From: Eric Biggers
To: stable@vger.kernel.org
Cc: linux-ext4@vger.kernel.org, stable@kernel.org, Ye Bin, Theodore Ts'o
Subject: [PATCH 5.15 05/10] ext4: fix potential out of bound read in ext4_fc_replay_scan()
Date: Wed, 4 Jan 2023 23:13:54 -0800
Message-Id: <20230105071359.257952-6-ebiggers@kernel.org>
In-Reply-To: <20230105071359.257952-1-ebiggers@kernel.org>
References: <20230105071359.257952-1-ebiggers@kernel.org>
X-Mailing-List: linux-ext4@vger.kernel.org

From: Ye Bin

commit 1b45cc5c7b920fd8bf72e5a888ec7abeadf41e09 upstream.

The scan loop must ensure that at least EXT4_FC_TAG_BASE_LEN of space remains. If the remaining space is less than EXT4_FC_TAG_BASE_LEN, it will lead to an out of bound read when mounting a corrupt file system image.
ADD_RANGE/HEAD/TAIL need an extra check during the journal scan, as these three tags read data during the scan; the tag length cannot be less than the length of the data that will be read.

Cc: stable@kernel.org
Signed-off-by: Ye Bin
Link: https://lore.kernel.org/r/20220924075233.2315259-4-yebin10@huawei.com
Signed-off-by: Theodore Ts'o
Signed-off-by: Eric Biggers
---
 fs/ext4/fast_commit.c | 38 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c
index fdce08c68cd43..be59f8790ce41 100644
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -1907,6 +1907,34 @@ void ext4_fc_replay_cleanup(struct super_block *sb) kfree(sbi->s_fc_replay_state.fc_modified_inodes); } +static inline bool ext4_fc_tag_len_isvalid(struct ext4_fc_tl *tl, + u8 *val, u8 *end) +{ + if (val + tl->fc_len > end) + return false; + + /* Here only check ADD_RANGE/TAIL/HEAD which will read data when do + * journal rescan before do CRC check. Other tags length check will + * rely on CRC check. + */ + switch (tl->fc_tag) { + case EXT4_FC_TAG_ADD_RANGE: + return (sizeof(struct ext4_fc_add_range) == tl->fc_len); + case EXT4_FC_TAG_TAIL: + return (sizeof(struct ext4_fc_tail) <= tl->fc_len); + case EXT4_FC_TAG_HEAD: + return (sizeof(struct ext4_fc_head) == tl->fc_len); + case EXT4_FC_TAG_DEL_RANGE: + case EXT4_FC_TAG_LINK: + case EXT4_FC_TAG_UNLINK: + case EXT4_FC_TAG_CREAT: + case EXT4_FC_TAG_INODE: + case EXT4_FC_TAG_PAD: + default: + return true; + } +} + /* * Recovery Scan phase handler * @@ -1963,10 +1991,15 @@ static int ext4_fc_replay_scan(journal_t *journal, } state->fc_replay_expected_off++; - for (cur = start; cur < end; + for (cur = start; cur < end - EXT4_FC_TAG_BASE_LEN; cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) { ext4_fc_get_tl(&tl, cur); val = cur + EXT4_FC_TAG_BASE_LEN; + if (!ext4_fc_tag_len_isvalid(&tl, val, end)) { + ret = state->fc_replay_num_tags ? + JBD2_FC_REPLAY_STOP : -ECANCELED; + goto out_err; + } ext4_debug("Scan phase, tag:%s, blk %lld\n", tag2str(tl.fc_tag), bh->b_blocknr); switch (tl.fc_tag) { @@ -2077,7 +2110,7 @@ static int ext4_fc_replay(journal_t *journal, struct buffer_head *bh, start = (u8 *)bh->b_data; end = (__u8 *)bh->b_data + journal->j_blocksize - 1; - for (cur = start; cur < end; + for (cur = start; cur < end - EXT4_FC_TAG_BASE_LEN; cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) { ext4_fc_get_tl(&tl, cur); val = cur + EXT4_FC_TAG_BASE_LEN; 
@@ -2087,6 +2120,7 @@ static int ext4_fc_replay(journal_t *journal, struct buffer_head *bh, ext4_fc_set_bitmaps_and_counters(sb); break; } + ext4_debug("Replay phase, tag:%s\n", tag2str(tl.fc_tag)); state->fc_replay_num_tags--; switch (tl.fc_tag) { -- 2.39.0
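Review bot: in ext4_fc_tag_len_isvalid() (first hunk), `val + tl->fc_len > end` forms a pointer up to 64 KiB past the buffer before comparing it; `tl->fc_len > end - val` makes the same test without doing so, and the scan loop condition in the second hunk (`cur < end - EXT4_FC_TAG_BASE_LEN`) already guarantees val < end, so the subtraction cannot go negative. Two smaller points in the same function: the TAIL case accepts `sizeof(struct ext4_fc_tail) <= tl->fc_len` while ADD_RANGE and HEAD require equality, and a one-line comment on why a tail may legitimately be longer (presumably because its length also covers the padding to the end of the block) would keep the next reader from treating the asymmetry as a typo; and the explicit `case EXT4_FC_TAG_DEL_RANGE:` through `case EXT4_FC_TAG_PAD:` labels do nothing that `default:` does not already do, so either drop them or say in the comment that they are there to document which tags are deliberately left to the CRC check.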
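Review bot: in the scan loop hunk, the new rejection runs before the `ext4_debug("Scan phase, tag:%s, blk %lld\n", ...)` line, so a block rejected for a bad tag length leaves no trace in the debug output; either move the debug line above the check or emit one in the failure branch with `tl.fc_tag`, `tl.fc_len` and `bh->b_blocknr`, since this is exactly the path a corrupt image takes. The mapping `ret = state->fc_replay_num_tags ? JBD2_FC_REPLAY_STOP : -ECANCELED;` also deserves a short comment: it means that a malformed tag found after earlier tags have been accepted ends replay quietly at that point instead of failing the mount, which is the right thing for a torn trailing commit but is not self-evidently right for a length field corrupted in the middle of the journal, and the reader should not have to work that out from the CRC-failure path.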
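Review bot: in the ext4_fc_replay() loop hunk, `end = (__u8 *)bh->b_data + journal->j_blocksize - 1;` (visible in the context) makes `end` the last byte of the block rather than one past it, so `cur < end - EXT4_FC_TAG_BASE_LEN` refuses a 4-byte header that ends exactly on the block boundary, and the matching `val + tl->fc_len > end` test in ext4_fc_tag_len_isvalid() refuses a value that ends exactly there. That errs on the safe side but is one byte stricter than the block layout allows; if ext4_fc_replay_scan() computes `end` the same way, consider `end = start + journal->j_blocksize` with `cur <= end - EXT4_FC_TAG_BASE_LEN`, or state the intended bound in a comment. It is also worth one line next to this loop noting that it does not call ext4_fc_tag_len_isvalid() itself and relies on the scan phase having already validated every tag it will walk.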
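Review bot: the added `ext4_debug("Replay phase, tag:%s\n", tag2str(tl.fc_tag));` in the last hunk is a debugging aid unrelated to the bounds fix and is not mentioned in the commit message; for a stable backport it would be cleaner to drop it or call it out explicitly, and if it stays it should carry `bh->b_blocknr` like its scan-phase counterpart so the two lines can be correlated in a trace.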
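The following is an added example, not code from the kernel or from this patch: a stand-alone model of the tag stream the commit message describes, with the pre-patch loop shape and the patched one side by side, run over constructed blocks that exercise each failure mode (a header cut off by the block end, a declared length larger than the block, a declared length smaller than the struct the scan copies out). Everything here is the example's own: the `FC_*` tag numbers and struct sizes are modelled on fs/ext4/fast_commit.h, a 64-byte block stands in for the journal block size, `end` is one past the block (the hunk uses `j_blocksize - 1` with a strict `<`, a bound one byte tighter), and the model assumes the scan's running checksum consumes all `len` declared bytes of every tag, which is what the `val + fc_len > end` test guards. Out-of-bounds accesses are counted rather than performed, so the unchecked loop can be run safely and compared.

```c
/* Added example, not kernel code: a model of the fast-commit tag stream the patch
 * hardens.  A block is a run of records, each a 4-byte little-endian header
 * (u16 tag, u16 len: EXT4_FC_TAG_BASE_LEN) followed by `len` value bytes. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FC_TAG_BASE_LEN  4
#define FC_TAG_ADD_RANGE 0x0001   /* tag numbers and sizes modelled on fs/ext4/fast_commit.h */
#define FC_TAG_PAD       0x0007
#define FC_TAG_TAIL      0x0008
#define FC_TAG_HEAD      0x0009
#define FC_ADD_RANGE_SZ  16       /* u32 ino + 12-byte on-disk extent */
#define FC_TAIL_SZ        8       /* u32 tid + u32 crc */
#define FC_HEAD_SZ        8       /* u32 features + u32 tid */
#define BSIZE            64       /* tiny stand-in for journal->j_blocksize */

enum scan_rc { SCAN_OK = 0, SCAN_REPLAY_STOP = 1, SCAN_ECANCELED = -1 };

/* Bounds-tracking view of a block: an access past the end is counted and yields
 * zeroes instead of touching the memory the real code would have read. */
struct fc_block { const uint8_t *data; size_t size; unsigned oob_reads; };

static bool fc_access(struct fc_block *b, size_t off, size_t n)
{
	if (n <= b->size && off <= b->size - n) return true;
	b->oob_reads++;
	return false;
}

static uint16_t fc_rd16(struct fc_block *b, size_t off)
{
	if (!fc_access(b, off, 2)) return 0;
	return (uint16_t)(b->data[off] | (b->data[off + 1] << 8));
}

/* Reads made for one record: ADD_RANGE/HEAD/TAIL are copied out as fixed-size
 * structs, and (assumed here) the running checksum covers all `len` declared bytes. */
static void fc_consume(struct fc_block *b, uint16_t tag, size_t val, uint16_t len)
{
	if (tag == FC_TAG_ADD_RANGE) fc_access(b, val, FC_ADD_RANGE_SZ);
	if (tag == FC_TAG_HEAD)      fc_access(b, val, FC_HEAD_SZ);
	if (tag == FC_TAG_TAIL)      fc_access(b, val, FC_TAIL_SZ);
	fc_access(b, val, len);
}

/* The patch's ext4_fc_tag_len_isvalid(): the value must fit in the block, and tags
 * copied out during the scan must declare at least (TAIL) or exactly (ADD_RANGE,
 * HEAD) the size that will be read; other tags' lengths are left to the CRC check. */
static bool fc_tag_len_isvalid(uint16_t tag, uint16_t len, size_t val, size_t end)
{
	if (len > end - val)    /* `val + len > end` without forming a pointer past the block */
		return false;
	switch (tag) {
	case FC_TAG_ADD_RANGE: return len == FC_ADD_RANGE_SZ;
	case FC_TAG_TAIL:      return len >= FC_TAIL_SZ;
	case FC_TAG_HEAD:      return len == FC_HEAD_SZ;
	default:               return true;
	}
}

/* The scan loop in both shapes; `end` is one past the block here. */
static enum scan_rc fc_scan(struct fc_block *b, bool hardened, unsigned *ntags)
{
	size_t end = b->size;
	*ntags = 0;
	/* pre-patch: `cur < end`; patched: a whole header must still fit */
	for (size_t cur = 0; hardened ? (cur + FC_TAG_BASE_LEN <= end) : (cur < end); ) {
		uint16_t tag = fc_rd16(b, cur), len = fc_rd16(b, cur + 2);
		size_t val = cur + FC_TAG_BASE_LEN;
		if (hardened && !fc_tag_len_isvalid(tag, len, val, end))
			return *ntags ? SCAN_REPLAY_STOP : SCAN_ECANCELED;   /* as in the hunk */
		fc_consume(b, tag, val, len);
		(*ntags)++;
		cur = val + len;
	}
	return SCAN_OK;
}

/* Constructed sample blocks (not from a real image) as (offset, tag, declared len)
 * headers; a header straddling the block end is written only as far as it fits. */
enum fc_sample { FC_WELL_FORMED, FC_TRUNC_HEADER, FC_LEN_TOO_BIG, FC_LEN_TOO_SMALL };
struct fc_rec { uint8_t off; uint16_t tag, len; };
static const struct fc_rec fc_samples[4][4] = {
	/* HEAD, ADD_RANGE, TAIL, then a PAD that fills the block exactly */
	{ {0, FC_TAG_HEAD, 8}, {12, FC_TAG_ADD_RANGE, 16}, {32, FC_TAG_TAIL, 8}, {44, FC_TAG_PAD, 16} },
	/* PAD ends at 62: the next header starts with only 2 bytes left in the block */
	{ {0, FC_TAG_HEAD, 8}, {12, FC_TAG_PAD, 46}, {62, FC_TAG_HEAD, 8} },
	/* ADD_RANGE claims 4096 value bytes inside a 64-byte block */
	{ {0, FC_TAG_HEAD, 8}, {12, FC_TAG_ADD_RANGE, 4096} },
	/* HEAD at the block end declares len 0, yet the scan copies 8 bytes out of it */
	{ {0, FC_TAG_HEAD, 8}, {12, FC_TAG_PAD, 44}, {60, FC_TAG_HEAD, 0} },
};

static void fc_sample_image(enum fc_sample which, uint8_t img[BSIZE])
{
	memset(img, 0, BSIZE);
	for (int i = 0; i < 4; i++) {
		const struct fc_rec *r = &fc_samples[which][i];
		uint8_t hdr[4] = { (uint8_t)r->tag, (uint8_t)(r->tag >> 8),
				   (uint8_t)r->len, (uint8_t)(r->len >> 8) };
		for (int k = 0; r->tag && k < 4 && r->off + k < BSIZE; k++)
			img[r->off + k] = hdr[k];
	}
}

struct fc_outcome { enum scan_rc rc; unsigned oob, ntags; };

static struct fc_outcome fc_run(enum fc_sample s, bool hardened)
{
	uint8_t img[BSIZE];
	struct fc_block b = { img, BSIZE, 0 };
	struct fc_outcome o;
	fc_sample_image(s, img);
	o.rc = fc_scan(&b, hardened, &o.ntags);
	o.oob = b.oob_reads;
	return o;
}

int main(void)
{
	for (int s = FC_WELL_FORMED; s <= FC_LEN_TOO_SMALL; s++)
		printf("sample %d: unchecked oob=%u rc=%d | hardened oob=%u rc=%d\n", s,
		       fc_run(s, false).oob, fc_run(s, false).rc, fc_run(s, true).oob, fc_run(s, true).rc);
	return 0;
}
```

On the well-formed block both loops walk four records with no out-of-range access. On each corrupt block the unchecked loop records at least one access past the 64-byte buffer (the real code would read adjacent kernel memory there), while the hardened loop either stops cleanly at the truncated header or rejects the bad record with SCAN_REPLAY_STOP, because a valid record preceded it; a bad first record would yield SCAN_ECANCELED, mirroring the hunk's `-ECANCELED`. In the kernel that counter is advanced only once a commit's TAIL has been validated; the model advances it per record, which is enough to show the two return paths.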