From patchwork Tue Aug 8 11:18:40 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 109611
Delivered-To: patch@linaro.org
From: Amit Pundir
To: Greg KH
Cc: Stable, Jin Qian, Jin Qian, Jaegeuk Kim
Subject: [PATCH for-4.9] f2fs: sanity check checkpoint segno and blkoff
Date: Tue, 8 Aug 2017 16:48:40 +0530
Message-Id: <1502191120-32023-3-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1502191120-32023-1-git-send-email-amit.pundir@linaro.org>
References: <1502191120-32023-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org

From: Jin Qian

commit 15d3042a937c13f5d9244241c7a9c8416ff6e82a upstream.

Make sure segno and blkoff read from raw image are valid.

Cc: stable@vger.kernel.org
Signed-off-by: Jin Qian
[Jaegeuk Kim: adjust minor coding style]
Signed-off-by: Jaegeuk Kim
[AmitP: Found in Android Security bulletin for Aug'17, fixes CVE-2017-10663]
Signed-off-by: Amit Pundir
---
 fs/f2fs/super.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--
2.7.4

diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index 7e0c002c12e9..eb20b8767f3c 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -1424,6 +1424,8 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi) unsigned int total, fsmeta; struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi); struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi); + unsigned int main_segs, blocks_per_seg; + int i; total = le32_to_cpu(raw_super->segment_count); fsmeta = le32_to_cpu(raw_super->segment_count_ckpt); 
@@ -1435,6 +1437,20 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi) if (unlikely(fsmeta >= total)) return 1; + main_segs = le32_to_cpu(raw_super->segment_count_main); + blocks_per_seg = sbi->blocks_per_seg; + + for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) { + if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs || + le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg) + return 1; + } + for (i = 0; i < NR_CURSEG_DATA_TYPE; i++) { + if (le32_to_cpu(ckpt->cur_data_segno[i]) >= main_segs || + le16_to_cpu(ckpt->cur_data_blkoff[i]) >= blocks_per_seg) + return 1; + } + if (unlikely(f2fs_cp_error(sbi))) { f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck"); return 1;
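Review bot: in the first hunk (@@ -1424,6 +1424,8 @@), the new loop counter is declared as a signed "int i" while every other local in sanity_check_ckpt() shown here (total, fsmeta, main_segs, blocks_per_seg) is unsigned int. It only ever indexes cur_node_segno[], cur_node_blkoff[], cur_data_segno[] and cur_data_blkoff[] from 0 up to NR_CURSEG_NODE_TYPE or NR_CURSEG_DATA_TYPE, so "unsigned int i" would match the surrounding declarations and avoid a signed/unsigned comparison if either bound is ever defined as an unsigned value.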
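Review bot: in the second hunk (@@ -1435,6 +1437,20 @@), both new loops return 1 silently, whereas the f2fs_cp_error() check immediately below logs through f2fs_msg(sbi->sb, KERN_ERR, ...) before returning. A mount that fails because a cur_node_segno, cur_node_blkoff, cur_data_segno or cur_data_blkoff value from the image is out of range leaves nothing in the log to say which field or index was bad; an f2fs_msg() that prints the index and the offending value would make corrupted or crafted images much easier to triage. Two smaller points on the same lines: the neighbouring test is written as unlikely(fsmeta >= total) but the new conditions are not wrapped in unlikely(), and the upper bound main_segs is itself read from raw_super->segment_count_main, so the check is only as strong as whatever validates that superblock field. Nothing in this hunk does, so a short comment naming where segment_count_main is validated would help the next reader.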