Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp3977124pxb; Tue, 2 Mar 2021 03:40:04 -0800 (PST) X-Google-Smtp-Source: ABdhPJxHFtMyzccWDJVqheZhpMfr3rplQWLC7YgQ5trcWIXOd8T7+8COTw1bcrT0pJbLRk/lcpFK X-Received: by 2002:a17:906:c210:: with SMTP id d16mr20282790ejz.187.1614685204663; Tue, 02 Mar 2021 03:40:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614685204; cv=none; d=google.com; s=arc-20160816; b=jknptZq3sOrCMjXc6qecsYDXjzPfgs8P/XmI63dWY8ZPTiwqq4moBLYMPb7+nAbQ9/ h6lyZfSMWmNMjBpA5l2eWHtM4HF0A0NdsiZ2rEnRZCQsAoDMkBgjKWAP6VGLb4Zc6C7m BAXrVArnZ+VS30IwjMrGb5lt/QQRNaarhSXkLRNi3/TwXakBJUEqoxYLsbvJZINbV1kL 3pkH3d8bCyWUCYyGkVxogSyrH5h+VB5rxKCuYZHZKsDPWNVJFQTicv0UKd8LEOjlLoQ7 6Jir2VtLFDbh163XHjAnw9LPsOiCFKWGcRmA4pLzjZYpV23Dv7C2S+DlWnfPI3wzwYMy 49lQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=AqribqUqHw70dc5dJXXBdUtjk3V3zyys/W8DKMLx9A4=; b=UgCNVUk85dhxk9gzijBt0O+7UonTXiy3/02rG3lsNBkUXuF5+9qTon7EuXl8sFnEHG AW4zOYV//CVeqqzz0oFIVanXhVRk5WEdgiOLjIDO+zbkhPwNSKdA7y49WVnYwMMaKc7K 0wLHN1K2xUrh+Pm2xAVqGIXSCwuI3ZpI6gE/mq4IgfeS2SylcLdFQjerksqnnkD9Fo7M 5S7czVc08DnUnWPfdSAjy8Ue0KxzwA+BpJppkuDusT/bScu8WrdqZ9gnnDy165SCcjYI LrJ2NiPdiEl3Q4ivi8U5mkMLzJxaxr0XdJ9yxj/AwZnFGSd3g4aYnMBOKn7EVRkl83nt wKng== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LFm86x7s; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id qk3si6322946ejb.638.2021.03.02.03.39.41; Tue, 02 Mar 2021 03:40:04 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LFm86x7s; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241714AbhCBCKI (ORCPT + 99 others); Mon, 1 Mar 2021 21:10:08 -0500 Received: from mail.kernel.org ([198.145.29.99]:50864 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242092AbhCATfM (ORCPT ); Mon, 1 Mar 2021 14:35:12 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id F41F26528E; Mon, 1 Mar 2021 17:31:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1614619894; bh=TH1FbZt92s+UcTZJK66IxQhicJvP3lj3ntXyCPqj3kk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LFm86x7sfIT43Cw6CoCEwX7TglcAo0X+h+scWLJKAGjjGgzVocw09sN3VIP8jy1nP +TgXawbitmyhqB5WeN9LH1N5cKoyUJVCRW6S6yi8BBnpWHzxASu43EgLxnKPoXb2ZQ bXEHKV4AgW4D06fUSYbgw93ZYQ+3Xe4vaSkYiUOY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+da4fe66aaadd3c2e2d1c@syzkaller.appspotmail.com, Sungjong Seo , Randy Dunlap , Namjae Jeon Subject: [PATCH 5.10 618/663] exfat: fix shift-out-of-bounds in exfat_fill_super() Date: Mon, 1 Mar 2021 17:14:26 +0100 Message-Id: <20210301161212.419641486@linuxfoundation.org> X-Mailer: git-send-email 2.30.1 In-Reply-To: <20210301161141.760350206@linuxfoundation.org> References: <20210301161141.760350206@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Namjae Jeon commit 78c276f5495aa53a8beebb627e5bf6a54f0af34f upstream. syzbot reported a warning which could cause shift-out-of-bounds issue. Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x183/0x22e lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] __ubsan_handle_shift_out_of_bounds+0x432/0x4d0 lib/ubsan.c:395 exfat_read_boot_sector fs/exfat/super.c:471 [inline] __exfat_fill_super fs/exfat/super.c:556 [inline] exfat_fill_super+0x2acb/0x2d00 fs/exfat/super.c:624 get_tree_bdev+0x406/0x630 fs/super.c:1291 vfs_get_tree+0x86/0x270 fs/super.c:1496 do_new_mount fs/namespace.c:2881 [inline] path_mount+0x1937/0x2c50 fs/namespace.c:3211 do_mount fs/namespace.c:3224 [inline] __do_sys_mount fs/namespace.c:3432 [inline] __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3409 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 exfat specification describe sect_per_clus_bits field of boot sector could be at most 25 - sect_size_bits and at least 0. And sect_size_bits can also affect this calculation, It also needs validation. This patch add validation for sect_per_clus_bits and sect_size_bits field of boot sector. Fixes: 719c1e182916 ("exfat: add super block operations") Cc: stable@vger.kernel.org # v5.9+ Reported-by: syzbot+da4fe66aaadd3c2e2d1c@syzkaller.appspotmail.com Reviewed-by: Sungjong Seo Tested-by: Randy Dunlap Signed-off-by: Namjae Jeon Signed-off-by: Greg Kroah-Hartman --- fs/exfat/exfat_raw.h | 4 ++++ fs/exfat/super.c | 31 ++++++++++++++++++++++++++----- 2 files changed, 30 insertions(+), 5 deletions(-) --- a/fs/exfat/exfat_raw.h +++ b/fs/exfat/exfat_raw.h @@ -77,6 +77,10 @@ #define EXFAT_FILE_NAME_LEN 15 +#define EXFAT_MIN_SECT_SIZE_BITS 9 +#define EXFAT_MAX_SECT_SIZE_BITS 12 +#define EXFAT_MAX_SECT_PER_CLUS_BITS(x) (25 - (x)->sect_size_bits) + /* EXFAT: Main and Backup Boot Sector (512 bytes) */ struct boot_sector { __u8 jmp_boot[BOOTSEC_JUMP_BOOT_LEN]; --- a/fs/exfat/super.c +++ b/fs/exfat/super.c @@ -381,8 +381,7 @@ static int exfat_calibrate_blocksize(str { struct exfat_sb_info *sbi = EXFAT_SB(sb); - if (!is_power_of_2(logical_sect) || - logical_sect < 512 || logical_sect > 4096) { + if (!is_power_of_2(logical_sect)) { exfat_err(sb, "bogus logical sector size %u", logical_sect); return -EIO; } @@ -451,6 +450,25 @@ static int exfat_read_boot_sector(struct return -EINVAL; } + /* + * sect_size_bits could be at least 9 and at most 12. + */ + if (p_boot->sect_size_bits < EXFAT_MIN_SECT_SIZE_BITS || + p_boot->sect_size_bits > EXFAT_MAX_SECT_SIZE_BITS) { + exfat_err(sb, "bogus sector size bits : %u\n", + p_boot->sect_size_bits); + return -EINVAL; + } + + /* + * sect_per_clus_bits could be at least 0 and at most 25 - sect_size_bits. + */ + if (p_boot->sect_per_clus_bits > EXFAT_MAX_SECT_PER_CLUS_BITS(p_boot)) { + exfat_err(sb, "bogus sectors bits per cluster : %u\n", + p_boot->sect_per_clus_bits); + return -EINVAL; + } + sbi->sect_per_clus = 1 << p_boot->sect_per_clus_bits; sbi->sect_per_clus_bits = p_boot->sect_per_clus_bits; sbi->cluster_size_bits = p_boot->sect_per_clus_bits + @@ -477,16 +495,19 @@ static int exfat_read_boot_sector(struct sbi->used_clusters = EXFAT_CLUSTERS_UNTRACKED; /* check consistencies */ - if (sbi->num_FAT_sectors << p_boot->sect_size_bits < - sbi->num_clusters * 4) { + if ((u64)sbi->num_FAT_sectors << p_boot->sect_size_bits < + (u64)sbi->num_clusters * 4) { exfat_err(sb, "bogus fat length"); return -EINVAL; } + if (sbi->data_start_sector < - sbi->FAT1_start_sector + sbi->num_FAT_sectors * p_boot->num_fats) { + (u64)sbi->FAT1_start_sector + + (u64)sbi->num_FAT_sectors * p_boot->num_fats) { exfat_err(sb, "bogus data start sector"); return -EINVAL; } + if (sbi->vol_flags & VOLUME_DIRTY) exfat_warn(sb, "Volume was not properly unmounted. Some data may be corrupt. Please run fsck."); if (sbi->vol_flags & MEDIA_FAILURE)