1. Patchew
  2. linux
  3. View series

[PATCH] udf: validate free block extents against the partition length

Michael Bommarito posted 1 patch 1 week, 2 days ago 
fs/udf/balloc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
[PATCH] udf: validate free block extents against the partition length
Posted by Michael Bommarito 1 week, 2 days ago 
udf_free_blocks() checks the logical block number and count against the
partition length, but drops the extent offset from that final bound.  A
crafted extent can pass the guard while logicalBlockNum + offset + count
points past the partition, which later indexes past the space bitmap
array.

A single ftruncate(2) on a file backed by such an extent reliably
panics the kernel.  This is a local availability issue.  On desktop
systems where UDisks/polkit allows the active user to mount removable
UDF media without CAP_SYS_ADMIN, an unprivileged local user can supply
the crafted filesystem and trigger the panic by truncating a writable
file on it.  Systems that require root or CAP_SYS_ADMIN to mount the
image have a higher prerequisite.

No confidentiality or integrity impact is claimed: the reproduced
primitive is an out-of-bounds read of a bitmap pointer slot followed by
a kernel panic.

Use the already computed logicalBlockNum + offset + count value for the
partition length check.  Also make load_block_bitmap() reject an
out-of-range block group before indexing s_block_bitmap[], so corrupted
callers cannot walk past the flexible array.

Fixes: 56e69e59751d ("udf: prevent integer overflow in udf_bitmap_free_blocks()")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---
 fs/udf/balloc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c
index 807c493ed0cd..cc6dc6e1d84d 100644
--- a/fs/udf/balloc.c
+++ b/fs/udf/balloc.c
@@ -82,8 +82,9 @@ static int load_block_bitmap(struct super_block *sb,
 	int nr_groups = bitmap->s_nr_groups;
 
 	if (block_group >= nr_groups) {
-		udf_debug("block_group (%u) > nr_groups (%d)\n",
+		udf_debug("block_group (%u) >= nr_groups (%d)\n",
 			  block_group, nr_groups);
+		return -EFSCORRUPTED;
 	}
 
 	if (bitmap->s_block_bitmap[block_group]) {
@@ -662,7 +663,7 @@ void udf_free_blocks(struct super_block *sb, struct inode *inode,
 
 	if (check_add_overflow(bloc->logicalBlockNum, offset, &blk) ||
 	    check_add_overflow(blk, count, &blk) ||
-	    bloc->logicalBlockNum + count > map->s_partition_len) {
+	    blk > map->s_partition_len) {
 		udf_debug("Invalid request to free blocks: (%d, %u), off %u, "
 			  "len %u, partition len %u\n",
 			  partition, bloc->logicalBlockNum, offset, count,
-- 
2.53.0
Re: [PATCH] udf: validate free block extents against the partition length
Posted by Jan Kara 6 days, 22 hours ago 
On Fri 15-05-26 10:23:27, Michael Bommarito wrote:
> udf_free_blocks() checks the logical block number and count against the
> partition length, but drops the extent offset from that final bound.  A
> crafted extent can pass the guard while logicalBlockNum + offset + count
> points past the partition, which later indexes past the space bitmap
> array.
> 
> A single ftruncate(2) on a file backed by such an extent reliably
> panics the kernel.  This is a local availability issue.  On desktop
> systems where UDisks/polkit allows the active user to mount removable
> UDF media without CAP_SYS_ADMIN, an unprivileged local user can supply
> the crafted filesystem and trigger the panic by truncating a writable
> file on it.  Systems that require root or CAP_SYS_ADMIN to mount the
> image have a higher prerequisite.
> 
> No confidentiality or integrity impact is claimed: the reproduced
> primitive is an out-of-bounds read of a bitmap pointer slot followed by
> a kernel panic.
> 
> Use the already computed logicalBlockNum + offset + count value for the
> partition length check.  Also make load_block_bitmap() reject an
> out-of-range block group before indexing s_block_bitmap[], so corrupted
> callers cannot walk past the flexible array.
> 
> Fixes: 56e69e59751d ("udf: prevent integer overflow in udf_bitmap_free_blocks()")
> Cc: stable@vger.kernel.org
> Assisted-by: Claude:claude-opus-4-7
> Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>

Thanks! I've added the patch to my tree.

								Honza

> ---
>  fs/udf/balloc.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c
> index 807c493ed0cd..cc6dc6e1d84d 100644
> --- a/fs/udf/balloc.c
> +++ b/fs/udf/balloc.c
> @@ -82,8 +82,9 @@ static int load_block_bitmap(struct super_block *sb,
>  	int nr_groups = bitmap->s_nr_groups;
>  
>  	if (block_group >= nr_groups) {
> -		udf_debug("block_group (%u) > nr_groups (%d)\n",
> +		udf_debug("block_group (%u) >= nr_groups (%d)\n",
>  			  block_group, nr_groups);
> +		return -EFSCORRUPTED;
>  	}
>  
>  	if (bitmap->s_block_bitmap[block_group]) {
> @@ -662,7 +663,7 @@ void udf_free_blocks(struct super_block *sb, struct inode *inode,
>  
>  	if (check_add_overflow(bloc->logicalBlockNum, offset, &blk) ||
>  	    check_add_overflow(blk, count, &blk) ||
> -	    bloc->logicalBlockNum + count > map->s_partition_len) {
> +	    blk > map->s_partition_len) {
>  		udf_debug("Invalid request to free blocks: (%d, %u), off %u, "
>  			  "len %u, partition len %u\n",
>  			  partition, bloc->logicalBlockNum, offset, count,
> -- 
> 2.53.0
> 
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.