git.ipfire.org Git - thirdparty/linux.git/commit

author	Michael Bommarito <michael.bommarito@gmail.com>
	Mon, 13 Apr 2026 21:12:40 +0000 (17:12 -0400)
committer	Jan Kara <jack@suse.cz>
	Wed, 22 Apr 2026 15:14:48 +0000 (17:14 +0200)
commit	55d41b0a20128e86b9e960dd2e3f0a2d69a18df7
tree	b687dc269849fdd3f60c4ec478da746d13305836	tree \| snapshot
parent	cc85e337278001c325afecfbc9a739a3b1b205f2	commit \| diff

udf: reject descriptors with oversized CRC length

udf_read_tagged() skips CRC verification when descCRCLength +
sizeof(struct tag) exceeds the block size. A crafted UDF image can
set descCRCLength to an oversized value to bypass CRC validation
entirely; the descriptor is then accepted based solely on the 8-bit
tag checksum, which is trivially recomputable.

Reject such descriptors instead of silently accepting them. A
legitimate single-block descriptor should never have a CRC length that
exceeds the block.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260413211240.853662-1-michael.bommarito@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>