[lvc-project] [PATCH v2] udf: balloc: prevent integer overflow in udf_bitmap_free_blocks()

Jan Kara jack at suse.cz
Thu Jun 20 16:35:46 MSK 2024


On Thu 20-06-24 10:24:13, Roman Smirnov wrote:
> An overflow may occur if the function is called with the last
> block and an offset greater than zero. It is necessary to add
> a check to avoid this.
> 
> Overflow is also possible when we sum offset and
> sizeof(struct spaceBitmapDesc) << 3. For this reason it
> is necessary to check overflow of this too. The result is
> stored in total_offset.
> 
> Found by Linux Verification Center (linuxtesting.org) with Svace.
> 
> Suggested-by: Jan Kara <jack at suse.com>
> Signed-off-by: Roman Smirnov <r.smirnov at omp.ru>

Thanks for the patch. In the end I've noticed that unalloc table block
freeing has the same overflow checks and I've decided to move bitmap offset
overflow verification into mount code (so that any bitmap offset for a
block within a partition cannot overflow u32). The resulting patches are
attached for reference and I've queued them in my tree.

								Honza
-- 
Jan Kara <jack at suse.com>
SUSE Labs, CR
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-udf-prevent-integer-overflow-in-udf_bitmap_free_bloc.patch
Type: text/x-patch
Size: 3603 bytes
Desc: not available
URL: <http://linuxtesting.org/pipermail/lvc-project/attachments/20240620/bb5b07bf/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-udf-Avoid-excessive-partition-lengths.patch
Type: text/x-patch
Size: 2090 bytes
Desc: not available
URL: <http://linuxtesting.org/pipermail/lvc-project/attachments/20240620/bb5b07bf/attachment-0001.bin>
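The two wrap-arounds described in the quoted commit message (the last block plus a non-zero offset, and offset + (sizeof(struct spaceBitmapDesc) << 3)), together with the mount-time idea in Jan's reply, as an added C example. This is not the kernel's udf_bitmap_free_blocks() and not either attached patch: the struct stub, the function names checked_bitmap_bit() and partition_len_fits_u32_bitmap(), the status codes and the partition-length bound are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for the on-disk space bitmap descriptor header
 * (struct spaceBitmapDesc in the mail); only its size feeds the arithmetic. */
struct space_bitmap_desc_stub {
    uint8_t  desc_tag[16];
    uint32_t num_of_bits;
    uint32_t num_of_bytes;
};

/* Header bits that precede the first usable bit: sizeof(...) << 3 (192 here). */
#define BITMAP_HEADER_BITS ((uint32_t)(sizeof(struct space_bitmap_desc_stub) << 3))

enum bitmap_pos_status {
    BITMAP_POS_OK = 0,
    BITMAP_POS_OVERFLOW = -1,      /* u32 arithmetic would wrap */
    BITMAP_POS_OUT_OF_RANGE = -2   /* range extends past the partition */
};

/* Checked version of the bit-index arithmetic the mail says can overflow.
 * Hypothetical helper: lblock is the partition-relative block, offset/count
 * the range being freed, partition_len the partition size in blocks.
 * On success the absolute bit index is stored in *bit_out. */
int checked_bitmap_bit(uint32_t lblock, uint32_t offset, uint32_t count,
                       uint32_t partition_len, uint32_t *bit_out)
{
    uint32_t block, total_offset;

    /* Check 1: lblock + offset wraps when lblock is the last block and
     * offset is non-zero (the first case in the mail). */
    if (offset > UINT32_MAX - lblock)
        return BITMAP_POS_OVERFLOW;
    block = lblock + offset;

    /* The freed range must lie inside the partition, written so that
     * block + count is never computed unchecked. */
    if (count > partition_len || block > partition_len - count)
        return BITMAP_POS_OUT_OF_RANGE;

    /* Check 2: offset + header bits wraps too (the second case); the
     * result is kept in total_offset as the mail describes. */
    if (offset > UINT32_MAX - BITMAP_HEADER_BITS)
        return BITMAP_POS_OVERFLOW;
    total_offset = offset + BITMAP_HEADER_BITS;

    /* Check 3: lblock + total_offset can still wrap even though checks 1
     * and 2 passed, when the partition runs close to the u32 limit. */
    if (total_offset > UINT32_MAX - lblock)
        return BITMAP_POS_OVERFLOW;

    *bit_out = lblock + total_offset;
    return BITMAP_POS_OK;
}

/* Mount-time alternative in the spirit of Jan's reply: if the partition is
 * short enough that every block's bit index fits in u32, check 3 above can
 * never fail at free time. Assumed bound, not the queued patch's own. */
int partition_len_fits_u32_bitmap(uint32_t partition_len)
{
    return partition_len <= UINT32_MAX - BITMAP_HEADER_BITS;
}

int main(void)
{
    /* Constructed inputs: a normal free, the last-block case, and a
     * partition so close to the u32 limit that only the final sum wraps. */
    uint32_t bit = 0;
    int rc = checked_bitmap_bit(100, 5, 1, 1000, &bit);
    printf("normal free: rc=%d bit=%u\n", rc, bit);
    rc = checked_bitmap_bit(UINT32_MAX, 1, 1, UINT32_MAX, &bit);
    printf("last block + offset 1: rc=%d\n", rc);
    rc = checked_bitmap_bit(UINT32_MAX - 10, 0, 1, UINT32_MAX, &bit);
    printf("block near u32 limit: rc=%d\n", rc);
    printf("1000-block partition fits: %d\n", partition_len_fits_u32_bitmap(1000));
    printf("UINT32_MAX-block partition fits: %d\n",
           partition_len_fits_u32_bitmap(UINT32_MAX));
    return 0;
}
```

Check 3 is the one a free-time fix alone tends to miss: both operands were individually validated, yet their sum can still exceed u32 when the partition length is near the limit, which is why rejecting such partition lengths at mount time removes the whole class of wrap-arounds rather than one call site.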