f2fs: avoid out-of-range memory access [Linux 4.9.187]

This Linux kernel change, "f2fs: avoid out-of-range memory access", is included in the Linux 4.9.187 release. It was authored by Ocean Chen <oceanchen [at] google.com> on Mon Jul 8 12:34:56 2019 +0800. The commit for this change in the Linux stable tree is dd1fc2c (patch), which comes from upstream commit 56f3ce6. The same upstream change may have been applied to various maintained Linux releases, and you can find all Linux releases containing changes from upstream 56f3ce6.

f2fs: avoid out-of-range memory access

[ Upstream commit 56f3ce675103e3fb9e631cfb4131fc768bc23e9a ]

blkoff_off might be over 512 due to fs corruption or a security
vulnerability. That should be checked before being used.

Use ENTRIES_IN_SUM to protect against an invalid value in cur_data_blkoff.

Signed-off-by: Ocean Chen <[email protected]>
Reviewed-by: Chao Yu <[email protected]>
Signed-off-by: Jaegeuk Kim <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>

There are 5 lines of Linux source code added/deleted in this change. The code changes to the Linux kernel are as follows.

 fs/f2fs/segment.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
index 2fb99a0..c983f7d 100644
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -1709,6 +1709,11 @@ static int read_compacted_summaries(struct f2fs_sb_info *sbi)
        seg_i = CURSEG_I(sbi, i);
        segno = le32_to_cpu(ckpt->cur_data_segno[i]);
        blk_off = le16_to_cpu(ckpt->cur_data_blkoff[i]);
+       if (blk_off > ENTRIES_IN_SUM) {
+           f2fs_bug_on(sbi, 1);
+           f2fs_put_page(page, 1);
+           return -EFAULT;
+       }
        seg_i->next_segno = segno;
        reset_curseg(sbi, i, 0);
        seg_i->alloc_type = ckpt->alloc_type[i];
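
Review bot: The added `f2fs_bug_on(sbi, 1)` fires on a value read straight from the on-disk checkpoint (`ckpt->cur_data_blkoff[i]`), which the commit message itself says can be out of range through corruption or a security vulnerability, so on builds where f2fs_bug_on is a BUG_ON (CONFIG_F2FS_CHECK_FS) a bad image becomes a kernel panic at mount time rather than a failed mount. Consider dropping the bug_on in favour of a logged error and keeping only the `f2fs_put_page(page, 1)` and the error return. `-EFAULT` normally denotes a bad user-space address; `-EINVAL` would describe invalid on-disk metadata more accurately. The comparison is `>` rather than `>=`, so a blk_off equal to ENTRIES_IN_SUM is accepted; the use of blk_off lies outside this hunk's context, so a one-line comment saying why equality is valid would help readers.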
