udf: reject descriptors with oversized CRC length
authorMichael Bommarito <michael.bommarito@gmail.com>
Mon, 13 Apr 2026 21:12:40 +0000 (17:12 -0400)
committerJan Kara <jack@suse.cz>
Wed, 22 Apr 2026 15:14:48 +0000 (17:14 +0200)
udf_read_tagged() skips CRC verification when descCRCLength +
sizeof(struct tag) exceeds the block size.  A crafted UDF image can
set descCRCLength to an oversized value to bypass CRC validation
entirely; the descriptor is then accepted based solely on the 8-bit
tag checksum, which is trivially recomputable.

Reject such descriptors instead of silently accepting them.  A
legitimate single-block descriptor should never have a CRC length that
exceeds the block.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260413211240.853662-1-michael.bommarito@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
fs/udf/misc.c

index 0788593b6a1d8b8ecf31ac3de1d25b59702239aa..6928e378fbbdcb33fd73764eb52b8b10af3a6422 100644 (file)
@@ -230,8 +230,12 @@ struct buffer_head *udf_read_tagged(struct super_block *sb, uint32_t block,
        }
 
        /* Verify the descriptor CRC */
-       if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize ||
-           le16_to_cpu(tag_p->descCRC) == crc_itu_t(0,
+       if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize) {
+               udf_err(sb, "block %u: CRC length %u exceeds block size\n",
+                       block, le16_to_cpu(tag_p->descCRCLength));
+               goto error_out;
+       }
+       if (le16_to_cpu(tag_p->descCRC) == crc_itu_t(0,
                                        bh->b_data + sizeof(struct tag),
                                        le16_to_cpu(tag_p->descCRCLength)))
                return bh;
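Review bot: The new bounds check on descCRCLength closes the oversized case, but the CRC comparison on the following lines still accepts a descriptor whose descCRCLength is 0 and descCRC is 0, because crc_itu_t() over zero bytes simply returns its seed. If the on-disk format never legitimately uses a zero CRC length for a tagged descriptor, that case deserves the same rejection, e.g. widening the guard to `if (!le16_to_cpu(tag_p->descCRCLength) || le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize) {`; this needs confirming against the specification before tightening, since a valid image relying on it would stop mounting. Separately, the message says the CRC length exceeds the block size while the condition adds sizeof(struct tag) first, so `"block %u: CRC length %u does not fit in block\n"` would describe the check more precisely. The rest of udf_read_tagged(), including the CRC-failure path and the error_out label, continues outside the hunk.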