diff mbox series

[2/2] udf:check if buffer head's data when getting lvidiu

Message ID 20230613032254.1235752-3-haowenchao2@huawei.com
State New
Headers
Series Fix out-of-bound access if pagecache of udf device is corrupted |

Commit Message

Wenchao Hao June 13, 2023, 3:22 a.m. UTC 
  We can not always assume udf_sb_info->s_lvid_bh's data is valid. If the
data is corrupted, we would get an incorrect offset and cause the
following code access an illegal address.

Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
---
 fs/udf/super.c | 2 ++
 1 file changed, 2 insertions(+)
diff mbox series

Patch

diff --git a/fs/udf/super.c b/fs/udf/super.c
index 6304e3c5c3d9..71481b60c871 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -114,6 +114,8 @@  struct logicalVolIntegrityDescImpUse *udf_sb_lvidiu(struct super_block *sb)
 
 	if (!UDF_SB(sb)->s_lvid_bh)
 		return NULL;
+	if (!udf_check_tagged_bh(sb, UDF_SB(sb)->s_lvid_bh))
+		return NULL;
 	lvid = (struct logicalVolIntegrityDesc *)UDF_SB(sb)->s_lvid_bh->b_data;
 	partnum = le32_to_cpu(lvid->numOfPartitions);
 	/* The offset is to skip freeSpaceTable and sizeTable arrays */