From patchwork Tue Jun 13 03:22:53 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Wenchao Hao X-Patchwork-Id: 106641 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp2635147vqr; Mon, 12 Jun 2023 07:39:16 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4oLKCFFRBnX5syO93FXC4wHVjQYzvcqCEinpqIMpBny+afz15TUn99hzYTI0Qf5HaRFlko X-Received: by 2002:a17:907:e8a:b0:977:c5b1:974b with SMTP id ho10-20020a1709070e8a00b00977c5b1974bmr10547333ejc.34.1686580756595; Mon, 12 Jun 2023 07:39:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1686580756; cv=none; d=google.com; s=arc-20160816; b=za6GxvtLUbjbz0ph+4mcicnlGgmmgce4GO1nbikiRJV4FW0ow+b11By2lOfuTi78JU EL45MQavW8qD+OD14lodmGvowFYySq9fKzRkJ+HvlcftVJdZxInJUEbJQXJqrCWf6Gyy 5PPy8XjXRowxbUfwGWKzU7NufGRAy9APEy0X1JDRF5xJ6twFUFisN0ea8jQSNja2IWsE oeeUP9kh4ylJuJzV9jnEjrMS6xsdki6e7BQ/H2V17cIbJRmXrvg/ydphdTpiLExf5xzu IsrsfErkgCcKGvpppoH/AOByQE6itBNtJRett9Fk5UF5rArfFf1/LFe7mi/hrKAboqBd wlDQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=3mDE8bK7CaVyfQLe1vWaLKWYmaXjFZ259walPwcUoRo=; b=VHoKEml+46a7zspSvIqXBMNfs5eYKVgzveusVYWfxJ6vEZ5Jvrs7KQ+r+VmjNIj2c4 44ZaAuqwIQn1r1okmlVWRVMxpI9h1G0PHrLjiv0eW9s9bPEs1hi0eBAR/1vcJuv0UVP9 rSTYe6Dbxki9rvikogaDyoTaUigfxik33UqjeuO7LrJvpeQpXP4qSx7MSSxPjcgPlLNj zn9PypI4ZdnUmPasuKu4HKjnAdSYaLyhxgHad9CL/pxHMnjuYQHF9Xa9hcxR7a58SJyy L3sWJGve6pXNS167tioH05QJ8Nrvcqj4mWzuz0B+rOy3mYoD+0k1qo/d2yM+qvsWcPjM wr6Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id qc6-20020a170906d8a600b009787f2afa2csi5333308ejb.197.2023.06.12.07.38.51; Mon, 12 Jun 2023 07:39:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236652AbjFLOBN (ORCPT + 99 others); Mon, 12 Jun 2023 10:01:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47098 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236219AbjFLOA5 (ORCPT ); Mon, 12 Jun 2023 10:00:57 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B59D310D9 for ; Mon, 12 Jun 2023 07:00:54 -0700 (PDT) Received: from kwepemm600012.china.huawei.com (unknown [172.30.72.55]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4QftYR4Th3zLqLh; Mon, 12 Jun 2023 21:57:47 +0800 (CST) Received: from build.huawei.com (10.175.101.6) by kwepemm600012.china.huawei.com (7.193.23.74) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23; Mon, 12 Jun 2023 22:00:51 +0800 From: Wenchao Hao To: Jan Kara , CC: , Wenchao Hao Subject: [PATCH 1/2] udf: add helper function udf_check_tagged_bh to check tagged page Date: Tue, 13 Jun 2023 11:22:53 +0800 Message-ID: <20230613032254.1235752-2-haowenchao2@huawei.com> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20230613032254.1235752-1-haowenchao2@huawei.com> References: <20230613032254.1235752-1-haowenchao2@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.175.101.6] X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To kwepemm600012.china.huawei.com (7.193.23.74) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-1.0 required=5.0 tests=BAYES_00,DATE_IN_FUTURE_12_24, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1768508103832594490?= X-GMAIL-MSGID: =?utf-8?q?1768508103832594490?= This helper function is used to check if a buffer head's data is valid and would be called in future. Signed-off-by: Wenchao Hao --- fs/udf/misc.c | 60 ++++++++++++++++++++++++++++-------------------- fs/udf/udfdecl.h | 1 + 2 files changed, 36 insertions(+), 25 deletions(-) diff --git a/fs/udf/misc.c b/fs/udf/misc.c index 3777468d06ce..b20b53fc8d41 100644 --- a/fs/udf/misc.c +++ b/fs/udf/misc.c @@ -179,6 +179,40 @@ struct genericFormat *udf_get_extendedattr(struct inode *inode, uint32_t type, return NULL; } +bool udf_check_tagged_bh(struct super_block *sb, struct buffer_head *bh) +{ + u8 checksum; + struct tag *tag_p = (struct tag *)(bh->b_data); + + /* Verify the tag checksum */ + checksum = udf_tag_checksum(tag_p); + if (checksum != tag_p->tagChecksum) { + udf_err(sb, "tag checksum failed, block %llu: 0x%02x != 0x%02x\n", + bh->b_blocknr, checksum, tag_p->tagChecksum); + return false; + } + + /* Verify the tag version */ + if (tag_p->descVersion != cpu_to_le16(0x0002U) && + tag_p->descVersion != cpu_to_le16(0x0003U)) { + udf_err(sb, "tag version 0x%04x != 0x0002 || 0x0003, block %llu\n", + le16_to_cpu(tag_p->descVersion), bh->b_blocknr); + return false; + } + + /* Verify the descriptor CRC */ + if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize || + le16_to_cpu(tag_p->descCRC) == crc_itu_t(0, + bh->b_data + sizeof(struct tag), + le16_to_cpu(tag_p->descCRCLength))) + return true; + + udf_debug("Crc failure block %llu: crc = %u, crclen = %u\n", bh->b_blocknr, + le16_to_cpu(tag_p->descCRC), + le16_to_cpu(tag_p->descCRCLength)); + return false; +} + /* * udf_read_tagged * @@ -194,7 +228,6 @@ struct buffer_head *udf_read_tagged(struct super_block *sb, uint32_t block, { struct tag *tag_p; struct buffer_head *bh = NULL; - u8 checksum; /* Read the block */ if (block == 0xFFFFFFFF) @@ -217,32 +250,9 @@ struct buffer_head *udf_read_tagged(struct super_block *sb, uint32_t block, goto error_out; } - /* Verify the tag checksum */ - checksum = udf_tag_checksum(tag_p); - if (checksum != tag_p->tagChecksum) { - udf_err(sb, "tag checksum failed, block %u: 0x%02x != 0x%02x\n", - block, checksum, tag_p->tagChecksum); - goto error_out; - } - - /* Verify the tag version */ - if (tag_p->descVersion != cpu_to_le16(0x0002U) && - tag_p->descVersion != cpu_to_le16(0x0003U)) { - udf_err(sb, "tag version 0x%04x != 0x0002 || 0x0003, block %u\n", - le16_to_cpu(tag_p->descVersion), block); - goto error_out; - } - - /* Verify the descriptor CRC */ - if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize || - le16_to_cpu(tag_p->descCRC) == crc_itu_t(0, - bh->b_data + sizeof(struct tag), - le16_to_cpu(tag_p->descCRCLength))) + if (udf_check_tagged_bh(sb, bh)) return bh; - udf_debug("Crc failure block %u: crc = %u, crclen = %u\n", block, - le16_to_cpu(tag_p->descCRC), - le16_to_cpu(tag_p->descCRCLength)); error_out: brelse(bh); return NULL; diff --git a/fs/udf/udfdecl.h b/fs/udf/udfdecl.h index 88692512a466..fb269752b9c6 100644 --- a/fs/udf/udfdecl.h +++ b/fs/udf/udfdecl.h @@ -180,6 +180,7 @@ extern struct genericFormat *udf_add_extendedattr(struct inode *, uint32_t, uint32_t, uint8_t); extern struct genericFormat *udf_get_extendedattr(struct inode *, uint32_t, uint8_t); +extern bool udf_check_tagged_bh(struct super_block *sb, struct buffer_head *bh); extern struct buffer_head *udf_read_tagged(struct super_block *, uint32_t, uint32_t, uint16_t *); extern struct buffer_head *udf_read_ptagged(struct super_block *, From patchwork Tue Jun 13 03:22:54 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Wenchao Hao X-Patchwork-Id: 106604 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp2617326vqr; Mon, 12 Jun 2023 07:11:34 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5UGbh2ayZ/enIz+Rqz1STE2Hl5/StFMnuVK6idvufeXAZN2VyUHRDcmZxrGFMnO5H2zhXE X-Received: by 2002:a05:6a00:3a28:b0:643:b653:3aa with SMTP id fj40-20020a056a003a2800b00643b65303aamr9542263pfb.32.1686579093856; Mon, 12 Jun 2023 07:11:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1686579093; cv=none; d=google.com; s=arc-20160816; b=W1gjQQxhrXiw85PdZYeF0+tILA++pr9/yYK5XTW5o/m190nZlZa6aGY03cW59P/mHf kxM6Aoi9aKl2sf5uqbywDg/t2OOiGo7nC/bCrBhixwKsHOuFnhitmwOPLOY16kpKh0P+ q1UvjR96QL/ihSxwdETu15+OHdQjycE0QXqS4R6ghagbUMDLnI3Rwh+OP6lJNY/rRc4g s/U7cXrBaOudylIGzGzXIUggZwzQavOxUxXUEUKrk0iF/S9lFJEtoHA+XTCmFtN66Wv9 X5p0iL1vDJxxLpF93NlQVIszo8/6JdO2eTe9kWIHzGPpVAhrGZPZZxiLSXfGfJvmuuyM BGrA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=dsXBeIKmiuqk2B6ZSL3uQsgcMPef5MttmsFYHwb3vi8=; b=UGCeClyzDUGNEzIPo0uq+Fh4SyGaNl1EjDjwfnGEG/tr/w8mrwDxFCs2meODkDlDII Xwt+MlGBiuEVFFbli40sjBVh3MXNv/4B+jFjoF66ALexS4SHB+RycAAbmswSq/apOTXR 8TKfaiRzy5Vl0AXKAs0s/CvspTuh3L88qdQpZ9NHUdH8B2iyLXP9G85WADLwOhKkDHoM SCHMzdQdJpncuvG0F656AEJcAK8nML3YbfmpxyKzx4yXVdSkWhDZJ1NNuJh3/zthkOgm mr1NaZehC4ODBZHl28xxNKVUpyUzNfN2ZQJLZtRasKSr0nodeZ2AQKBT/oMEbSMXdNJD x11g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d7-20020aa797a7000000b00643c4d0d0f5si6954440pfq.39.2023.06.12.07.11.19; Mon, 12 Jun 2023 07:11:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236758AbjFLOBI (ORCPT + 99 others); Mon, 12 Jun 2023 10:01:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47090 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236177AbjFLOA5 (ORCPT ); Mon, 12 Jun 2023 10:00:57 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B603310E6 for ; Mon, 12 Jun 2023 07:00:54 -0700 (PDT) Received: from kwepemm600012.china.huawei.com (unknown [172.30.72.53]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4QftcS0cSHzTl2s; Mon, 12 Jun 2023 22:00:24 +0800 (CST) Received: from build.huawei.com (10.175.101.6) by kwepemm600012.china.huawei.com (7.193.23.74) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23; Mon, 12 Jun 2023 22:00:51 +0800 From: Wenchao Hao To: Jan Kara , CC: , Wenchao Hao Subject: [PATCH 2/2] udf:check if buffer head's data when getting lvidiu Date: Tue, 13 Jun 2023 11:22:54 +0800 Message-ID: <20230613032254.1235752-3-haowenchao2@huawei.com> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20230613032254.1235752-1-haowenchao2@huawei.com> References: <20230613032254.1235752-1-haowenchao2@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.175.101.6] X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To kwepemm600012.china.huawei.com (7.193.23.74) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-1.0 required=5.0 tests=BAYES_00,DATE_IN_FUTURE_12_24, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1768506359990317348?= X-GMAIL-MSGID: =?utf-8?q?1768506359990317348?= We can not always assume udf_sb_info->s_lvid_bh's data is valid. If the data is corrupted, we would get an incorrect offset and cause the following code access an illegal address. Signed-off-by: Wenchao Hao --- fs/udf/super.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/udf/super.c b/fs/udf/super.c index 6304e3c5c3d9..71481b60c871 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c @@ -114,6 +114,8 @@ struct logicalVolIntegrityDescImpUse *udf_sb_lvidiu(struct super_block *sb) if (!UDF_SB(sb)->s_lvid_bh) return NULL; + if (!udf_check_tagged_bh(sb, UDF_SB(sb)->s_lvid_bh)) + return NULL; lvid = (struct logicalVolIntegrityDesc *)UDF_SB(sb)->s_lvid_bh->b_data; partnum = le32_to_cpu(lvid->numOfPartitions); /* The offset is to skip freeSpaceTable and sizeTable arrays */