summaryrefslogtreecommitdiff
path: root/fs/udf/unicode.c
AgeCommit message (Collapse)AuthorFilesLines
2023-08-30udf: Fix uninitialized array access for some pathnamesJan Kara1-1/+1
[ Upstream commit 028f6055c912588e6f72722d89c30b401bbcf013 ] For filenames that begin with . and are between 2 and 5 characters long, UDF charset conversion code would read uninitialized memory in the output buffer. The only practical impact is that the name may be prepended a "unification hash" when it is not actually needed but still it is good to fix this. Reported-by: syzbot+cd311b1e43cc25f90d18@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/000000000000e2638a05fe9dc8f9@google.com Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org>
2018-12-08udf: Allow mounting volumes with incorrect identification stringsJan Kara1-3/+11
commit b54e41f5efcb4316b2f30b30c2535cc194270373 upstream. Commit c26f6c615788 ("udf: Fix conversion of 'dstring' fields to UTF8") started to be more strict when checking whether converted strings are properly formatted. Sudip reports that there are DVDs where the volume identification string is actually too long - UDF reports: [ 632.309320] UDF-fs: incorrect dstring lengths (32/32) during mount and fails the mount. This is mostly harmless failure as we don't need volume identification (and even less volume set identification) for anything. So just truncate the volume identification string if it is too long and replace it with 'Invalid' if we just cannot convert it for other reasons. This keeps slightly incorrect media still mountable. CC: stable@vger.kernel.org Fixes: c26f6c615788 ("udf: Fix conversion of 'dstring' fields to UTF8") Reported-and-tested-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-04-24udf: Fix leak of UTF-16 surrogates into encoded stringsJan Kara1-0/+6
commit 44f06ba8297c7e9dfd0e49b40cbe119113cca094 upstream. OSTA UDF specification does not mention whether the CS0 charset in case of two bytes per character encoding should be treated in UTF-16 or UCS-2. The sample code in the standard does not treat UTF-16 surrogates in any special way but on systems such as Windows which work in UTF-16 internally, filenames would be treated as being in UTF-16 effectively. In Linux it is more difficult to handle characters outside of Base Multilingual plane (beyond 0xffff) as NLS framework works with 2-byte characters only. Just make sure we don't leak UTF-16 surrogates into the resulting string when loading names from the filesystem for now. CC: stable@vger.kernel.org # >= v4.6 Reported-by: Mingye Wang <arthur200126@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-04-25udf: Fix conversion of 'dstring' fields to UTF8Andrew Gabbasov1-2/+14
Commit 9293fcfbc1812a22ad5ce1b542eb90c1bbe01be1 ("udf: Remove struct ustr as non-needed intermediate storage"), while getting rid of 'struct ustr', does not take any special care of 'dstring' fields and effectively use fixed field length instead of actual string length, encoded in the last byte of the field. Also, commit 484a10f49387e4386bf2708532e75bf78ffea2cb ("udf: Merge linux specific translation into CS0 conversion function") introduced checking of the length of the string being converted, requiring proper alignment to number of bytes constituing each character. The UDF volume identifier is represented as a 32-bytes 'dstring', and needs to be converted from CS0 to UTF8, while mounting UDF filesystem. The changes in mentioned commits can in some cases lead to incorrect handling of volume identifier: - if the actual string in 'dstring' is of maximal length and does not have zero bytes separating it from dstring encoded length in last byte, that last byte may be included in conversion, thus making incorrect resulting string; - if the identifier is encoded with 2-bytes characters (compression code is 16), the length of 31 bytes (32 bytes of field length minus 1 byte of compression code), taken as the string length, is reported as an incorrect (unaligned) length, and the conversion fails, which in its turn leads to volume mounting failure. This patch introduces handling of 'dstring' encoded length field in udf_CS0toUTF8 function, that is used in all and only cases when 'dstring' fields are converted. Currently these cases are processing of Volume Identifier and Volume Set Identifier fields. The function is also renamed to udf_dstrCS0toUTF8 to distinctly indicate that it handles 'dstring' input. Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com> Signed-off-by: Jan Kara <jack@suse.cz>
2016-02-09udf: Merge linux specific translation into CS0 conversion functionAndrew Gabbasov1-128/+152
Current implementation of udf_translate_to_linux function does not support multi-bytes characters at all: it counts bytes while calculating extension length, when inserting CRC inside the name it doesn't take into account inter-character boundaries and can break into the middle of the character. The most efficient way to properly support multi-bytes characters is merging of translation operations directly into conversion function. This can help to avoid extra passes along the string or parsing the multi-bytes character back into unicode to find out it's length. Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com> Signed-off-by: Jan Kara <jack@suse.cz>
2016-02-09udf: Remove struct ustr as non-needed intermediate storageAndrew Gabbasov1-101/+45
Although 'struct ustr' tries to structurize the data by combining the string and its length, it doesn't actually make much benefit, since it saves only one parameter, but introduces an extra copying of the whole buffer, serving as an intermediate storage. It looks quite inefficient and not actually needed. This commit gets rid of the struct ustr by changing the parameters of some functions appropriately. Also, it removes using 'dstring' type, since it doesn't make much sense too. Just using the occasion, add a 'const' qualifier to udf_get_filename to make consistent parameters sets. Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com> Signed-off-by: Jan Kara <jack@suse.cz>
2016-02-09udf: Adjust UDF_NAME_LEN to better reflect actual restrictionsAndrew Gabbasov1-3/+3
Actual name length restriction is 254 bytes, this is used in 'ustr' structure, and this is what fits into UDF File Ident structures. And in most cases the constant is used as UDF_NAME_LEN-2. So, it's better to just modify the constant to make it closer to reality. Also, in some cases it's useful to have a separate constant for the maximum length of file name field in CS0 encoding in UDF File Ident structures. Also, remove the unused UDF_PATH_LEN constant. Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com> Signed-off-by: Jan Kara <jack@suse.cz>
2016-02-09udf: Join functions for UTF8 and NLS conversionsAndrew Gabbasov1-188/+90
There is no much sense to have separate functions for UTF8 and NLS conversions, since UTF8 encoding is actually the special case of NLS. However, although UTF8 is also supported by general NLS framework, it would be good to have separate UTF8 character conversion functions (char2uni and uni2char) locally in UDF code, so that they could be used even if NLS support is not enabled in the kernel configuration. Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com> Signed-off-by: Jan Kara <jack@suse.cz>
2016-02-09udf: Parameterize output length in udf_put_filenameAndrew Gabbasov1-5/+5
Make the desired output length a parameter rather than have it hard-coded to UDF_NAME_LEN. Although all call sites still have this length the same, this parameterization will make the function more universal and also consistent with udf_get_filename. Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com> Signed-off-by: Jan Kara <jack@suse.cz>
2016-01-04udf: Check output buffer length when converting name to CS0Andrew Gabbasov1-2/+13
If a name contains at least some characters with Unicode values exceeding single byte, the CS0 output should have 2 bytes per character. And if other input characters have single byte Unicode values, then the single input byte is converted to 2 output bytes, and the length of output becomes larger than the length of input. And if the input name is long enough, the output length may exceed the allocated buffer length. All this means that conversion from UTF8 or NLS to CS0 requires checking of output length in order to stop when it exceeds the given output buffer size. [JK: Make code return -ENAMETOOLONG instead of silently truncating the name] CC: stable@vger.kernel.org Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com> Signed-off-by: Jan Kara <jack@suse.cz>
2016-01-04udf: Prevent buffer overrun with multi-byte charactersAndrew Gabbasov1-1/+5
udf_CS0toUTF8 function stops the conversion when the output buffer length reaches UDF_NAME_LEN-2, which is correct maximum name length, but, when checking, it leaves the space for a single byte only, while multi-bytes output characters can take more space, causing buffer overflow. Similar error exists in udf_CS0toNLS function, that restricts the output length to UDF_NAME_LEN, while actual maximum allowed length is UDF_NAME_LEN-2. In these cases the output can override not only the current buffer length field, causing corruption of the name buffer itself, but also following allocation structures, causing kernel crash. Adjust the output length checks in both functions to prevent buffer overruns in case of multi-bytes UTF8 or NLS characters. CC: stable@vger.kernel.org Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com> Signed-off-by: Jan Kara <jack@suse.cz>
2015-05-18udf: Make udf_get_filename() return error instead of 0 length file nameFabian Frederick1-1/+4
Zero length file name isn't really valid. So check the length of the final file name generated by udf_translate_to_linux() and return -EINVAL instead of zero length file name. Update caller of udf_get_filename() to not check for 0 return value. Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Jan Kara <jack@suse.cz>
2015-05-18udf: bug on exotic flag in udf_get_filename()Fabian Frederick1-1/+1
UDF volume is only mounted with UDF_FLAG_UTF8 or UDF_FLAG_NLS_MAP (see fill udf_fill_super(). BUG() if we have something different in udf_get_filename() Suggested-by: Jan Kara <jack@suse.cz> Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Jan Kara <jack@suse.cz>
2015-05-18udf: improve error management in udf_CS0toNLS()Fabian Frederick1-3/+4
Only callsite udf_get_filename() now returns error code as well. Suggested-by: Jan Kara <jack@suse.cz> Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Jan Kara <jack@suse.cz>
2015-05-18udf: improve error management in udf_CS0toUTF8()Fabian Frederick1-3/+4
udf_CS0toUTF8() now returns -EINVAL on error. udf_load_pvoldesc() and udf_get_filename() do the same. Suggested-by: Jan Kara <jack@suse.cz> Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Jan Kara <jack@suse.cz>
2015-05-18udf: unicode: update function name in commentsFabian Frederick1-2/+2
Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Jan Kara <jack@suse.cz>
2015-05-18udf: remove unnecessary test in udf_build_ustr_exact()Fabian Frederick1-9/+5
We can remove parameter checks: udf_build_ustr_exact() is only called by udf_get_filename() which now assures dest is not NULL udf_find_entry() and udf_readdir() call udf_get_filename() after checking sname udf_symlink_filler() calls udf_pc_to_char() with sname=kmap(page). udf_find_entry() and udf_readdir() call udf_get_filename with UDF_NAME_LEN udf_pc_to_char() with PAGE_SIZE Suggested-by: Jan Kara <jack@suse.cz> Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Jan Kara <jack@suse.cz>
2015-05-18udf: Return -ENOMEM when allocation fails in udf_get_filename()Fabian Frederick1-5/+7
Return -ENOMEM when allocation fails in udf_get_filename(). Update udf_pc_to_char(), udf_readdir(), and udf_find_entry() to handle the error appropriately. This allows us to pass appropriate error to userspace instead of corrupting symlink contents by omitting some path elements. Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Jan Kara <jack@suse.cz>
2014-12-19udf: Check path length when reading symlinkJan Kara1-12/+16
Symlink reading code does not check whether the resulting path fits into the page provided by the generic code. This isn't as easy as just checking the symlink size because of various encoding conversions we perform on path. So we have to check whether there is still enough space in the buffer on the fly. CC: stable@vger.kernel.org Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no> Signed-off-by: Jan Kara <jack@suse.cz>
2014-07-16fs/udf: re-use hex_asc_upper_{hi,lo} macrosAndy Shevchenko1-5/+4
This patch cleans up udf_translate_to_linux() a bit by using globally defined macros instead of custom code. We can use sprintf(buf, "%04X", ...) there as well, but this one faster. Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: Jan Kara <jack@suse.cz>
2011-11-01udf: Convert printks to pr_<level>Joe Perches1-3/+3
Use the current logging styles. Convert a few printks that should have been udf_warn and udf_err. Coalesce formats. Add #define pr_fmt. Move an #include "udfdecls.h" above other includes in udftime.c so pr_fmt works correctly. Strip prefixes from conversions as appropriate. Reorder logging definitions in udfdecl.h Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Jan Kara <jack@suse.cz>
2010-03-30include cleanup: Update gfp.h and slab.h includes to prepare for breaking ↵Tejun Heo1-0/+1
implicit slab.h inclusion from percpu.h percpu.h is included by sched.h and module.h and thus ends up being included when building most .c files. percpu.h includes slab.h which in turn includes gfp.h making everything defined by the two files universally available and complicating inclusion dependencies. percpu.h -> slab.h dependency is about to be removed. Prepare for this change by updating users of gfp and slab facilities include those headers directly instead of assuming availability. As this conversion needs to touch large number of source files, the following script is used as the basis of conversion. http://userweb.kernel.org/~tj/misc/slabh-sweep.py The script does the followings. * Scan files for gfp and slab usages and update includes such that only the necessary includes are there. ie. if only gfp is used, gfp.h, if slab is used, slab.h. * When the script inserts a new include, it looks at the include blocks and try to put the new include such that its order conforms to its surrounding. It's put in the include block which contains core kernel includes, in the same order that the rest are ordered - alphabetical, Christmas tree, rev-Xmas-tree or at the end if there doesn't seem to be any matching order. * If the script can't find a place to put a new include (mostly because the file doesn't have fitting include block), it prints out an error message indicating which .h file needs to be added to the file. The conversion was done in the following steps. 1. The initial automatic conversion of all .c files updated slightly over 4000 files, deleting around 700 includes and adding ~480 gfp.h and ~3000 slab.h inclusions. The script emitted errors for ~400 files. 2. Each error was manually checked. Some didn't need the inclusion, some needed manual addition while adding it to implementation .h or embedding .c file was more appropriate for others. This step added inclusions to around 150 files. 3. The script was run again and the output was compared to the edits from #2 to make sure no file was left behind. 4. Several build tests were done and a couple of problems were fixed. e.g. lib/decompress_*.c used malloc/free() wrappers around slab APIs requiring slab.h to be added manually. 5. The script was run on all .h files but without automatically editing them as sprinkling gfp.h and slab.h inclusions around .h files could easily lead to inclusion dependency hell. Most gfp.h inclusion directives were ignored as stuff from gfp.h was usually wildly available and often used in preprocessor macros. Each slab.h inclusion directive was examined and added manually as necessary. 6. percpu.h was updated not to include slab.h. 7. Build test were done on the following configurations and failures were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my distributed build env didn't work with gcov compiles) and a few more options had to be turned off depending on archs to make things build (like ipr on powerpc/64 which failed due to missing writeq). * x86 and x86_64 UP and SMP allmodconfig and a custom test config. * powerpc and powerpc64 SMP allmodconfig * sparc and sparc64 SMP allmodconfig * ia64 SMP allmodconfig * s390 SMP allmodconfig * alpha SMP allmodconfig * um on x86_64 SMP allmodconfig 8. percpu.h modifications were reverted so that it could be applied as a separate patch and serve as bisection point. Given the fact that I had only a couple of failures from tests on step 6, I'm fairly confident about the coverage of this conversion patch. If there is a breakage, it's likely to be something in one of the arch headers which should be easily discoverable easily on most builds of the specific arch. Signed-off-by: Tejun Heo <tj@kernel.org> Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org> Cc: Ingo Molnar <mingo@redhat.com> Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2009-04-02udf: Fix oops when invalid character in filename occursJan Kara1-5/+16
Functions udf_CS0toNLS() and udf_NLStoCS0() didn't count with the fact that NLS can return negative length when invalid character is given to it for conversion. Thus interesting things could happen (such as overwriting random memory with the rest of filename). Add appropriate checks. Signed-off-by: Jan Kara <jack@suse.cz>
2009-04-02udf: reduce stack usage of udf_get_filenameMarcin Slusarz1-16/+25
Allocate strings with kmalloc. Checkstack output: Before: udf_get_filename: 600 After: udf_get_filename: 136 Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com> Cc: Jan Kara <jack@suse.cz> Signed-off-by: Jan Kara <jack@suse.cz>
2008-04-17udf: use crc_itu_t from lib instead of udf_crcBob Copeland1-1/+2
As pointed out by Sergey Vlasov, UDF implements its own version of the CRC ITU-T V.41. Convert it to use the one in the library. Signed-off-by: Bob Copeland <me@bobcopeland.com> Cc: Sergey Vlasov <vsu@altlinux.ru> Signed-off-by: Jan Kara <jack@suse.cz>
2008-04-17udf: udf_CS0toNLS cleanupmarcin.slusarz@gmail.com1-11/+8
- fix error handling - always zero output variable - don't zero explicitely fields zeroed by memset - mark "in" paramater as const Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz>
2008-04-17udf: fix udf_build_ustrMarcin Slusarz1-5/+7
udf_build_ustr was broken: - size == 1: dest->u_len = ptr[1 - 1], but at ptr[0] there's cmpID, so we created string with wrong length it should not happen, so we BUG() it - size > 1 and size < UDF_NAME_LEN: we set u_len correctly, but memcpy copied one needless byte - size == UDF_NAME_LEN - 1: memcpy overwrited u_len - with correct value, but... - size >= UDF_NAME_LEN: we copied UDF_NAME_LEN - 1 bytes, but dest->u_name is array of UDF_NAME_LEN - 2 bytes, so we were overwriting u_len with character from input string nobody noticed because all callers set size to acceptable values (constants within range) Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz>
2008-04-17udf: udf_CS0toUTF8 cleanupmarcin.slusarz@gmail.com1-17/+10
- fix error handling - always zero output variable - don't zero explicitely fields zeroed by memset - mark "in" paramater as const - remove outdated comment Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz>
2008-04-17udf: move headers out include/linux/Christoph Hellwig1-1/+0
There's really no reason to keep udf headers in include/linux as they're not used by anything but fs/udf/. This patch merges most of include/linux/udf_fs_i.h into fs/udf/udf_i.h, include/linux/udf_fs_sb.h into fs/udf/udf_sb.h and include/linux/udf_fs.h into fs/udf/udfdecl.h. The only thing remaining in include/linux/ is a stub of udf_fs_i.h defining the four user-visible udf ioctls. It's also moved from unifdef-y to headers-y because it can be included unconditionally now. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Jan Kara <jack@suse.cz>
2008-02-08udf: fix coding styleMarcin Slusarz1-39/+46
fix coding style errors found by checkpatch: - assignments in if conditions - braces {} around single statement blocks - no spaces after commas - printks without KERN_* - lines longer than 80 characters - spaces between "type *" and variable name before: 192 errors, 561 warnings, 8987 lines checked after: 1 errors, 38 warnings, 9468 lines checked Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com> Cc: Jan Kara <jack@suse.cz> Cc: Christoph Hellwig <hch@lst.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-22UDF: coding style conversion - lindent fixupsCyrill Gorcunov1-82/+73
This patch fixes up sources after conversion by Lindent. Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com> Cc: Jan Kara <jack@ucw.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-19UDF: coding style conversion - lindentCyrill Gorcunov1-164/+135
This patch converts UDF coding style to kernel coding style using Lindent. Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com> Cc: Jan Kara <jack@ucw.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2006-01-03remove pointers to the defunct UDF mailing listAdrian Bunk1-5/+0
This patch removes pointers to the defunct UDF mailing list. Signed-off-by: Adrian Bunk <bunk@stusta.de>
2005-04-17Linux-2.6.12-rc2v2.6.12-rc2Linus Torvalds1-0/+516
Initial git repository build. I'm not bothering with the full history, even though we have it. We can create a separate "historical" git archive of that later if we want to, and in the meantime it's about 3.2GB when imported into git - space that would just make the early git days unnecessarily complicated, when we don't have a lot of good infrastructure for it. Let it rip!