[3.16.y-ckt stable] Patch "udf: Verify i_size when loading inode" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Wed Jan 7 12:19:23 UTC 2015


On Wed, Jan 07, 2015 at 10:32:44AM +0000, Luis Henriques wrote:
> This is a note to let you know that I have just added a patch titled
> 
>     udf: Verify i_size when loading inode
> 
> to the linux-3.16.y-queue branch of the 3.16.y-ckt extended stable tree 
> which can be found at:
> 
>  http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.16.y-queue
> 
> This patch is scheduled to be released in version 3.16.7-ckt4.
> 
> If you, or anyone else, feels it should not be added to this tree, please 
> reply to this email.
> 
> For more information about the 3.16.y-ckt tree, see
> https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
> 
> Thanks.
> -Luis
> 
> ------
> 
> From edd21866e3a0f68561878915f21bb2f92325af75 Mon Sep 17 00:00:00 2001
> From: Jan Kara <jack at suse.cz>
> Date: Fri, 19 Dec 2014 12:03:53 +0100
> Subject: udf: Verify i_size when loading inode
> 
> commit e159332b9af4b04d882dbcfe1bb0117f0a6d4b58 upstream.
>

Actually, since the 3.16 kernel is missing commit 6d3d5e860a11 ("udf:
Make udf_read_inode() and udf_iget() return error"), this commit can't
be simply cherry-picked.

Do you think the backport below is acceptable, or would you recommend
just dropping it?

Cheers,
--
Luís

From d15bd4d875fb9cf9f05573eb9fa31bfce93263f3 Mon Sep 17 00:00:00 2001
From: Jan Kara <jack at suse.cz>
Date: Fri, 19 Dec 2014 12:03:53 +0100
Subject: [PATCH] udf: Verify i_size when loading inode

commit e159332b9af4b04d882dbcfe1bb0117f0a6d4b58 upstream.

Verify that inode size is sane when loading inode with data stored in
ICB. Otherwise we may get confused later when working with the inode and
inode size is too big.

Reported-by: Carl Henrik Lunde <chlunde at ping.uio.no>
Signed-off-by: Jan Kara <jack at suse.cz>
[ luis: backported to 3.16:
  - Adjusted exit paths as commit 6d3d5e860a11 ("udf: Make udf_read_inode()
    and udf_iget() return error") is not present in 3.16 kernel ]
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 fs/udf/inode.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index a932f7740b51..bf08a9fbb97e 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1496,6 +1496,24 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
 		iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint);
 	}
 
+	/* Sanity checks for files in ICB so that we don't get confused later */
+	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
+		/*
+		 * For file in ICB data is stored in allocation descriptor
+		 * so sizes should match
+		 */
+		if (iinfo->i_lenAlloc != inode->i_size) {
+			make_bad_inode(inode);
+			return;
+		}
+		/* File in ICB has to fit in there... */
+		if (inode->i_size > inode->i_sb->s_blocksize -
+					udf_file_entry_alloc_offset(inode)) {
+			make_bad_inode(inode);
+			return;
+		}
+	}
+
 	switch (fe->icbTag.fileType) {
 	case ICBTAG_FILE_TYPE_DIRECTORY:
 		inode->i_op = &udf_dir_inode_operations;
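Review bot: the two new early `return;` statements after make_bad_inode(inode) are the only failure signal this backport has, because udf_fill_inode() is declared `static void` in the hunk header, so the backport is only equivalent to the upstream change if every 3.16 caller tests is_bad_inode() once this function returns. Please confirm that in the changelog note, and also that nothing set up earlier in udf_fill_inode() is left unreleased when the function bails out before reaching the `switch (fe->icbTag.fileType)`. Two smaller points: both branches fail silently, so a short log line naming the inode and the offending i_size or i_lenAlloc would make a corrupted or crafted image much easier to diagnose; and the bound `inode->i_sb->s_blocksize - udf_file_entry_alloc_offset(inode)` assumes the offset never exceeds the block size, which is worth a one-line comment or an explicit check since the types involved are not visible here.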
-- 
2.1.4




