From patchwork Tue Aug 8 11:18:39 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 109612
From: Amit Pundir
To: Greg KH
Cc: Stable, Jin Qian, Jin Qian, Jaegeuk Kim
Subject: [PATCH for-4.4] f2fs: sanity check checkpoint segno and blkoff
Date: Tue, 8 Aug 2017 16:48:39 +0530
Message-Id: <1502191120-32023-2-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1502191120-32023-1-git-send-email-amit.pundir@linaro.org>

From: Jin Qian

commit 15d3042a937c13f5d9244241c7a9c8416ff6e82a upstream.

Make sure segno and blkoff read from raw image are valid.

Cc: stable@vger.kernel.org
Signed-off-by: Jin Qian
[Jaegeuk Kim: adjust minor coding style]
Signed-off-by: Jaegeuk Kim
[AmitP: Found in Android Security bulletin for Aug'17, fixes CVE-2017-10663]
Signed-off-by: Amit Pundir
---
fs/f2fs/super.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)

--
2.7.4

diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index 86e1cb899957..4f666368aa85 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -1078,6 +1078,8 @@ static int sanity_check_ckpt(struct f2fs_sb_info *sbi) unsigned int total, fsmeta; struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi); struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi); + unsigned int main_segs, blocks_per_seg; + int i; total = le32_to_cpu(raw_super->segment_count); fsmeta = le32_to_cpu(raw_super->segment_count_ckpt); 
@@ -1089,6 +1091,20 @@ static int sanity_check_ckpt(struct f2fs_sb_info *sbi) if (unlikely(fsmeta >= total)) return 1; + main_segs = le32_to_cpu(raw_super->segment_count_main); + blocks_per_seg = sbi->blocks_per_seg; + + for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) { + if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs || + le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg) + return 1; + } + for (i = 0; i < NR_CURSEG_DATA_TYPE; i++) { + if (le32_to_cpu(ckpt->cur_data_segno[i]) >= main_segs || + le16_to_cpu(ckpt->cur_data_blkoff[i]) >= blocks_per_seg) + return 1; + } + if (unlikely(f2fs_cp_error(sbi))) { f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck"); return 1;
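
Review bot: The two new loops in the second hunk (@@ -1089,6 +1091,20 @@) return 1 without logging anything, while the f2fs_cp_error() branch directly below them reports "A bug case: need to run fsck" through f2fs_msg(). A mount that is rejected because cur_node_segno[i], cur_data_segno[i] or the matching blkoff is out of range will be indistinguishable in the log from the other return 1 paths in sanity_check_ckpt(); consider an f2fs_msg(sbi->sb, KERN_ERR, ...) naming the offending index and value before each return. The new conditions are also not wrapped in unlikely(), unlike the neighbouring if (unlikely(fsmeta >= total)). Finally, main_segs is read from raw_super but blocks_per_seg is taken from sbi->blocks_per_seg, so the blkoff bound is only as trustworthy as whatever validated that field earlier; that validation is not visible in this hunk and is worth confirming for the 4.4 backport.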