partitions: %d\n", + iloc->partitionReferenceNum, sbi->s_partitions); + return -EIO; + } + if (iloc->logicalBlockNum >= sbi->s_partmaps[iloc->partitionReferenceNum].s_partition_len) { udf_debug("block=%d, partition=%d out of range\n",
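
Review bot: the udf_debug() string in the added block reads "partition reference: %d > logical volume partitions: %d", but the condition it reports is ">=", so the message is inaccurate when partitionReferenceNum equals s_partitions, which is the first index past the end of s_partmaps[]. Suggest printing ">=" or following the wording of the existing "block=%d, partition=%d out of range" message just below, so both rejections read the same way in the log. The changelog names udf_nfs_get_inode() as one path that reaches this point with an unvalidated partition reference; it would help to state there whether any other code that indexes s_partmaps[] with an on-disk or caller-supplied partitionReferenceNum needs the same bound check, or whether this check covers them all.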