udf: fix uninit-value use in udf_get_fileshortad

Check for overflow when computing alen in udf_current_aext to mitigate
later uninit-value use in udf_get_fileshortad KMSAN bug[1].
After applying the patch reproducer did not trigger any issue[2].

[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
[2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000

Reported-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
Tested-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
Suggested-by: Jan Kara <jack@suse.com>
Signed-off-by: Gianfranco Trad <gianf.trad@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240925074613.8475-3-gianf.trad@gmail.com

diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 75c8cccfebd40b9dcc6f2ac0f1f9cf89cb4c0b5d..70c907fe8af9eb742e510163f1c23c54b87a2108 100644 (file)
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -2255,12 +2255,15 @@ int udf_current_aext(struct inode *inode, struct extent_position *epos,
                alen = udf_file_entry_alloc_offset(inode) +
                                                        iinfo->i_lenAlloc;
        } else {
+               struct allocExtDesc *header =
+                       (struct allocExtDesc *)epos->bh->b_data;
+
                if (!epos->offset)
                        epos->offset = sizeof(struct allocExtDesc);
                ptr = epos->bh->b_data + epos->offset;
-               alen = sizeof(struct allocExtDesc) +
-                       le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)->
-                                                       lengthAllocDescs);
+               if (check_add_overflow(sizeof(struct allocExtDesc),
+                               le32_to_cpu(header->lengthAllocDescs), &alen))
+                       return -1;
        }
 
        switch (iinfo->i_alloc_type) {