From: Jan Kara <jack@suse.cz>
Date: Tue, 3 Jan 2023 09:03:35 +0000 (+0100)
Subject: udf: Detect system inodes linked into directory hierarchy
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=85a37983ec69cc9fcd188bc37c4de15ee326355a;p=linux.git

udf: Detect system inodes linked into directory hierarchy

When UDF filesystem is corrupted, hidden system inodes can be linked
into directory hierarchy which is an avenue for further serious
corruption of the filesystem and kernel confusion as noticed by syzbot
fuzzed images. Refuse to access system inodes linked into directory
hierarchy and vice versa.

CC: stable@vger.kernel.org
Reported-by: syzbot+38695a20b8addcbc1084@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
---

diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 9ee269d3d5465..96873fa2f6836 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1813,8 +1813,13 @@ struct inode *__udf_iget(struct super_block *sb, struct kernel_lb_addr *ino,
 	if (!inode)
 		return ERR_PTR(-ENOMEM);
 
-	if (!(inode->i_state & I_NEW))
+	if (!(inode->i_state & I_NEW)) {
+		if (UDF_I(inode)->i_hidden != hidden_inode) {
+			iput(inode);
+			return ERR_PTR(-EFSCORRUPTED);
+		}
 		return inode;
+	}
 
 	memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr));
 	err = udf_read_inode(inode, hidden_inode);