From: Amit Pundir
To: Greg KH
Cc: Stable, Jin Qian, Jin Qian, Jaegeuk Kim
Subject: [PATCH for-3.18] f2fs: sanity check checkpoint segno and blkoff
Date: Tue, 8 Aug 2017 16:48:38 +0530
Message-Id: <1502191120-32023-1-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
X-Mailing-List: stable@vger.kernel.org

From: Jin Qian

commit 15d3042a937c13f5d9244241c7a9c8416ff6e82a upstream.

Make sure segno and blkoff read from raw image are valid.

Cc: stable@vger.kernel.org
Signed-off-by: Jin Qian
[Jaegeuk Kim: adjust minor coding style]
Signed-off-by: Jaegeuk Kim
[AmitP: Found in Android Security bulletin for Aug'17, fixes CVE-2017-10663]
Signed-off-by: Amit Pundir
---
 fs/f2fs/super.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
--
2.7.4

diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index 341466bcf180..8d275fad465d 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -932,6 +932,8 @@ static int sanity_check_ckpt(struct f2fs_sb_info *sbi) unsigned int total, fsmeta; struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi); struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi); + unsigned int main_segs, blocks_per_seg; + int i; total = le32_to_cpu(raw_super->segment_count); fsmeta = le32_to_cpu(raw_super->segment_count_ckpt); 
@@ -943,6 +945,20 @@ static int sanity_check_ckpt(struct f2fs_sb_info *sbi) if (unlikely(fsmeta >= total)) return 1; + main_segs = le32_to_cpu(raw_super->segment_count_main); + blocks_per_seg = sbi->blocks_per_seg; + + for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) { + if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs || + le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg) + return 1; + } + for (i = 0; i < NR_CURSEG_DATA_TYPE; i++) { + if (le32_to_cpu(ckpt->cur_data_segno[i]) >= main_segs || + le16_to_cpu(ckpt->cur_data_blkoff[i]) >= blocks_per_seg) + return 1; + } + if (unlikely(f2fs_cp_error(sbi))) { f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck"); return 1;
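Review bot: In the second hunk, both new loops in sanity_check_ckpt() fail with a bare `return 1;`, so a checkpoint rejected for an out-of-range cur_node_segno, cur_node_blkoff, cur_data_segno or cur_data_blkoff leaves nothing in the log to say which field was bad. The f2fs_cp_error() branch directly below already reports through f2fs_msg(sbi->sb, KERN_ERR, ...); a similar message naming the index and the offending value before each return would make a rejected image diagnosable. Two smaller points: the new conditions are not wrapped in unlikely() as the neighbouring `if (unlikely(fsmeta >= total))` is, and main_segs is taken straight from raw_super->segment_count_main, which nothing in the visible context bounds against total, so the limit applied to every segno here is only as trustworthy as that on-disk field.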