From: Jan Kara <jack@suse.cz>
Date: Tue, 10 Jul 2012 17:58:04 +0200
Subject: udf: Improve table length check to avoid possible overflow
When a partition table length is corrupted to be close to 1 << 32, the
check for its length may overflow on 32-bit systems and we will think
the length is valid. Later on the kernel can crash trying to read beyond
end of buffer. Fix the check to avoid possible overflow.
CC: stable@vger.kernel.org
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Jan Kara <jack@suse.cz>
---
fs/udf/super.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/fs/udf/super.c b/fs/udf/super.c
index 8a75838..dcbf987 100644
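--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1340,7 +1340,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
 BUG_ON(ident != TAG_IDENT_LVD);
 lvd = (struct logicalVolDesc *)bh->b_data;
 table_len = le32_to_cpu(lvd->mapTableLength);
- if (sizeof(*lvd) + table_len > sb->s_blocksize) {
+ if (table_len > sb->s_blocksize - sizeof(*lvd)) {
 udf_err(sb, "error loading logical volume descriptor: "
 "Partition table too long (%u > %lu)\n", table_len,
 sb->s_blocksize - sizeof(*lvd));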
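Review bot: The rewritten guard `table_len > sb->s_blocksize - sizeof(*lvd)` is only overflow-free if `sb->s_blocksize` is never smaller than `sizeof(*lvd)`; the subtraction is unsigned, so a smaller block size would wrap to a huge bound and let any `table_len` through. Nothing in this hunk establishes that invariant, and udf_load_logicalvol starts and ends outside it, so the block-size validation presumably lives elsewhere. Either make it explicit, `if (sb->s_blocksize < sizeof(*lvd) || table_len > sb->s_blocksize - sizeof(*lvd)) {`, or add a comment above the check such as `/* s_blocksize >= sizeof(*lvd) here; keep the subtraction form, the sum can wrap on 32-bit */` so the comparison is not later simplified back to the additive form.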