From: Chao Yu To: CC: , , , Chao Yu , Subject: [PATCH] f2fs: fix shift-out-of-bounds in sanity_check_raw_super() Date: Wed, 9 Dec 2020 16:49:36 +0800 Message-ID: <20201209084936.31711-1-yuchao0@huawei.com> X-Mailer: git-send-email 2.29.2 MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.120.216.130] X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org syzbot reported a bug which could cause shift-out-of-bounds issue, fix it. Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:120 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395 sanity_check_raw_super fs/f2fs/super.c:2812 [inline] read_raw_super_block fs/f2fs/super.c:3267 [inline] f2fs_fill_super.cold+0x16c9/0x16f6 fs/f2fs/super.c:3519 mount_bdev+0x34d/0x410 fs/super.c:1366 legacy_get_tree+0x105/0x220 fs/fs_context.c:592 vfs_get_tree+0x89/0x2f0 fs/super.c:1496 do_new_mount fs/namespace.c:2896 [inline] path_mount+0x12ae/0x1e70 fs/namespace.c:3227 do_mount fs/namespace.c:3240 [inline] __do_sys_mount fs/namespace.c:3448 [inline] __se_sys_mount fs/namespace.c:3425 [inline] __x64_sys_mount+0x27f/0x300 fs/namespace.c:3425 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Reported-by: syzbot+ca9a785f8ac472085994@syzkaller.appspotmail.com Signed-off-by: Chao Yu --- fs/f2fs/super.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index bf96f5776f99..c0b2ea596b07 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -2869,7 +2869,6 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi, block_t total_sections, blocks_per_seg; struct f2fs_super_block *raw_super = (struct f2fs_super_block *) (bh->b_data + F2FS_SUPER_OFFSET); - unsigned int blocksize; size_t crc_offset = 0; __u32 crc = 0; 
@@ -2896,10 +2895,10 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi, } /* Currently, support only 4KB block size */ - blocksize = 1 << le32_to_cpu(raw_super->log_blocksize); - if (blocksize != F2FS_BLKSIZE) { - f2fs_info(sbi, "Invalid blocksize (%u), supports only 4KB", - blocksize); + if (le32_to_cpu(raw_super->log_blocksize) != F2FS_BLKSIZE_BITS) { + f2fs_info(sbi, "Invalid log_blocksize (%u), supports only %u", + le32_to_cpu(raw_super->log_blocksize), + F2FS_BLKSIZE_BITS); return -EFSCORRUPTED; } -- 2.29.2
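Review bot: In the second hunk, the new check calls le32_to_cpu(raw_super->log_blocksize) twice, once in the comparison and once as the f2fs_info() argument. Reading the field once into a local u32 before the "if" would guarantee the compared value and the logged value are the same, and it would shorten the call. The new message "supports only %u" prints F2FS_BLKSIZE_BITS with no unit while the comment above still says 4KB, so the log line would be clearer if it named the quantity, for example "supports only log_blocksize %u". The changelog would also benefit from stating the cause visible in the removed line "blocksize = 1 << le32_to_cpu(raw_super->log_blocksize);", where a field read from the on-disk superblock is used as a shift count before any range check.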