Commit d747b31e authored Jan 03, 2023 by Jan Kara Committed by Greg Kroah-Hartman Mar 11, 2023

udf: Detect system inodes linked into directory hierarchy



commit 85a37983ec69cc9fcd188bc37c4de15ee326355a upstream.

When UDF filesystem is corrupted, hidden system inodes can be linked
into directory hierarchy which is an avenue for further serious
corruption of the filesystem and kernel confusion as noticed by syzbot
fuzzed images. Refuse to access system inodes linked into directory
hierarchy and vice versa.

CC: stable@vger.kernel.org
Reported-by:  <syzbot+38695a20b8addcbc1084@syzkaller.appspotmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent ce17ef97

fs/udf/inode.c

+6 −1

Original line number	Diff line number	Diff line
		@@ -1900,8 +1900,13 @@ struct inode __udf_iget(struct super_block sb, struct kernel_lb_addr *ino,
		if (!inode)
		return ERR_PTR(-ENOMEM);

		if (!(inode->i_state & I_NEW))
		if (!(inode->i_state & I_NEW)) {
		if (UDF_I(inode)->i_hidden != hidden_inode) {
		iput(inode);
		return ERR_PTR(-EFSCORRUPTED);
		}
		return inode;
		}

		memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr));
		err = udf_read_inode(inode, hidden_inode);