[PATCH] udf: fix uninit-value use in udf_get_fileshortad

Gianfranco Trad posted 1 patch 1 year, 4 months ago
There is a newer version of this series
Syzbot reported a udf uninit-value use in udf_get_fileshortad[1].
The uninit-value use occurs when udf_get_fileshortad is called
with alen having a negative value and epos->offset being equal
to epos->bh->b_size. This check was inserted to mitigate
the uninit-value use. After applying the patch, the reproducer did
not trigger any issue[2].

[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
[2] https://syzkaller.appspot.com/x/log.txt?x=133ab69f980000

Reported-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
Tested-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
Signed-off-by: Gianfranco Trad <gianf.trad@gmail.com>
---
 fs/udf/inode.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 4726a4d014b6..d21665164779 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -2222,6 +2222,8 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos,
 
 	switch (iinfo->i_alloc_type) {
 	case ICBTAG_FLAG_AD_SHORT:
+		if (unlikely(alen < 0 && epos->offset == epos->bh->b_size))
+			return -1;
 		sad = udf_get_fileshortad(ptr, alen, &epos->offset, inc);
 		if (!sad)
 			return -1;
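Review bot: the new guard dereferences epos->bh unconditionally (`epos->offset == epos->bh->b_size`), and nothing in the hunk shows that epos->bh is non-NULL when udf_current_aext is entered; if the function can be reached with a NULL epos->bh, the check turns a previously safe path into a NULL pointer dereference. Either test epos->bh first or, better, drop the b_size comparison altogether: a negative alen is invalid no matter where epos->offset sits, so the narrow `alen < 0 && epos->offset == epos->bh->b_size` condition only papers over the one offset the reproducer happens to hit and still hands a negative length to udf_get_fileshortad() for every other offset. Rejecting alen at the point it is computed (with a udf_err() naming the corrupted extent length) would cover all of them, and it would also cover the other i_alloc_type cases that share this switch and the same alen, which the patch leaves unprotected. A one-line comment saying why alen can go negative (an on-disk length that does not fit) would help the next reader understand what this check is for.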
-- 
2.43.0
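The commit message says the bad access happens when a negative alen reaches udf_get_fileshortad() with epos->offset sitting exactly at the end of the buffer. The following is an added, stand-alone model of that failure mode; it is not code from the patch, from fs/udf or from the kernel, and the kernel's real udf_get_fileshortad() body is not shown on this page. The struct, the buffer layout and both bounds checks are assumptions made for illustration. The point it demonstrates is a general C pitfall: when a signed length is compared against a size_t expression, a negative length is converted to a huge unsigned value and the check cannot fail, so an offset at the block boundary is accepted and the descriptor is read from memory that was never filled in.

```c
/*
 * Added example (not from the patch or from fs/udf): a model of how a
 * negative descriptor-area length slips through a mixed signed/unsigned
 * bounds check. Every name here is an illustrative assumption.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 512u          /* stands in for epos->bh->b_size */

struct short_ad_model {          /* 8-byte descriptor, modelled on a short_ad */
    uint32_t extLength;
    uint32_t extPosition;
};

typedef const struct short_ad_model *
    (*getter_t)(const uint8_t *, int, uint32_t *, int);

/* Buggy model. `*offset + sizeof(*sa)` is size_t, so a negative maxoffset
 * (the kernel's alen) is converted to a huge unsigned value and the
 * comparison never rejects anything. */
static const struct short_ad_model *
get_ad_buggy(const uint8_t *ptr, int maxoffset, uint32_t *offset, int inc)
{
    const struct short_ad_model *sa;

    if (!ptr || !offset)
        return NULL;
    if (*offset + sizeof(*sa) > maxoffset)      /* int promoted to size_t */
        return NULL;
    sa = (const struct short_ad_model *)(ptr + *offset);
    if (inc)
        *offset += (uint32_t)sizeof(*sa);
    return sa;
}

/* Hardened model: reject a negative length before any arithmetic, then do
 * the range check in size_t in a form that cannot wrap. */
static const struct short_ad_model *
get_ad_fixed(const uint8_t *ptr, int maxoffset, uint32_t *offset, int inc)
{
    const struct short_ad_model *sa;
    size_t need = sizeof(*sa);

    if (!ptr || !offset || maxoffset < 0)
        return NULL;
    if ((size_t)maxoffset < need || *offset > (size_t)maxoffset - need)
        return NULL;
    sa = (const struct short_ad_model *)(ptr + *offset);
    if (inc)
        *offset += (uint32_t)need;
    return sa;
}

/* Constructed block: BLOCK_SIZE bytes of descriptor area followed by slack
 * that stands in for memory the fetch must never touch. Returns the byte
 * distance from the block start of the descriptor the getter hands back,
 * or -1 when the getter refuses. */
static long probe(getter_t get, int alen, uint32_t offset)
{
    static uint8_t block[BLOCK_SIZE + 64];
    const struct short_ad_model *sa;

    memset(block, 0, sizeof(block));
    sa = get(block, alen, &offset, 1);
    if (!sa)
        return -1;
    return (long)((const uint8_t *)sa - block);
}

/* The reported shape: alen negative, offset == b_size. The buggy getter
 * returns a descriptor starting at BLOCK_SIZE, i.e. past the block. */
long buggy_negative_len(void) { return probe(get_ad_buggy, -12, BLOCK_SIZE); }

/* Same input against the hardened getter: refused. */
long fixed_negative_len(void) { return probe(get_ad_fixed, -12, BLOCK_SIZE); }

/* Sanity check that the hardened getter still serves an in-range request. */
long fixed_in_range(void)
{
    return probe(get_ad_fixed, (int)BLOCK_SIZE, BLOCK_SIZE - 8);
}

int main(void)
{
    printf("buggy, alen<0, offset==b_size: %ld (>= %u means past the block)\n",
           buggy_negative_len(), BLOCK_SIZE);
    printf("fixed, alen<0, offset==b_size: %ld (-1 means rejected)\n",
           fixed_negative_len());
    printf("fixed, in range: %ld\n", fixed_in_range());
    return 0;
}
```

The hardened variant rejects the negative length outright rather than special-casing one offset, which is the difference between fixing the symptom the reproducer hits and fixing the class of inputs that produce it.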