udf: Detect system inodes linked into directory hierarchy

When UDF filesystem is corrupted, hidden system inodes can be linked into directory hierarchy which is an avenue for further serious corruption of the filesystem and kernel confusion as noticed by syzbot fuzzed images. Refuse to access system inodes linked into directory hierarchy and vice versa. CC: stable@vger.kernel.org Reported-by: syzbot+38695a20b8addcbc1084@syzkaller.appspotmail.com Signed-off-by: Jan Kara <jack@suse.cz>
author: Jan Kara <jack@suse.cz> 2023-01-03 10:03:35 +0100
committer: Jan Kara <jack@suse.cz> 2023-01-09 10:39:53 +0100
commit: 85a37983ec69cc9fcd188bc37c4de15ee326355a (patch)
tree: 65435e3e1f74585720820943721671505a43e478
parent: fc8033a34a3ca7d23353e645e6dde5d364ac5f12 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 9ee269d3d546..96873fa2f683 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1813,8 +1813,13 @@ struct inode *__udf_iget(struct super_block *sb, struct kernel_lb_addr *ino,
 	if (!inode)
 		return ERR_PTR(-ENOMEM);
 
-	if (!(inode->i_state & I_NEW))
+	if (!(inode->i_state & I_NEW)) {
+		if (UDF_I(inode)->i_hidden != hidden_inode) {
+			iput(inode);
+			return ERR_PTR(-EFSCORRUPTED);
+		}
 		return inode;
+	}
 
 	memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr));
 	err = udf_read_inode(inode, hidden_inode);
author	Jan Kara <jack@suse.cz>	2023-01-03 10:03:35 +0100
committer	Jan Kara <jack@suse.cz>	2023-01-09 10:39:53 +0100
commit	85a37983ec69cc9fcd188bc37c4de15ee326355a (patch)
tree	65435e3e1f74585720820943721671505a43e478
parent	fc8033a34a3ca7d23353e645e6dde5d364ac5f12 (diff)