Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp5431507ybi;
        Wed, 12 Jun 2019 02:21:30 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzcDeBc8t/nS6+8pm252bxucpJofhrWlGszKaW0i8QrArMJA172LeZQvLg+iyKq+nHlFSY1
X-Received: by 2002:a17:90a:de08:: with SMTP id m8mr31796993pjv.18.1560331289998;
        Wed, 12 Jun 2019 02:21:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1560331289; cv=none;
        d=google.com; s=arc-20160816;
        b=sPABP2+6GJH+HKWSSJuYTYlZz4BIzSF/20gxch2ElAGodvaCrWR6z4QEchMvPQQwSm
         XDrDGCRvg9/M9fpTMfXKIyO6UZinwvfIgKzruB4Rgso2y6wSEf5FZMnRbZy2SAzSZypV
         75WtFas8+2qBLACAX9WfBngqE195bRLoDoYJF5gVOUn3oov1YtoiCfC1+p8080ryGiaj
         wNFd61wQ7rLK9pm9CLf4+aPJZQ+SqAsFIIupbvs1YvyZCE/qtmCW26gsCcQQozwLhEAL
         bpepqORmWLCS3GpAGcRr+3k9L51HZjYYmTYWhec+i8ffv3Iv9mfL8e2VN0GqE9/itKpU
         4b1A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:from:subject:mime-version
         :message-id:date:dkim-signature;
        bh=9k1XSYdZALmH5hfa8a4AvP07Lnh/NUnZExR+YT8RVJg=;
        b=lbAmx6sf/iqdgpkHiMJcIBUlfqdu6T+X6TjpxTwxIlREpQfF79BrB+9ZZt+v6cqlN+
         03TwFgrP5mVtazu3b4nhTbO+26T78pxClxAq0nI+feVs8kjaVQT8Rf1Jr/uoy2SZmbGD
         zQ7+C+OZt4wEj0z8Nmn70AzS1/gGep7oamSSp4TCHcH0z+y+Q1pcN6Q6DrlTGyXfSjbr
         rXBcQqVhae2t5LL+vxnkpNKfSySoG93LheOsXQvoPb+qiZCoQgH0OXfNVQEWm3ado80x
         JoWVC47O+LOYga9YrMTN1YWCSzJMwa/lKbfcbBnXzTHtYVIccffUSv6Uuq+/LMYfZ5SL
         kLxA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=PQ69jBZK;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id s14si5028315pji.28.2019.06.12.02.21.13;
        Wed, 12 Jun 2019 02:21:29 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=PQ69jBZK;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731940AbfFLI6H (ORCPT <rfc822;fezhang.suse@gmail.com>
        + 99 others); Wed, 12 Jun 2019 04:58:07 -0400
Received: from mail-yb1-f202.google.com ([209.85.219.202]:56945 "EHLO
        mail-yb1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728740AbfFLI6H (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 12 Jun 2019 04:58:07 -0400
Received: by mail-yb1-f202.google.com with SMTP id y3so14884289ybp.23
        for <linux-kernel@vger.kernel.org>; Wed, 12 Jun 2019 01:58:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:message-id:mime-version:subject:from:to:cc;
        bh=9k1XSYdZALmH5hfa8a4AvP07Lnh/NUnZExR+YT8RVJg=;
        b=PQ69jBZKOHxDO/Whg1h1b3HMn0jb+jBhbwD60f9UYm+KKj3nXwBXrhdSO1xpxRUGI3
         7cK7dIMJfWnffO9DB6tfoM1dDSdPKSkJ5zviaiG1T840kg7O02vo21jucqKNco5vBXtP
         nnT59IGwweHt1bguh+DDlSq8k7cJdN890iHE7pkIZFIRiwBwkDigJQO3Y5kax6nltu55
         ZyUcbSEPVFgAq3EpsoxgujnREHik+31nO+3gVraPCbY3qQjjsgY+kUoRWFwI2ofTy9eU
         wWoxLnJq2S/7lCcEo27WrwwosrCyB4NfDIxMLi4kpcpYa+ddPkAOyd6jbV4xY8bDKkl0
         m7FQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc;
        bh=9k1XSYdZALmH5hfa8a4AvP07Lnh/NUnZExR+YT8RVJg=;
        b=HaO2Iy5F5JrofCqThQW4hPy/WB2x6KeuzjKtRxjMkQaUYVZfEgla7dawsaNxnpd9+Q
         2Ax9+5IvBtWGmwDolcjdsDRIGQEgiWYej5VYHi7S/a2oDmyjEzVmWs5NBzMIsPiuwY1K
         Ws/hBPXfe8AJYrtviTVLWXRUv49ur0R/VDz8XPdGn0DU+yd9bWEOV9DMurhieyJldbNP
         SsG4FLioYPz8pkxK9h6mYWNQ/wJDIS7f5bSgMN8UF4YPjplb+yZM/4DeZKijJkd/wB5Q
         rY38XmVYEn8DeUsHrqYNMdhxc50ftLCH6EL46COQiFqTQxBpkrg/HtpWQC8QRoF6f+1i
         PRFA==
X-Gm-Message-State: APjAAAXaJBdLrdzoVEj7DgcVFljyTocpTwyLF00DMLF7/2QfOmCvcezi
        HuZsRb/ueeWUbSpeVBK+I5tSO3Kew8oRpVX8gYo=
X-Received: by 2002:a25:d407:: with SMTP id m7mr37566390ybf.409.1560329886146;
 Wed, 12 Jun 2019 01:58:06 -0700 (PDT)
Date:   Wed, 12 Jun 2019 16:58:00 +0800
Message-Id: <20190612085800.11947-1-huangrandall@google.com>
Mime-Version: 1.0
X-Mailer: git-send-email 2.22.0.rc2.383.gf4fbbf30c2-goog
Subject: [PATCH] f2fs: add boundary check in inline_data_addr
From:   Randall Huang <huangrandall@google.com>
To:     jaegeuk@kernel.org, yuchao0@huawei.com,
        linux-f2fs-devel@lists.sourceforge.net,
        linux-kernel@vger.kernel.org
Cc:     huangrandall@google.com
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Add boundary check in case of extra_size is larger
than sizeof array "i_addr"

Signed-off-by: Randall Huang <huangrandall@google.com>
---
 fs/f2fs/f2fs.h | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index 760390f380b6..17f3858a00c3 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -2660,11 +2660,25 @@ static inline bool f2fs_is_drop_cache(struct inode *inode)
 	return is_inode_flag_set(inode, FI_DROP_CACHE);
 }
 
+#define F2FS_TOTAL_EXTRA_ATTR_SIZE			\
+	(offsetof(struct f2fs_inode, i_extra_end) -	\
+	offsetof(struct f2fs_inode, i_extra_isize))	\
+
 static inline void *inline_data_addr(struct inode *inode, struct page *page)
 {
 	struct f2fs_inode *ri = F2FS_INODE(page);
 	int extra_size = get_extra_isize(inode);
 
+	if (extra_size < 0 || extra_size > F2FS_TOTAL_EXTRA_ATTR_SIZE ||
+		extra_size % sizeof(__le32)) {
+		f2fs_msg(F2FS_I_SB(inode)->sb, KERN_ERR,
+			"%s: inode (ino=%lx) has corrupted i_extra_isize: %d, "
+			"max: %zu",
+			__func__, inode->i_ino, extra_size,
+			F2FS_TOTAL_EXTRA_ATTR_SIZE);
+		extra_size = 0;
+	}
+
 	return (void *)&(ri->i_addr[extra_size + DEF_INLINE_RESERVED_SIZE]);
 }
 
@@ -2817,10 +2831,6 @@ static inline int get_inline_xattr_addrs(struct inode *inode)
 	((is_inode_flag_set(i, FI_ACL_MODE)) ? \
 	 (F2FS_I(i)->i_acl_mode) : ((i)->i_mode))
 
-#define F2FS_TOTAL_EXTRA_ATTR_SIZE			\
-	(offsetof(struct f2fs_inode, i_extra_end) -	\
-	offsetof(struct f2fs_inode, i_extra_isize))	\
-
 #define F2FS_OLD_ATTRIBUTE_SIZE	(offsetof(struct f2fs_inode, i_addr))
 #define F2FS_FITS_IN_INODE(f2fs_inode, extra_isize, field)		\
 		((offsetof(typeof(*(f2fs_inode)), field) +	\
-- 
2.22.0.rc2.383.gf4fbbf30c2-goog