Subject: Re: [f2fs-dev] [PATCH] f2fs: check memory boundary by insane namelen
To: Jaegeuk Kim , ,
References: <20181115075040.83500-1-jaegeuk@kernel.org>
CC: "gongchen (E)"
From: Sheng Yong
Message-ID: <3d213d40-a4b0-6e60-87b2-81e66866ac4c@huawei.com>
Date: Fri, 23 Nov 2018 20:11:15 +0800
In-Reply-To: <20181115075040.83500-1-jaegeuk@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi, Jaegeuk and Chao,

On 2018/11/15 15:50, Jaegeuk Kim wrote:
> If namelen is corrupted to have a very long value, fill_dentries can copy
> the wrong memory area.
>

Is there any scenario that could hit this corruption? Or is this triggered by fuzzing injection?

Thanks,
Sheng Yong

> Signed-off-by: Jaegeuk Kim > --- > fs/f2fs/dir.c | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c > index bacc667950b6..c0c845da12fa 100644 > --- a/fs/f2fs/dir.c > +++ b/fs/f2fs/dir.c > @@ -808,6 +808,17 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d, > de_name.name = d->filename[bit_pos]; > de_name.len = le16_to_cpu(de->name_len); > > + /* check memory boundary before moving forward */ > + bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)); > + if (unlikely(bit_pos > d->max)) { > + f2fs_msg(sbi->sb, KERN_WARNING, > + "%s: corrupted namelen=%d, run fsck to fix.", > + __func__, le16_to_cpu(de->name_len)); > + set_sbi_flag(sbi, SBI_NEED_FSCK); > + err = -EINVAL; > + goto out; > + } > + > if (f2fs_encrypted_inode(d->inode)) { > int save_len = fstr->len; > > @@ -830,7 +841,6 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d, > if (readdir_ra) > f2fs_ra_node_page(sbi, le32_to_cpu(de->ino)); > > - bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)); > ctx->pos = start_pos + bit_pos; > } > out: >
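Review bot: In the first hunk (`@@ -808,6 +808,17 @@`) the new code calls `le16_to_cpu(de->name_len)` three more times although `de_name.len` was loaded from exactly that field two lines earlier; using `de_name.len` in `GET_DENTRY_SLOTS(...)`, in the comparison and as the `f2fs_msg` argument avoids the repeated byte-swaps and keeps the warning tied to the value that would have been copied. The comparison `bit_pos > d->max` is the right one: after the increment `bit_pos` indexes the slot following the name, so a name that ends on the last slot gives `bit_pos == d->max` and must still pass. The changelog should also say how a bad `name_len` reaches this code (a corrupted or fuzzed on-disk dentry block), since the diff alone does not explain it and that is exactly the question the reply raises.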
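Review bot: In the second hunk (`@@ -830,7 +841,6 @@`) dropping the increment is behaviour-preserving for valid entries, because `ctx->pos = start_pos + bit_pos` still runs after `bit_pos` has been advanced past the entry, now at the top of the iteration; the commit message should say the increment is moved rather than removed. On the new error path `ctx->pos` is not updated for the corrupted entry, so the caller resumes at the same entry and gets -EINVAL again instead of silently skipping it; that is the safer choice next to SBI_NEED_FSCK, but a sentence in the changelog stating it is intentional would save the next reader the analysis.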
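As an added example (written here, not code from the patch or from f2fs itself), a user-space model of the slot walk in f2fs_fill_dentries with the patch's boundary check in place, using the GET_DENTRY_SLOTS arithmetic from include/linux/f2fs_fs.h. The struct layouts, the comma-separated output buffer, a zero name_len standing in for the slot bitmap, and the sample dentry block are all simplifications constructed for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
/* Constants as defined in include/linux/f2fs_fs.h. */
#define F2FS_SLOT_LEN       8
#define F2FS_SLOT_LEN_BITS  3
#define GET_DENTRY_SLOTS(x) (((x) + F2FS_SLOT_LEN - 1) >> F2FS_SLOT_LEN_BITS)
struct dir_entry { uint16_t name_len; };  /* only the field the check reads */
struct dentry_ptr {                       /* simplified f2fs_dentry_ptr */
	int max;                              /* number of slots in the block */
	const struct dir_entry *dentry;       /* one header per slot */
	const uint8_t *filename;              /* max * F2FS_SLOT_LEN contiguous name bytes */
};

/* Model of the patched loop: names are appended to out, comma-separated. Returns the
 * count emitted, or -EINVAL when a name_len would run past the block's last slot. */
int fill_dentries(const struct dentry_ptr *d, char *out, size_t outsz)
{
	unsigned bit_pos = 0, used = 0, emitted = 0;
	out[0] = '\0';
	while (bit_pos < (unsigned)d->max) {
		const struct dir_entry *de = &d->dentry[bit_pos];
		if (de->name_len == 0) { bit_pos++; continue; }     /* unused slot */
		const uint8_t *name = d->filename + bit_pos * F2FS_SLOT_LEN;
		unsigned len = de->name_len;
		/* the patch's check: bit_pos == max is legal, the name ends on the last slot */
		bit_pos += GET_DENTRY_SLOTS(len);
		if (bit_pos > (unsigned)d->max) return -EINVAL;    /* kernel also sets SBI_NEED_FSCK */
		if (used + len + 2 > outsz) return -ENAMETOOLONG;  /* not in the kernel: out is ours */
		if (emitted++) out[used++] = ',';
		memcpy(out + used, name, len);                     /* the copy the check protects */
		used += len; out[used] = '\0';
	}
	return (int)emitted;
}

static char listing[64];                  /* receives the names fill_dentries emits */
/* Constructed 6-slot block: "README.md" (2 slots), "x" (1 slot) and a 20-byte name
 * ending exactly on slot 5; corrupt != 0 sets the last name_len to 0xFFFF (8192 slots). */
int run_case(int corrupt)
{
	struct dir_entry hdr[6] = { {9}, {0}, {1}, {20}, {0}, {0} };
	uint8_t names[6 * F2FS_SLOT_LEN] = {0};
	memcpy(names + 0 * F2FS_SLOT_LEN, "README.md", 9);
	memcpy(names + 2 * F2FS_SLOT_LEN, "x", 1);
	memcpy(names + 3 * F2FS_SLOT_LEN, "twenty_characters_xx", 20);
	if (corrupt) hdr[3].name_len = 0xFFFF;
	struct dentry_ptr d = { 6, hdr, names };
	return fill_dentries(&d, listing, sizeof listing);
}
```

With the intact block the walk emits all three names; with the corrupted name_len it has already emitted the two entries before the bad one and then stops with -EINVAL before touching memory past the block.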