udf: limit the maximum number of TD redirections

Filesystem fuzzing revealed that we could get stuck in the
udf_process_sequence() loop.

The maximum limit was chosen arbitrarily but fixes the problem I saw.

Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Jan Kara <jack@suse.cz>

1 files changed, 14 insertions, 0 deletions

diff --git a/fs/udf/super.c b/fs/udf/super.c
index 81155b9b445b..fd45537eaa01 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1586,6 +1586,13 @@ static void udf_load_logicalvolint(struct super_block *sb, struct kernel_extent_
 }
 
 /*
+ * Maximum number of Terminating Descriptor redirections. The chosen number is
+ * arbitrary - just that we hopefully don't limit any real use of rewritten
+ * inode on write-once media but avoid looping for too long on corrupted media.
+ */
+#define UDF_MAX_TD_NESTING 64
+
+/*
  * Process a main/reserve volume descriptor sequence.
  *   @block             First block of first extent of the sequence.
  *   @lastblock         Lastblock of first extent of the sequence.
@@ -1609,6 +1616,7 @@ static noinline int udf_process_sequence(
         uint16_t ident;
         long next_s = 0, next_e = 0;
         int ret;
+        unsigned int indirections = 0;
 
         memset(vds, 0, sizeof(struct udf_vds_record) * VDS_POS_LENGTH);
 
@@ -1679,6 +1687,12 @@ static noinline int udf_process_sequence(
                         }
                         break;
                 case TAG_IDENT_TD: /* ISO 13346 3/10.9 */
+                        if (++indirections > UDF_MAX_TD_NESTING) {
+                                udf_err(sb, "too many TDs (max %u supported)\n", UDF_MAX_TD_NESTING);
+                                brelse(bh);
+                                return -EIO;
+                        }
+
                         vds[VDS_POS_TERMINATING_DESC].block = block;
                         if (next_e) {
                                 block = next_s;