From: Sahitya Tummala
To: Jaegeuk Kim, Chao Yu, linux-f2fs-devel@lists.sourceforge.net
Cc: Sahitya Tummala, linux-kernel@vger.kernel.org
Subject: [PATCH] f2fs: add a condition to detect overflow in f2fs_ioc_gc_range()
Date: Tue, 17 Sep 2019 10:19:23 +0530
Message-Id: <1568695763-29343-1-git-send-email-stummala@codeaurora.org>

end = range.start + range.len;

If the range.start/range.len is a very large value, then end can overflow
in this operation. It results in a crash in get_valid_blocks() when
accessing the invalid range.start segno.

This issue is reported in ioctl fuzz testing.

Signed-off-by: Sahitya Tummala
--- fs/f2fs/file.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index 5474aaa..c2b4767 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c 
@@ -2123,9 +2123,8 @@ static int f2fs_ioc_gc_range(struct file *filp, unsigned long arg) return -EROFS; end = range.start + range.len; - if (range.start < MAIN_BLKADDR(sbi) || end >= MAX_BLKADDR(sbi)) { + if (end < range.start || range.start < MAIN_BLKADDR(sbi) || end >= MAX_BLKADDR(sbi)) return -EINVAL; - } ret = mnt_want_write_file(filp); if (ret) -- Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center, Inc. Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project.
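Review bot: the added `end < range.start` test on the `+` line detects the wrap only if `end`, `range.start` and `range.len` are unsigned and of the same width, and their declarations are outside this hunk, so that is worth confirming or stating in the commit message. Because the test runs after `end = range.start + range.len;` has already been computed, the intent would be more explicit with `check_add_overflow(range.start, range.len, &end)` from <linux/overflow.h>, which performs the addition and reports the wrap in one step. As a style point, the combined condition now runs well past 80 columns; splitting it after the first `||` keeps it readable.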