1. Patchew
  2. linux
  3. View series

[PATCH v2] udf: Check consistency of Space Bitmap Descriptor

Vladislav Efanov posted 1 patch 3 years, 2 months ago 
fs/udf/balloc.c  | 24 ++++++++++++++++++++++++
fs/udf/udfdecl.h |  1 +
2 files changed, 25 insertions(+)
[PATCH v2] udf: Check consistency of Space Bitmap Descriptor
Posted by Vladislav Efanov 3 years, 2 months ago 
Bits, which are related to Bitmap Descriptor logical blocks,
are not reset when buffer headers are allocated for them. As the
result, these logical blocks can be treated as free and
be used for other blocks.This can cause usage of one buffer header
for several types of data. UDF issues WARNING in this situation:

WARNING: CPU: 0 PID: 2703 at fs/udf/inode.c:2014
  __udf_add_aext+0x685/0x7d0 fs/udf/inode.c:2014

RIP: 0010:__udf_add_aext+0x685/0x7d0 fs/udf/inode.c:2014
Call Trace:
 udf_setup_indirect_aext+0x573/0x880 fs/udf/inode.c:1980
 udf_add_aext+0x208/0x2e0 fs/udf/inode.c:2067
 udf_insert_aext fs/udf/inode.c:2233 [inline]
 udf_update_extents fs/udf/inode.c:1181 [inline]
 inode_getblk+0x1981/0x3b70 fs/udf/inode.c:885

Found by Linux Verification Center (linuxtesting.org) with syzkaller.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Vladislav Efanov <VEfanov@ispras.ru>
---
v2: Do not clear bits related to Bitmap Descriptor logical blocks,
but return -EFSCORRUPTED error instead.
 fs/udf/balloc.c  | 24 ++++++++++++++++++++++++
 fs/udf/udfdecl.h |  1 +
 2 files changed, 25 insertions(+)

diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c
index 8e597db4d971..ce28d2567f91 100644
--- a/fs/udf/balloc.c
+++ b/fs/udf/balloc.c
@@ -37,6 +37,11 @@ static int read_block_bitmap(struct super_block *sb,
 {
 	struct buffer_head *bh = NULL;
 	int retval = 0;
+	int i;
+	int max_bits = 0;
+	int max_bits_1st;
+	int max_bits_others;
+	int rest_bits;
 	struct kernel_lb_addr loc;
 
 	loc.logicalBlockNum = bitmap->s_extPosition;
@@ -47,6 +52,25 @@ static int read_block_bitmap(struct super_block *sb,
 		retval = -EIO;
 
 	bitmap->s_block_bitmap[bitmap_nr] = bh;
+	/* Check consistency of Space Bitmap buffer. */
+	if (bh) {
+		max_bits_others = sb->s_blocksize * 8;
+		max_bits_1st = max_bits_others - (sizeof(struct spaceBitmapDesc) << 3);
+		rest_bits = (bitmap->s_nr_groups > max_bits_1st) ?
+					bitmap->s_nr_groups - max_bits_1st : 0;
+		if (!bitmap_nr)
+			max_bits = min(max_bits_1st, bitmap->s_nr_groups);
+		else if (bitmap_nr < rest_bits / max_bits_others + 1)
+			max_bits = max_bits_others;
+		else if (bitmap_nr == rest_bits / max_bits_others + 1)
+			max_bits = rest_bits % max_bits_others;
+		for (i = 0; i < max_bits; i++) {
+			if (udf_test_bit(i + (bitmap_nr ? 0 :
+				(sizeof(struct spaceBitmapDesc) << 3)),
+				 bh->b_data))
+				return -EFSCORRUPTED;
+		}
+	}
 	return retval;
 }
 
diff --git a/fs/udf/udfdecl.h b/fs/udf/udfdecl.h
index 7e258f15b8ef..130290ae3329 100644
--- a/fs/udf/udfdecl.h
+++ b/fs/udf/udfdecl.h
@@ -16,6 +16,7 @@
 #include "udfend.h"
 #include "udf_i.h"
 
+#define EFSCORRUPTED	EUCLEAN		/* Filesystem is corrupted */
 #define UDF_DEFAULT_PREALLOC_BLOCKS	8
 
 extern __printf(3, 4) void _udf_err(struct super_block *sb,
-- 
2.34.1
Re: [PATCH v2] udf: Check consistency of Space Bitmap Descriptor
Posted by Jan Kara 3 years, 2 months ago 
On Thu 02-02-23 17:04:56, Vladislav Efanov wrote:
> Bits, which are related to Bitmap Descriptor logical blocks,
> are not reset when buffer headers are allocated for them. As the
> result, these logical blocks can be treated as free and
> be used for other blocks.This can cause usage of one buffer header
> for several types of data. UDF issues WARNING in this situation:
> 
> WARNING: CPU: 0 PID: 2703 at fs/udf/inode.c:2014
>   __udf_add_aext+0x685/0x7d0 fs/udf/inode.c:2014
> 
> RIP: 0010:__udf_add_aext+0x685/0x7d0 fs/udf/inode.c:2014
> Call Trace:
>  udf_setup_indirect_aext+0x573/0x880 fs/udf/inode.c:1980
>  udf_add_aext+0x208/0x2e0 fs/udf/inode.c:2067
>  udf_insert_aext fs/udf/inode.c:2233 [inline]
>  udf_update_extents fs/udf/inode.c:1181 [inline]
>  inode_getblk+0x1981/0x3b70 fs/udf/inode.c:885
> 
> Found by Linux Verification Center (linuxtesting.org) with syzkaller.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Vladislav Efanov <VEfanov@ispras.ru>
> ---
> v2: Do not clear bits related to Bitmap Descriptor logical blocks,
> but return -EFSCORRUPTED error instead.
>  fs/udf/balloc.c  | 24 ++++++++++++++++++++++++
>  fs/udf/udfdecl.h |  1 +
>  2 files changed, 25 insertions(+)

Thanks for the fix!

>  	bitmap->s_block_bitmap[bitmap_nr] = bh;
> +	/* Check consistency of Space Bitmap buffer. */
> +	if (bh) {
> +		max_bits_others = sb->s_blocksize * 8;
> +		max_bits_1st = max_bits_others - (sizeof(struct spaceBitmapDesc) << 3);
> +		rest_bits = (bitmap->s_nr_groups > max_bits_1st) ?
> +					bitmap->s_nr_groups - max_bits_1st : 0;
> +		if (!bitmap_nr)
> +			max_bits = min(max_bits_1st, bitmap->s_nr_groups);
> +		else if (bitmap_nr < rest_bits / max_bits_others + 1)
> +			max_bits = max_bits_others;

So this should be using DIV_ROUND_UP() instead of plain division and + 1
AFAICT. Anyway, I've somewhat simplified these conditions to make things a
bit more obvious and applied your patch. The result is attached for your
reference.

> +		else if (bitmap_nr == rest_bits / max_bits_others + 1)
> +			max_bits = rest_bits % max_bits_others;
> +		for (i = 0; i < max_bits; i++) {
> +			if (udf_test_bit(i + (bitmap_nr ? 0 :
> +				(sizeof(struct spaceBitmapDesc) << 3)),
> +				 bh->b_data))
> +				return -EFSCORRUPTED;
> +		}
> +	}


								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.