[lvc-project] [PATCH] fs: udf: fix OOB read in lengthAllocDescs handling

Jan Kara jack at suse.cz
Mon Sep 22 16:35:45 MSK 2025 

On Mon 22-09-25 16:13:58, Larshin Sergey wrote:
> When parsing Allocation Extent Descriptor, lengthAllocDescs comes from
> on-disk data and must be validated against the block size. Crafted or
> corrupted images may set lengthAllocDescs so that the total descriptor
> length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,
> leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and
> trigger a KASAN use-after-free read.
> 
> BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
> Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309
> 
> CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:94 [inline]
>  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
>  print_address_description mm/kasan/report.c:377 [inline]
>  print_report+0x169/0x550 mm/kasan/report.c:488
>  kasan_report+0x143/0x180 mm/kasan/report.c:601
>  crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
>  udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
>  udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179
>  extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
>  udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106
>  udf_release_file+0xc1/0x120 fs/udf/file.c:185
>  __fput+0x23f/0x880 fs/file_table.c:431
>  task_work_run+0x24f/0x310 kernel/task_work.c:239
>  exit_task_work include/linux/task_work.h:43 [inline]
>  do_exit+0xa2f/0x28e0 kernel/exit.c:939
>  do_group_exit+0x207/0x2c0 kernel/exit.c:1088
>  __do_sys_exit_group kernel/exit.c:1099 [inline]
>  __se_sys_exit_group kernel/exit.c:1097 [inline]
>  __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
>  x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>  </TASK>
> 
> Validate the computed total length against epos->bh->b_size.
> 
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
> 
> Reported-by: syzbot+8743fca924afed42f93e at syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable at vger.kernel.org
> 
> Signed-off-by: Larshin Sergey <Sergey.Larshin at kaspersky.com>

Thanks! I've added the patch to my tree.

								Honza

> ---
>  fs/udf/inode.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/fs/udf/inode.c b/fs/udf/inode.c
> index f24aa98e6869..a79d73f28aa7 100644
> --- a/fs/udf/inode.c
> +++ b/fs/udf/inode.c
> @@ -2272,6 +2272,9 @@ int udf_current_aext(struct inode *inode, struct extent_position *epos,
>  		if (check_add_overflow(sizeof(struct allocExtDesc),
>  				le32_to_cpu(header->lengthAllocDescs), &alen))
>  			return -1;
> +
> +		if (alen > epos->bh->b_size)
> +			return -1;
>  	}
>  
>  	switch (iinfo->i_alloc_type) {
> -- 
> 2.39.5
> 
-- 
Jan Kara <jack at suse.com>
SUSE Labs, CR

More information about the lvc-project mailing list