1. Patchew
  2. linux
  3. View series

[PATCH] udf: balloc: prevent integer overflow in udf_bitmap_free_blocks()

Roman Smirnov posted 1 patch 1 year, 8 months ago
There is a newer version of this series
fs/udf/balloc.c | 7 +++++++
1 file changed, 7 insertions(+)
[PATCH] udf: balloc: prevent integer overflow in udf_bitmap_free_blocks()
Posted by Roman Smirnov 1 year, 8 months ago 
An overflow may occur if the function is called with the last
block and an offset greater than zero. It is necessary to add
a check to avoid this.

Found by Linux Verification Center (linuxtesting.org) with Svace.

Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
---
 fs/udf/balloc.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c
index ab3ffc355949..cd83bbc7d890 100644
--- a/fs/udf/balloc.c
+++ b/fs/udf/balloc.c
@@ -151,6 +151,13 @@ static void udf_bitmap_free_blocks(struct super_block *sb,
 	block = bloc->logicalBlockNum + offset +
 		(sizeof(struct spaceBitmapDesc) << 3);
 
+	if (block < offset + (sizeof(struct spaceBitmapDesc) << 3)) {
+		udf_debug("integer overflow: %u + %u + %zu",
+			  bloc->logicalBlockNum, offset,
+			  sizeof(struct spaceBitmapDesc) << 3);
+		goto error_return;
+	}
+
 	do {
 		overflow = 0;
 		block_group = block >> (sb->s_blocksize_bits + 3);
-- 
2.34.1
Re: [PATCH] udf: balloc: prevent integer overflow in udf_bitmap_free_blocks()
Posted by Jan Kara 1 year, 8 months ago 
On Mon 10-06-24 10:25:22, Roman Smirnov wrote:
> An overflow may occur if the function is called with the last
> block and an offset greater than zero. It is necessary to add
> a check to avoid this.
> 
> Found by Linux Verification Center (linuxtesting.org) with Svace.
> 
> Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>

Thanks for the patch! Actually there are overflow checks just a few lines
above the place you modify:

        if (bloc->logicalBlockNum + count < count ||
            (bloc->logicalBlockNum + count) > partmap->s_partition_len) {

So please update those to take 'offset' into account instead. Also please
use check_add_overflow() for the integer overflow check.

								Honza

> ---
>  fs/udf/balloc.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c
> index ab3ffc355949..cd83bbc7d890 100644
> --- a/fs/udf/balloc.c
> +++ b/fs/udf/balloc.c
> @@ -151,6 +151,13 @@ static void udf_bitmap_free_blocks(struct super_block *sb,
>  	block = bloc->logicalBlockNum + offset +
>  		(sizeof(struct spaceBitmapDesc) << 3);
>  
> +	if (block < offset + (sizeof(struct spaceBitmapDesc) << 3)) {
> +		udf_debug("integer overflow: %u + %u + %zu",
> +			  bloc->logicalBlockNum, offset,
> +			  sizeof(struct spaceBitmapDesc) << 3);
> +		goto error_return;
> +	}
> +
>  	do {
>  		overflow = 0;
>  		block_group = block >> (sb->s_blocksize_bits + 3);
> -- 
> 2.34.1
> 
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR
Re: [PATCH] udf: balloc: prevent integer overflow in udf_bitmap_free_blocks()
Posted by Sergey Shtylyov 1 year, 8 months ago 
On 6/10/24 10:25 AM, Roman Smirnov wrote:

> An overflow may occur if the function is called with the last
> block and an offset greater than zero. It is necessary to add
> a check to avoid this.
> 
> Found by Linux Verification Center (linuxtesting.org) with Svace.
> 
> Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
> ---
>  fs/udf/balloc.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c
> index ab3ffc355949..cd83bbc7d890 100644
> --- a/fs/udf/balloc.c
> +++ b/fs/udf/balloc.c
> @@ -151,6 +151,13 @@ static void udf_bitmap_free_blocks(struct super_block *sb,
>  	block = bloc->logicalBlockNum + offset +
>  		(sizeof(struct spaceBitmapDesc) << 3);

   Hm, I can't say I understand this code well... Is the block variable here
counted in blocks or bytes?

>  

   As I've already said, we hardly need an empty line here -- just
don't add an empty line after your *if*...

> +	if (block < offset + (sizeof(struct spaceBitmapDesc) << 3)) {

   Thinking about this again, this addition may overflow 32 bits as well,
so it's better to compare with block with bloc->logicalBlockNum...

[...]

MBR, Sergey
Re: [PATCH] udf: balloc: prevent integer overflow in udf_bitmap_free_blocks()
Posted by Sergey Shtylyov 1 year, 8 months ago 
On 6/10/24 10:25 AM, Roman Smirnov wrote:

> An overflow may occur if the function is called with the last
> block and an offset greater than zero. It is necessary to add
> a check to avoid this.
> 
> Found by Linux Verification Center (linuxtesting.org) with Svace.
> 
> Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
> ---
>  fs/udf/balloc.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c
> index ab3ffc355949..cd83bbc7d890 100644
> --- a/fs/udf/balloc.c
> +++ b/fs/udf/balloc.c
> @@ -151,6 +151,13 @@ static void udf_bitmap_free_blocks(struct super_block *sb,
>  	block = bloc->logicalBlockNum + offset +
>  		(sizeof(struct spaceBitmapDesc) << 3);

   Hm, I can't say I understand this code well... Is the block variable here
counted in blocks or bytes?

>  

   As I've already said, we hardly need an empty line here -- just
don't add an empty line after your *if*...

> +	if (block < offset + (sizeof(struct spaceBitmapDesc) << 3)) {

   Thinking about this again, this addition may overflow 32 bits as well,
so it's better to compare block with bloc->logicalBlockNum...

[...]

MBR, Sergey

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.