udf: Verify partition map count

Verify that number of partition maps isn't insanely high which can lead
to large allocation in udf_sb_alloc_partition_maps(). All partition maps
have to fit in the LVD which is in a single block.

Reported-by: syzbot+478f2c1a6f0f447a46bb@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>

diff --git a/fs/udf/super.c b/fs/udf/super.c
index 1c8a736b33097e1b6aa3d26ba35a822de8969d56..b2f168b0a0d18ef51692094c1de3aafca74b6d96 100644 (file)
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1440,7 +1440,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
        struct genericPartitionMap *gpm;
        uint16_t ident;
        struct buffer_head *bh;
-       unsigned int table_len;
+       unsigned int table_len, part_map_count;
        int ret;
 
        bh = udf_read_tagged(sb, block, block, &ident);
@@ -1461,7 +1461,16 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
                                           "logical volume");
        if (ret)
                goto out_bh;
-       ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
+
+       part_map_count = le32_to_cpu(lvd->numPartitionMaps);
+       if (part_map_count > table_len / sizeof(struct genericPartitionMap1)) {
+               udf_err(sb, "error loading logical volume descriptor: "
+                       "Too many partition maps (%u > %u)\n", part_map_count,
+                       table_len / (unsigned)sizeof(struct genericPartitionMap1));
+               ret = -EIO;
+               goto out_bh;
+       }
+       ret = udf_sb_alloc_partition_maps(sb, part_map_count);
        if (ret)
                goto out_bh;