fs/udf/inode.c | 3 +++ 1 file changed, 3 insertions(+)
When parsing Allocation Extent Descriptor, lengthAllocDescs comes from
on-disk data and must be validated against the block size. Crafted or
corrupted images may set lengthAllocDescs so that the total descriptor
length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,
leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and
trigger a KASAN use-after-free read.
BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179
extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106
udf_release_file+0xc1/0x120 fs/udf/file.c:185
__fput+0x23f/0x880 fs/file_table.c:431
task_work_run+0x24f/0x310 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xa2f/0x28e0 kernel/exit.c:939
do_group_exit+0x207/0x2c0 kernel/exit.c:1088
__do_sys_exit_group kernel/exit.c:1099 [inline]
__se_sys_exit_group kernel/exit.c:1097 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Validate the computed total length against epos->bh->b_size.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Reported-by: syzbot+8743fca924afed42f93e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Larshin Sergey <Sergey.Larshin@kaspersky.com>
---
fs/udf/inode.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index f24aa98e6869..a79d73f28aa7 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -2272,6 +2272,9 @@ int udf_current_aext(struct inode *inode, struct extent_position *epos,
if (check_add_overflow(sizeof(struct allocExtDesc),
le32_to_cpu(header->lengthAllocDescs), &alen))
return -1;
+
+ if (alen > epos->bh->b_size)
+ return -1;
}
switch (iinfo->i_alloc_type) {
--
2.39.5On Mon 22-09-25 16:13:58, Larshin Sergey wrote:
> When parsing Allocation Extent Descriptor, lengthAllocDescs comes from
> on-disk data and must be validated against the block size. Crafted or
> corrupted images may set lengthAllocDescs so that the total descriptor
> length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,
> leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and
> trigger a KASAN use-after-free read.
>
> BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
> Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309
>
> CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:377 [inline]
> print_report+0x169/0x550 mm/kasan/report.c:488
> kasan_report+0x143/0x180 mm/kasan/report.c:601
> crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
> udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
> udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179
> extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
> udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106
> udf_release_file+0xc1/0x120 fs/udf/file.c:185
> __fput+0x23f/0x880 fs/file_table.c:431
> task_work_run+0x24f/0x310 kernel/task_work.c:239
> exit_task_work include/linux/task_work.h:43 [inline]
> do_exit+0xa2f/0x28e0 kernel/exit.c:939
> do_group_exit+0x207/0x2c0 kernel/exit.c:1088
> __do_sys_exit_group kernel/exit.c:1099 [inline]
> __se_sys_exit_group kernel/exit.c:1097 [inline]
> __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
> x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> </TASK>
>
> Validate the computed total length against epos->bh->b_size.
>
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
>
> Reported-by: syzbot+8743fca924afed42f93e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
>
> Signed-off-by: Larshin Sergey <Sergey.Larshin@kaspersky.com>
Thanks! I've added the patch to my tree.
Honza
> ---
> fs/udf/inode.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/udf/inode.c b/fs/udf/inode.c
> index f24aa98e6869..a79d73f28aa7 100644
> --- a/fs/udf/inode.c
> +++ b/fs/udf/inode.c
> @@ -2272,6 +2272,9 @@ int udf_current_aext(struct inode *inode, struct extent_position *epos,
> if (check_add_overflow(sizeof(struct allocExtDesc),
> le32_to_cpu(header->lengthAllocDescs), &alen))
> return -1;
> +
> + if (alen > epos->bh->b_size)
> + return -1;
> }
>
> switch (iinfo->i_alloc_type) {
> --
> 2.39.5
>
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
© 2016 - 2025 Red Hat, Inc.