Commit a47241cd authored by Alden Tondettar's avatar Alden Tondettar Committed by Jan Kara

udf: Prevent stack overflow on corrupted filesystem mount

Presently, a corrupted or malicious UDF filesystem containing a very large
number (or cycle) of Logical Volume Integrity Descriptor extent
indirections may trigger a stack overflow and kernel panic in
udf_load_logicalvolint() on mount.

Replace the unnecessary recursion in udf_load_logicalvolint() with
simple iteration. Set an arbitrary limit of 1000 indirections (which would
have almost certainly overflowed the stack without this fix), and treat
such cases as if there were no LVID.
Signed-off-by: default avatarAlden Tondettar <alden.tondettar@gmail.com>
Signed-off-by: default avatarJan Kara <jack@suse.cz>
parent c26f6c61
...@@ -78,6 +78,15 @@ ...@@ -78,6 +78,15 @@
#define VSD_FIRST_SECTOR_OFFSET 32768 #define VSD_FIRST_SECTOR_OFFSET 32768
#define VSD_MAX_SECTOR_OFFSET 0x800000 #define VSD_MAX_SECTOR_OFFSET 0x800000
/*
* Maximum number of Terminating Descriptor / Logical Volume Integrity
* Descriptor redirections. The chosen numbers are arbitrary - just that we
* hopefully don't limit any real use of rewritten inode on write-once media
* but avoid looping for too long on corrupted media.
*/
#define UDF_MAX_TD_NESTING 64
#define UDF_MAX_LVID_NESTING 1000
enum { UDF_MAX_LINKS = 0xffff }; enum { UDF_MAX_LINKS = 0xffff };
/* These are the "meat" - everything else is stuffing */ /* These are the "meat" - everything else is stuffing */
...@@ -1541,42 +1550,52 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, ...@@ -1541,42 +1550,52 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
} }
/* /*
* udf_load_logicalvolint * Find the prevailing Logical Volume Integrity Descriptor.
*
*/ */
static void udf_load_logicalvolint(struct super_block *sb, struct kernel_extent_ad loc) static void udf_load_logicalvolint(struct super_block *sb, struct kernel_extent_ad loc)
{ {
struct buffer_head *bh = NULL; struct buffer_head *bh, *final_bh;
uint16_t ident; uint16_t ident;
struct udf_sb_info *sbi = UDF_SB(sb); struct udf_sb_info *sbi = UDF_SB(sb);
struct logicalVolIntegrityDesc *lvid; struct logicalVolIntegrityDesc *lvid;
int indirections = 0;
while (++indirections <= UDF_MAX_LVID_NESTING) {
final_bh = NULL;
while (loc.extLength > 0 && while (loc.extLength > 0 &&
(bh = udf_read_tagged(sb, loc.extLocation, (bh = udf_read_tagged(sb, loc.extLocation,
loc.extLocation, &ident)) && loc.extLocation, &ident))) {
ident == TAG_IDENT_LVID) { if (ident != TAG_IDENT_LVID) {
sbi->s_lvid_bh = bh; brelse(bh);
lvid = (struct logicalVolIntegrityDesc *)bh->b_data; break;
}
if (lvid->nextIntegrityExt.extLength) brelse(final_bh);
udf_load_logicalvolint(sb, final_bh = bh;
leea_to_cpu(lvid->nextIntegrityExt));
if (sbi->s_lvid_bh != bh)
brelse(bh);
loc.extLength -= sb->s_blocksize; loc.extLength -= sb->s_blocksize;
loc.extLocation++; loc.extLocation++;
} }
if (sbi->s_lvid_bh != bh)
brelse(bh); if (!final_bh)
return;
brelse(sbi->s_lvid_bh);
sbi->s_lvid_bh = final_bh;
lvid = (struct logicalVolIntegrityDesc *)final_bh->b_data;
if (lvid->nextIntegrityExt.extLength == 0)
return;
loc = leea_to_cpu(lvid->nextIntegrityExt);
}
udf_warn(sb, "Too many LVID indirections (max %u), ignoring.\n",
UDF_MAX_LVID_NESTING);
brelse(sbi->s_lvid_bh);
sbi->s_lvid_bh = NULL;
} }
/*
* Maximum number of Terminating Descriptor redirections. The chosen number is
* arbitrary - just that we hopefully don't limit any real use of rewritten
* inode on write-once media but avoid looping for too long on corrupted media.
*/
#define UDF_MAX_TD_NESTING 64
/* /*
* Process a main/reserve volume descriptor sequence. * Process a main/reserve volume descriptor sequence.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment