From: Ye Bin
To: , ,
CC: , , Ye Bin
Subject: [PATCH -next 3/3] ext4: fix potential out of bound read in ext4_fc_replay_scan()
Date: Sat, 24 Sep 2022 15:52:33 +0800
Message-ID: <20220924075233.2315259-4-yebin10@huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20220924075233.2315259-1-yebin10@huawei.com>
References: <20220924075233.2315259-1-yebin10@huawei.com>
X-Mailing-List: linux-ext4@vger.kernel.org

The scan loop must ensure that at least EXT4_FC_TAG_BASE_LEN space remains. If the remaining space is less than EXT4_FC_TAG_BASE_LEN, this will lead to an out-of-bound read when mounting a corrupt file system image.

ADD_RANGE/HEAD/TAIL need an extra check during the journal scan, as these three tags read data during the scan, so the tag length cannot be less than the length of the data that will be read.

Signed-off-by: Ye Bin
---
 fs/ext4/fast_commit.c | 38 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c
index 54622005a0c8..ef05bfa87798 100644
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -1976,6 +1976,34 @@ void ext4_fc_replay_cleanup(struct super_block *sb) kfree(sbi->s_fc_replay_state.fc_modified_inodes); } +static inline bool ext4_fc_tag_len_isvalid(struct ext4_fc_tl *tl, + u8 *val, u8 *end) +{ + if (val + tl->fc_len > end) + return false; + + /* Here only check ADD_RANGE/TAIL/HEAD which will read data when do + * journal rescan before do CRC check. Other tags length check will + * rely on CRC check. + */ + switch (tl->fc_tag) { + case EXT4_FC_TAG_ADD_RANGE: + return (sizeof(struct ext4_fc_add_range) == tl->fc_len); + case EXT4_FC_TAG_TAIL: + return (sizeof(struct ext4_fc_tail) <= tl->fc_len); + case EXT4_FC_TAG_HEAD: + return (sizeof(struct ext4_fc_head) == tl->fc_len); + case EXT4_FC_TAG_DEL_RANGE: + case EXT4_FC_TAG_LINK: + case EXT4_FC_TAG_UNLINK: + case EXT4_FC_TAG_CREAT: + case EXT4_FC_TAG_INODE: + case EXT4_FC_TAG_PAD: + default: + return true; + } +} + /* * Recovery Scan phase handler * @@ -2032,10 +2060,15 @@ static int ext4_fc_replay_scan(journal_t *journal, } state->fc_replay_expected_off++; - for (cur = start; cur < end; + for (cur = start; cur < end - EXT4_FC_TAG_BASE_LEN; cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) { ext4_fc_get_tl(&tl, cur); val = cur + EXT4_FC_TAG_BASE_LEN; + if (!ext4_fc_tag_len_isvalid(&tl, val, end)) { + ret = state->fc_replay_num_tags ? + JBD2_FC_REPLAY_STOP : -ECANCELED; + goto out_err; + } ext4_debug("Scan phase, tag:%s, blk %lld\n", tag2str(tl.fc_tag), bh->b_blocknr); switch (tl.fc_tag) { @@ -2146,7 +2179,7 @@ static int ext4_fc_replay(journal_t *journal, struct buffer_head *bh, start = (u8 *)bh->b_data; end = (__u8 *)bh->b_data + journal->j_blocksize - 1; - for (cur = start; cur < end; + for (cur = start; cur < end - EXT4_FC_TAG_BASE_LEN; cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) { ext4_fc_get_tl(&tl, cur); val = cur + EXT4_FC_TAG_BASE_LEN; 
@@ -2156,6 +2189,7 @@ static int ext4_fc_replay(journal_t *journal, struct buffer_head *bh, ext4_fc_set_bitmaps_and_counters(sb); break; } + ext4_debug("Replay phase, tag:%s\n", tag2str(tl.fc_tag)); state->fc_replay_num_tags--; switch (tl.fc_tag) { -- 2.31.1
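Review bot: In the first hunk, the TAIL arm of ext4_fc_tag_len_isvalid() accepts `sizeof(struct ext4_fc_tail) <= tl->fc_len` while ADD_RANGE and HEAD require exact equality, and neither the function comment nor the commit message says why the tail alone may carry a longer fc_len; please add a one-line comment on `case EXT4_FC_TAG_TAIL:` stating the reason (for example, if the tail's length is meant to cover padding up to the end of the block), otherwise a later cleanup is likely to "fix" it to `==`. Two smaller points in the same function: the explicit `case EXT4_FC_TAG_DEL_RANGE:` through `case EXT4_FC_TAG_PAD:` labels fall into `default:` anyway and only add noise, unless the intent is to treat unknown tag values differently from the known ones, in which case `default` should probably not return true; and the comment should be reworded, e.g. "Only ADD_RANGE/TAIL/HEAD are checked here because the scan phase reads their payload before the CRC is verified; the lengths of the other tags are covered by the CRC check."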
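Review bot: In the ext4_fc_replay_scan() hunk, the new failure path (`ret = state->fc_replay_num_tags ? JBD2_FC_REPLAY_STOP : -ECANCELED; goto out_err;`) stops or cancels replay without logging anything, so whoever mounts a corrupt image gets no indication that a fast-commit tag was rejected for its length; an ext4_debug() or ext4_warning() carrying tag2str(tl.fc_tag), tl.fc_len and bh->b_blocknr before the `goto out_err` would make the corruption diagnosable and would match the existing `ext4_debug("Scan phase, tag:%s, blk %lld\n", ...)` a few lines below. Please also add a comment on why a bad length after at least one accepted tag maps to JBD2_FC_REPLAY_STOP while a bad length in the very first tag maps to -ECANCELED; the choice is explained neither in the hunk nor in the commit message.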
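Review bot: In the ext4_fc_replay() hunk, `end` is visibly `bh->b_data + journal->j_blocksize - 1`, a pointer to the last byte of the block, but the new bound `cur < end - EXT4_FC_TAG_BASE_LEN` treats it like a one-past-the-end pointer and therefore skips a tag header that would still fit inside the block; likewise, if ext4_fc_replay_scan() computes `end` the same way (not shown in this hunk), the `val + tl->fc_len > end` test in ext4_fc_tag_len_isvalid() rejects a payload that ends exactly on the block's last byte. Both errors are on the safe side (they reject rather than read past the buffer), but the bound should either be made exact (define `end` as `bh->b_data + journal->j_blocksize` and compare with `<=` consistently) or the deliberate slack should be documented at both loops. This loop also does not call ext4_fc_tag_len_isvalid(); if the intent is that the scan phase has already validated every tag the replay phase will see, a comment saying so at the loop would prevent the question from coming up again.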
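Review bot: The last hunk's `ext4_debug("Replay phase, tag:%s\n", tag2str(tl.fc_tag));` is unrelated to the out-of-bound read fix and would be easier to review and bisect as its own patch; if it stays here, mirror the scan-phase message and include `bh->b_blocknr` so the two debug lines can be correlated per block.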