udf: Avoid using stale lengthOfImpUse
udf_write_fi() uses lengthOfImpUse of the entry it is writing to.
However, this field has not yet been initialized, so it either contains
a completely bogus value or the value from the last directory entry at that place.
In either case this is wrong and can lead to filesystem corruption or
kernel crashes.

Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
CC: stable@vger.kernel.org
Fixes: 979a6e2 ("udf: Get rid of 0-length arrays in struct fileIdentDesc")
Signed-off-by: Jan Kara <jack@suse.cz>
jankara committed May 10, 2022
1 parent 846a335 commit c1ad35d
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions fs/udf/namei.c
Expand Up @@ -75,11 +75,11 @@ int udf_write_fi(struct inode *inode, struct fileIdentDesc *cfi,

if (fileident) {
if (adinicb || (offset + lfi < 0)) {
memcpy(udf_get_fi_ident(sfi), fileident, lfi);
memcpy(sfi->impUse + liu, fileident, lfi);
} else if (offset >= 0) {
memcpy(fibh->ebh->b_data + offset, fileident, lfi);
} else {
memcpy(udf_get_fi_ident(sfi), fileident, -offset);
memcpy(sfi->impUse + liu, fileident, -offset);
memcpy(fibh->ebh->b_data, fileident - offset,
lfi + offset);
}
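Review bot: the replacement of `udf_get_fi_ident(sfi)` by `sfi->impUse + liu` in all three memcpy calls is only correct if `liu` is the imp-use length that this entry will carry once `sfi->lengthOfImpUse` is filled in from it; that computation is outside the hunk, so a one-line comment at the first memcpy saying why the helper is bypassed here (the field on `sfi` is stale at this point, as the commit message explains) would keep the next reader from "simplifying" it back. Since `udf_get_fi_ident()` is evidently unsafe on an entry whose header has not been written yet, consider also documenting that constraint on the helper itself, or giving it a variant that takes the length explicitly, so the same bug is not reintroduced elsewhere in the write path.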
Expand All @@ -88,11 +88,11 @@ int udf_write_fi(struct inode *inode, struct fileIdentDesc *cfi,
offset += lfi;

if (adinicb || (offset + padlen < 0)) {
memset(udf_get_fi_ident(sfi) + lfi, 0x00, padlen);
memset(sfi->impUse + liu + lfi, 0x00, padlen);
} else if (offset >= 0) {
memset(fibh->ebh->b_data + offset, 0x00, padlen);
} else {
memset(udf_get_fi_ident(sfi) + lfi, 0x00, -offset);
memset(sfi->impUse + liu + lfi, 0x00, -offset);
memset(fibh->ebh->b_data, 0x00, padlen + offset);
}

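Review bot: this mirrors the fileident block above, with the padding memsets now starting at `sfi->impUse + liu + lfi` in both the in-ICB branch and the split branch. The split branch relies on `offset` (after `offset += lfi;`) and `liu` describing the same layout: `-offset` bytes of padding go into the in-ICB part and `padlen + offset` into `fibh->ebh->b_data`, which only adds up if `offset` was derived using the same `liu` as these pointers; a short comment stating that invariant next to `offset += lfi;` would make it explicit. Given the "value from the last directory entry at that place" failure mode in the commit message, a regression test that writes a new entry into a directory whose preceding entry had a non-zero lengthOfImpUse would be a good addition to cover this path.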
