linux/fs/udf
Jan Kara a48fc69fe6 udf: Fix crash after seekdir
udf_readdir() didn't validate the directory position it should start
reading from. Thus when user uses lseek(2) on directory file descriptor
it can trick udf_readdir() into reading from a position in the middle of
directory entry which then upsets directory parsing code resulting in
errors or even possible kernel crashes. Similarly when the directory is
modified between two readdir calls, the directory position need not be
valid anymore.

Add code to validate current offset in the directory. This is actually
rather expensive for UDF as we need to read from the beginning of the
directory and parse all directory entries. This is because in UDF a
directory is just a stream of data containing directory entries and
since file names are fully under user's control we cannot depend on
detecting magic numbers and checksums in the header of directory entry
as a malicious attacker could fake them. We skip this step if we detect
that nothing changed since the last readdir call.

Reported-by: Nathan Wilson <nate@chickenbrittle.com>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
2021-11-09 12:53:58 +01:00
..
balloc.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
dir.c udf: Fix crash after seekdir 2021-11-09 12:53:58 +01:00
directory.c udf: Remove pointless union in udf_inode_info 2020-09-29 17:21:54 +02:00
ecma_167.h udf: Get rid of 0-length arrays in struct fileIdentDesc 2021-08-11 16:54:44 +02:00
file.c mm: require ->set_page_dirty to be explicitly wired up 2021-06-29 10:53:48 -07:00
ialloc.c inode: make init and permission helpers idmapped mount aware 2021-01-24 14:27:16 +01:00
inode.c udf: Get rid of 0-length arrays in struct fileIdentDesc 2021-08-11 16:54:44 +02:00
Kconfig docs: filesystems: fix renamed references 2020-04-20 15:45:22 -06:00
lowlevel.c udf: use sb_bdev_nr_blocks 2021-10-18 14:43:23 -06:00
Makefile treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
misc.c udf_get_extendedattr() had no boundary checks. 2021-08-23 13:35:19 +02:00
namei.c udf: Fix crash after seekdir 2021-11-09 12:53:58 +01:00
osta_udf.h udf: Get rid of 0-length arrays 2021-08-11 16:54:44 +02:00
partition.c udf: Remove pointless union in udf_inode_info 2020-09-29 17:21:54 +02:00
super.c udf: Fix crash after seekdir 2021-11-09 12:53:58 +01:00
symlink.c fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
truncate.c udf: Fix spelling in EXT_NEXT_EXTENT_ALLOCDESCS 2020-01-08 11:11:46 +01:00
udf_i.h udf: Remove pointless union in udf_inode_info 2020-09-29 17:21:54 +02:00
udf_sb.h udf: Fix iocharset=utf8 mount option 2021-08-12 16:07:09 +02:00
udfdecl.h udf: Get rid of 0-length arrays in struct fileIdentDesc 2021-08-11 16:54:44 +02:00
udfend.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
udftime.c udf: convert inode stamps to timespec64 2018-06-27 13:58:00 +02:00
unicode.c udf: Fix iocharset=utf8 mount option 2021-08-12 16:07:09 +02:00