udf: Detect system inodes linked into directory hierarchy

[ Upstream commit 85a37983ec69cc9fcd188bc37c4de15ee326355a ] When UDF filesystem is corrupted, hidden system inodes can be linked into directory hierarchy which is an avenue for further serious corruption of the filesystem and kernel confusion as noticed by syzbot fuzzed images. Refuse to access system inodes linked into directory hierarchy and vice versa. CC: stable@vger.kernel.org Reported-by: syzbot+38695a20b8addcbc1084@syzkaller.appspotmail.com Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Jan Kara <jack@suse.cz> 2023-01-03 10:03:35 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-03-17 08:31:42 +0100
commit: 1dc71eeb198a8daa17d0c995998a53b0b749a158 (patch)
tree: 62fefd23c8bab7d849df2b747607783660a3228e
parent: ec852375bb9766b0c205fb95fb19b28319655644 (diff)
download: msm-1dc71eeb198a8daa17d0c995998a53b0b749a158.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 7436337914b1..77421e65623a 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1871,8 +1871,13 @@ struct inode *__udf_iget(struct super_block *sb, struct kernel_lb_addr *ino,
 	if (!inode)
 		return ERR_PTR(-ENOMEM);
 
-	if (!(inode->i_state & I_NEW))
+	if (!(inode->i_state & I_NEW)) {
+		if (UDF_I(inode)->i_hidden != hidden_inode) {
+			iput(inode);
+			return ERR_PTR(-EFSCORRUPTED);
+		}
 		return inode;
+	}
 
 	memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr));
 	err = udf_read_inode(inode, hidden_inode);
author	Jan Kara <jack@suse.cz>	2023-01-03 10:03:35 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2023-03-17 08:31:42 +0100
commit	1dc71eeb198a8daa17d0c995998a53b0b749a158 (patch)
tree	62fefd23c8bab7d849df2b747607783660a3228e
parent	ec852375bb9766b0c205fb95fb19b28319655644 (diff)
download	msm-1dc71eeb198a8daa17d0c995998a53b0b749a158.tar.gz