Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

udf: reject descriptors with oversized CRC length

udf_read_tagged() skips CRC verification when descCRCLength +
sizeof(struct tag) exceeds the block size. A crafted UDF image can
set descCRCLength to an oversized value to bypass CRC validation
entirely; the descriptor is then accepted based solely on the 8-bit
tag checksum, which is trivially recomputable.

Reject such descriptors instead of silently accepting them. A
legitimate single-block descriptor should never have a CRC length that
exceeds the block.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260413211240.853662-1-michael.bommarito@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>

authored by Michael Bommarito and committed by Jan Kara
55d41b0a cc85e337

+6 -2
fs/udf/misc.c
··· 230 230 } 231 231 232 232 /* Verify the descriptor CRC */ 233 - if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize || 234 - le16_to_cpu(tag_p->descCRC) == crc_itu_t(0, 233 + if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize) { 234 + udf_err(sb, "block %u: CRC length %u exceeds block size\n", 235 + block, le16_to_cpu(tag_p->descCRCLength)); 236 + goto error_out; 237 + } 238 + if (le16_to_cpu(tag_p->descCRC) == crc_itu_t(0, 235 239 bh->b_data + sizeof(struct tag), 236 240 le16_to_cpu(tag_p->descCRCLength))) 237 241 return bh;
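
Review bot: the new rejection branch under "Verify the descriptor CRC" compares against sb->s_blocksize, so every descriptor whose CRC-covered area runs past the block now takes the error_out path, while the commit message only argues the case of a "legitimate single-block descriptor". Please state in the commit message, or in a comment above the check, whether any caller of udf_read_tagged() can reach this point with a descriptor whose CRC legitimately spans more than one block, because those were returned as valid before this change and are rejected after it. Separately, le16_to_cpu(tag_p->descCRCLength) is now evaluated three times in this block (the size test, the udf_err() argument and the crc_itu_t() length); reading it once into a local would make it obvious that the bound check and the CRC call use the same value.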