Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2465508pxj; Mon, 10 May 2021 03:45:58 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxbDwmf01q825sJTLV9jnLQgQ5ycmGA1NaISWOeAWgBCMvaC0KdY8Kbar0aTdqZkgIDgM0A X-Received: by 2002:a17:906:8a78:: with SMTP id hy24mr25348537ejc.39.1620643558729; Mon, 10 May 2021 03:45:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620643558; cv=none; d=google.com; s=arc-20160816; b=JmRT/+tCm8V8PeKcjlpet7GK5wtBbGWY+Ej8P//BKCL1g4SZHanioOKnvIY81MShwI VHYxQ8/u+W6MtP+Fax6WPVQ2QhVXx+69JKW25E6BeDZnT2Ce0nTZGvoyGZIRwS5NO/U/ eIr4TstyfFYtYpDVbBDf8xd6/lXb8SJ87fR2xNDaAsimdPcHSr02Lzh6v/Bghi+RDg4Q d7I2qwnpru/IrIkd9BnY7htzbCy85cc18jB4T6wI9yY4zpaDy+oTNRammBeRCmuOQaEo O64QAw3ifGZtIRR5J5vZOnTPs2vcHNpRPqcvr+pos4scc7a/iwxcd2THw2l1PR9qXXSr KYLQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=dfSmxQd33LWs9D7lLrSQnlRMuppu9G/HxIV/BvSkaP0=; b=QiKCGvgg4bI8MHLBdnQFCN2xsmhqHZ24R00lTEAR15b//qPnhuYQCEqjFJtEJB7Byx WwYVW0nmZpLpQ4Clg2tmBdmcwKz1XNLQyvL4hewk1H2yB2QjwUBz9m9hIKrXrcrx+4Vm fJFJu9u8ZRtJouNlV26DbdMqlFA0UM8uy32EDMONh/8Q8XS6biQBemvqzNjnwyDO8L7B BCOOwJzH2JKUk6qC3sIuRsbf3nJYHrGz/jL8ai5De5zPkQmlXGWyAHgT7AvzusblVX+D UcRRWUcWVt9e8rE/RdBz2mTaPKe4wQiGq43Nw0irWlG4zVNJCCcQiTCR87ARpeumdwgJ uu4Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=n9gTVY8G; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m21si14369379edc.194.2021.05.10.03.45.34; Mon, 10 May 2021 03:45:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=n9gTVY8G; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232869AbhEJKon (ORCPT + 99 others); Mon, 10 May 2021 06:44:43 -0400 Received: from mail.kernel.org ([198.145.29.99]:41272 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232240AbhEJKgI (ORCPT ); Mon, 10 May 2021 06:36:08 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id EDF1B61941; Mon, 10 May 2021 10:29:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620642548; bh=QuBkts/GkKLS+r08i0eaMGCItNONn0VTF3q7+p4oIfU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=n9gTVY8GPm7Tp0f1I/3OlZlukrRsjCUjX7KaB7D6+xZavPjWqVCp7N/7Wr2OPcIPX sYHCsnpu0Uifkjf+h+LQRLBC9e1CtB3sI8+HBgrtv5cG7rGI6yL8g59twq1qP9WYNs z6vpzldYI8RDS1PXMvYnWpCxuSOraWcl4ey5sivA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Chao Yu , Jaegeuk Kim , butt3rflyh4ck Subject: [PATCH 5.4 140/184] f2fs: fix to avoid out-of-bounds memory access Date: Mon, 10 May 2021 12:20:34 +0200 Message-Id: <20210510101954.734054415@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210510101950.200777181@linuxfoundation.org> References: <20210510101950.200777181@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Chao Yu commit b862676e371715456c9dade7990c8004996d0d9e upstream. butt3rflyh4ck reported a bug found by syzkaller fuzzer with custom modifications in 5.12.0-rc3+ [1]: dump_stack+0xfa/0x151 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x82/0x32c mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline] current_nat_addr fs/f2fs/node.h:213 [inline] get_next_nat_page fs/f2fs/node.c:123 [inline] __flush_nat_entry_set fs/f2fs/node.c:2888 [inline] f2fs_flush_nat_entries+0x258e/0x2960 fs/f2fs/node.c:2991 f2fs_write_checkpoint+0x1372/0x6a70 fs/f2fs/checkpoint.c:1640 f2fs_issue_checkpoint+0x149/0x410 fs/f2fs/checkpoint.c:1807 f2fs_sync_fs+0x20f/0x420 fs/f2fs/super.c:1454 __sync_filesystem fs/sync.c:39 [inline] sync_filesystem fs/sync.c:67 [inline] sync_filesystem+0x1b5/0x260 fs/sync.c:48 generic_shutdown_super+0x70/0x370 fs/super.c:448 kill_block_super+0x97/0xf0 fs/super.c:1394 The root cause is, if nat entry in checkpoint journal area is corrupted, e.g. nid of journalled nat entry exceeds max nid value, during checkpoint, once it tries to flush nat journal to NAT area, get_next_nat_page() may access out-of-bounds memory on nat_bitmap due to it uses wrong nid value as bitmap offset. [1] https://lore.kernel.org/lkml/CAFcO6XOMWdr8pObek6eN6-fs58KG9doRFadgJj-FnF-1x43s2g@mail.gmail.com/T/#u Reported-and-tested-by: butt3rflyh4ck Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman --- fs/f2fs/node.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/f2fs/node.c +++ b/fs/f2fs/node.c @@ -2718,6 +2718,9 @@ static void remove_nats_in_journal(struc struct f2fs_nat_entry raw_ne; nid_t nid = le32_to_cpu(nid_in_journal(journal, i)); + if (f2fs_check_nid_range(sbi, nid)) + continue; + raw_ne = nat_in_journal(journal, i); ne = __lookup_nat_cache(nm_i, nid);