2019-09-17 09:38:20

by Sahitya Tummala

[permalink] [raw]
Subject: [PATCH] f2fs: add a condition to detect overflow in f2fs_ioc_gc_range()

end = range.start + range.len;

If the range.start/range.len is a very large value, then end can overflow
in this operation. It results into a crash in get_valid_blocks() when
accessing the invalid range.start segno.

This issue is reported in ioctl fuzz testing.

Signed-off-by: Sahitya Tummala <[email protected]>
---
fs/f2fs/file.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index 5474aaa..c2b4767 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -2123,9 +2123,8 @@ static int f2fs_ioc_gc_range(struct file *filp, unsigned long arg)
return -EROFS;

end = range.start + range.len;
- if (range.start < MAIN_BLKADDR(sbi) || end >= MAX_BLKADDR(sbi)) {
+ if (end < range.start || range.start < MAIN_BLKADDR(sbi) || end >= MAX_BLKADDR(sbi))
return -EINVAL;
- }

ret = mnt_want_write_file(filp);
if (ret)
--
Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project.


2019-09-17 15:53:53

by Chao Yu

[permalink] [raw]
Subject: Re: [PATCH] f2fs: add a condition to detect overflow in f2fs_ioc_gc_range()

On 2019/9/17 12:49, Sahitya Tummala wrote:
> end = range.start + range.len;
>
> If the range.start/range.len is a very large value, then end can overflow
> in this operation. It results into a crash in get_valid_blocks() when
> accessing the invalid range.start segno.
>
> This issue is reported in ioctl fuzz testing.
>
> Signed-off-by: Sahitya Tummala <[email protected]>

Reviewed-by: Chao Yu <[email protected]>

Thanks,