linux.git/fs/udf/unicode.c, branch v4.5 Linux kernel source tree udf: Check output buffer length when converting name to CS0 2016-01-04T14:57:49+00:00 Andrew Gabbasov andrew_gabbasov@mentor.com 2015-12-24T16:25:33+00:00 bb00c898ad1ce40c4bb422a8207ae562e9aea7ae If a name contains at least some characters with Unicode values exceeding single byte, the CS0 output should have 2 bytes per character. And if other input characters have single byte Unicode values, then the single input byte is converted to 2 output bytes, and the length of output becomes larger than the length of input. And if the input name is long enough, the output length may exceed the allocated buffer length. All this means that conversion from UTF8 or NLS to CS0 requires checking of output length in order to stop when it exceeds the given output buffer size. [JK: Make code return -ENAMETOOLONG instead of silently truncating the name] CC: stable@vger.kernel.org Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com> Signed-off-by: Jan Kara <jack@suse.cz> 
If a name contains at least some characters with Unicode values
exceeding single byte, the CS0 output should have 2 bytes per character.
And if other input characters have single byte Unicode values, then
the single input byte is converted to 2 output bytes, and the length
of output becomes larger than the length of input. And if the input
name is long enough, the output length may exceed the allocated buffer
length.

All this means that conversion from UTF8 or NLS to CS0 requires
checking of output length in order to stop when it exceeds the given
output buffer size.

[JK: Make code return -ENAMETOOLONG instead of silently truncating the
name]

CC: stable@vger.kernel.org
Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com>
Signed-off-by: Jan Kara <jack@suse.cz>
udf: Prevent buffer overrun with multi-byte characters 2016-01-04T13:30:43+00:00 Andrew Gabbasov andrew_gabbasov@mentor.com 2015-12-24T16:25:32+00:00 ad402b265ecf6fa22d04043b41444cdfcdf4f52d udf_CS0toUTF8 function stops the conversion when the output buffer length reaches UDF_NAME_LEN-2, which is correct maximum name length, but, when checking, it leaves the space for a single byte only, while multi-bytes output characters can take more space, causing buffer overflow. Similar error exists in udf_CS0toNLS function, that restricts the output length to UDF_NAME_LEN, while actual maximum allowed length is UDF_NAME_LEN-2. In these cases the output can override not only the current buffer length field, causing corruption of the name buffer itself, but also following allocation structures, causing kernel crash. Adjust the output length checks in both functions to prevent buffer overruns in case of multi-bytes UTF8 or NLS characters. CC: stable@vger.kernel.org Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com> Signed-off-by: Jan Kara <jack@suse.cz> 
udf_CS0toUTF8 function stops the conversion when the output buffer
length reaches UDF_NAME_LEN-2, which is correct maximum name length,
but, when checking, it leaves the space for a single byte only,
while multi-bytes output characters can take more space, causing
buffer overflow.

Similar error exists in udf_CS0toNLS function, that restricts
the output length to UDF_NAME_LEN, while actual maximum allowed
length is UDF_NAME_LEN-2.

In these cases the output can override not only the current buffer
length field, causing corruption of the name buffer itself, but also
following allocation structures, causing kernel crash.

Adjust the output length checks in both functions to prevent buffer
overruns in case of multi-bytes UTF8 or NLS characters.

CC: stable@vger.kernel.org
Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com>
Signed-off-by: Jan Kara <jack@suse.cz>
udf: Make udf_get_filename() return error instead of 0 length file name 2015-05-18T09:23:06+00:00 Fabian Frederick fabf@skynet.be 2015-04-08T19:23:57+00:00 6ce638367382ea8015cf64619e9bca4e207ef36f Zero length file name isn't really valid. So check the length of the final file name generated by udf_translate_to_linux() and return -EINVAL instead of zero length file name. Update caller of udf_get_filename() to not check for 0 return value. Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Jan Kara <jack@suse.cz> 
Zero length file name isn't really valid. So check the length of the
final file name generated by udf_translate_to_linux() and return -EINVAL
instead of zero length file name. Update caller of udf_get_filename() to
not check for 0 return value.

Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Jan Kara <jack@suse.cz>
udf: bug on exotic flag in udf_get_filename() 2015-05-18T09:23:06+00:00 Fabian Frederick fabf@skynet.be 2015-04-08T19:23:56+00:00 5dce54b71e6185dae07ad12ca17ce30aa64022cd UDF volume is only mounted with UDF_FLAG_UTF8 or UDF_FLAG_NLS_MAP (see fill udf_fill_super(). BUG() if we have something different in udf_get_filename() Suggested-by: Jan Kara <jack@suse.cz> Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Jan Kara <jack@suse.cz> 
UDF volume is only mounted with UDF_FLAG_UTF8
or UDF_FLAG_NLS_MAP (see fill udf_fill_super().
BUG() if we have something different in udf_get_filename()

Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Jan Kara <jack@suse.cz>
udf: improve error management in udf_CS0toNLS() 2015-05-18T09:23:05+00:00 Fabian Frederick fabf@skynet.be 2015-04-08T19:23:55+00:00 78fc2e694f35d1d027448e5b7641f32719073320 Only callsite udf_get_filename() now returns error code as well. Suggested-by: Jan Kara <jack@suse.cz> Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Jan Kara <jack@suse.cz> 
Only callsite udf_get_filename() now returns error code as well.

Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Jan Kara <jack@suse.cz>
udf: improve error management in udf_CS0toUTF8() 2015-05-18T09:23:05+00:00 Fabian Frederick fabf@skynet.be 2015-04-08T19:23:54+00:00 e9d4cf411f7582537ed0038d0f32a8743b75e58a udf_CS0toUTF8() now returns -EINVAL on error. udf_load_pvoldesc() and udf_get_filename() do the same. Suggested-by: Jan Kara <jack@suse.cz> Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Jan Kara <jack@suse.cz> 
udf_CS0toUTF8() now returns -EINVAL on error.
udf_load_pvoldesc() and udf_get_filename() do the same.

Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Jan Kara <jack@suse.cz>
udf: unicode: update function name in comments 2015-05-18T09:23:04+00:00 Fabian Frederick fabf@skynet.be 2015-04-08T19:23:53+00:00 d67e4a481425106a43c8d3cef82a82cc31b4edd8 Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Jan Kara <jack@suse.cz> 
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Jan Kara <jack@suse.cz>
udf: remove unnecessary test in udf_build_ustr_exact() 2015-05-18T09:23:04+00:00 Fabian Frederick fabf@skynet.be 2015-04-08T19:23:52+00:00 31f2566f33a6a25ac0baf402316e37e76632445f We can remove parameter checks: udf_build_ustr_exact() is only called by udf_get_filename() which now assures dest is not NULL udf_find_entry() and udf_readdir() call udf_get_filename() after checking sname udf_symlink_filler() calls udf_pc_to_char() with sname=kmap(page). udf_find_entry() and udf_readdir() call udf_get_filename with UDF_NAME_LEN udf_pc_to_char() with PAGE_SIZE Suggested-by: Jan Kara <jack@suse.cz> Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Jan Kara <jack@suse.cz> 
We can remove parameter checks:

udf_build_ustr_exact() is only called by udf_get_filename()
which now assures dest is not NULL

udf_find_entry() and udf_readdir() call udf_get_filename()
after checking sname
udf_symlink_filler() calls udf_pc_to_char() with sname=kmap(page).

udf_find_entry() and udf_readdir() call udf_get_filename with UDF_NAME_LEN
udf_pc_to_char() with PAGE_SIZE

Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Jan Kara <jack@suse.cz>
udf: Return -ENOMEM when allocation fails in udf_get_filename() 2015-05-18T09:23:03+00:00 Fabian Frederick fabf@skynet.be 2015-04-08T19:23:51+00:00 5ceb8b554dcaaf6844415cd2616ce2e0132530fa Return -ENOMEM when allocation fails in udf_get_filename(). Update udf_pc_to_char(), udf_readdir(), and udf_find_entry() to handle the error appropriately. This allows us to pass appropriate error to userspace instead of corrupting symlink contents by omitting some path elements. Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Jan Kara <jack@suse.cz> 
Return -ENOMEM when allocation fails in udf_get_filename(). Update
udf_pc_to_char(), udf_readdir(), and udf_find_entry() to handle the
error appropriately. This allows us to pass appropriate error to
userspace instead of corrupting symlink contents by omitting some path
elements.

Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Jan Kara <jack@suse.cz>
udf: Check path length when reading symlink 2014-12-19T13:12:08+00:00 Jan Kara jack@suse.cz 2014-12-18T21:37:50+00:00 0e5cc9a40ada6046e6bc3bdfcd0c0d7e4b706b14 Symlink reading code does not check whether the resulting path fits into the page provided by the generic code. This isn't as easy as just checking the symlink size because of various encoding conversions we perform on path. So we have to check whether there is still enough space in the buffer on the fly. CC: stable@vger.kernel.org Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no> Signed-off-by: Jan Kara <jack@suse.cz> 
Symlink reading code does not check whether the resulting path fits into
the page provided by the generic code. This isn't as easy as just
checking the symlink size because of various encoding conversions we
perform on path. So we have to check whether there is still enough space
in the buffer on the fly.

CC: stable@vger.kernel.org
Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
Signed-off-by: Jan Kara <jack@suse.cz>