diff mbox series

[4.9,014/212] f2fs: check if file namelen exceeds max value

Message ID	20200820091603.051946798@linuxfoundation.org
State	Superseded
Headers	show Return-Path: <SRS0=nT5k=B6=vger.kernel.org=stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Gong Chen <gongchen4@huawei.com>, Sheng Yong <shengyong1@huawei.com>, Chao Yu <yuchao0@huawei.com>, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org> Subject: [PATCH 4.9 014/212] f2fs: check if file namelen exceeds max value Date: Thu, 20 Aug 2020 11:19:47 +0200 Message-Id: <20200820091603.051946798@linuxfoundation.org> In-Reply-To: <20200820091602.251285210@linuxfoundation.org> References: <20200820091602.251285210@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk
Series	None \| expand [4.9,002/212] xfs: validate cached inodes are free when allocated [4.9,005/212] crypto: ccp - Release all allocated memory if sha type is invalid [4.9,006/212] media: rc: prevent memory leak in cx23888_ir_probe [4.9,008/212] ath9k: release allocated buffer if timed out [4.9,012/212] drm: hold gem reference until object is no longer accessed [4.9,014/212] f2fs: check if file namelen exceeds max value [4.9,015/212] 9p/trans_fd: abort p9_read_work if req status changed [4.9,017/212] x86/build/lto: Fix truncated .bss with -fdata-sections [4.9,019/212] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins. [4.9,020/212] rds: Prevent kernel-infoleak in rds_notify_queue_get() [4.9,023/212] install several missing uapi headers [4.9,025/212] net/x25: Fix null-ptr-deref in x25_disconnect [4.9,026/212] sh: Fix validation of system call number [4.9,027/212] net: lan78xx: add missing endpoint sanity check [4.9,031/212] mlxsw: core: Free EMAD transactions using kfree_rcu() [4.9,034/212] mac80211: mesh: Free pending skb when destroying a mpath [4.9,036/212] usb: hso: Fix debug compile warning on sparc32 [4.9,037/212] qed: Disable "MFW indication via attention" SPAM every 5 minutes [4.9,040/212] net: ethernet: ravb: exit if re-initialization fails in tx timeout [4.9,042/212] xen-netfront: fix potential deadlock in xennet_remove() [4.9,044/212] x86/i8259: Use printk_deferred() to prevent deadlock [4.9,045/212] random32: update the net random state on interrupt and activity [4.9,046/212] ARM: percpu.h: fix build error [4.9,048/212] random32: remove net_rand_state from the latent entropy gcc plugin [4.9,049/212] random32: move the pseudo-random 32-bit definitions to prandom.h [4.9,051/212] USB: serial: qcserial: add EM7305 QDL product ID [4.9,052/212] net/mlx5e: Dont support phys switch id if not in switchdev mode [4.9,054/212] Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt() [4.9,058/212] vgacon: Fix for missing check in scrollback handling [4.9,061/212] leds: da903x: fix use-after-free on unbind [4.9,062/212] leds: lm3533: fix use-after-free on unbind [4.9,063/212] leds: 88pm860x: fix use-after-free on unbind [4.9,065/212] drm/nouveau/fbcon: fix module unload when fbcon init has failed for some reason [4.9,068/212] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent [4.9,070/212] xattr: break delegations in {set,remove}xattr [4.9,071/212] binder: Prevent context manager from incrementing ref 0 [4.9,072/212] ipv4: Silence suspicious RCU usage warning [4.9,073/212] ipv6: fix memory leaks on IPV6_ADDRFORM path [4.9,075/212] net: lan78xx: replace bogus endpoint lookup [4.9,078/212] Smack: fix use-after-free in smk_write_relabel_self() [4.9,079/212] tracepoint: Mark __tracepoint_strings __used [4.9,080/212] gpio: fix oops resulting from calling of_get_named_gpio(NULL, ...) [4.9,081/212] cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone() [4.9,082/212] EDAC: Fix reference count leaks [4.9,086/212] m68k: mac: Fix IOP status/control register writes [4.9,087/212] platform/x86: intel-hid: Fix return value check in check_acpi_dev() [4.9,089/212] ARM: at91: pm: add missing put_device() call in at91_pm_sram_init() [4.9,092/212] Bluetooth: add a mutex lock to avoid UAF in do_enale_set [4.9,094/212] drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync [4.9,095/212] video: fbdev: neofb: fix memory leak in neo_scan_monitor() [4.9,099/212] mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls [4.9,100/212] brcmfmac: To fix Bss Info flag definition Bug [4.9,104/212] dyndbg: fix a BUG_ON in ddebug_describe_flags [4.9,109/212] console: newport_con: fix an issue about leak related system resources [4.9,112/212] leds: lm355x: avoid enum conversion warning [4.9,113/212] media: omap3isp: Add missed v4l2_ctrl_handler_free() for preview_init_entities() [4.9,115/212] drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline [4.9,116/212] cxl: Fix kobject memleak [4.9,118/212] scsi: powertec: Fix different dev_id between request_irq() and free_irq() [4.9,119/212] scsi: eesox: Fix different dev_id between request_irq() and free_irq() [4.9,120/212] media: firewire: Using uninitialized values in node_probe() [4.9,122/212] xfs: fix reflink quota reservation accounting error [4.9,123/212] PCI: Fix pci_cfg_wait queue locking problem [4.9,125/212] drm: panel: simple: Fix bpc for LG LB070WV8 panel [4.9,126/212] scsi: scsi_debug: Add check for sdebug_max_queue during module init [4.9,127/212] mwifiex: Prevent memory corruption handling keys [4.9,128/212] powerpc/vdso: Fix vdso cpu truncation [4.9,129/212] staging: rtl8192u: fix a dubious looking mask before a shift [4.9,130/212] PCI/ASPM: Add missing newline in sysfs policy [4.9,131/212] drm/imx: tve: fix regulator_disable error path [4.9,132/212] USB: serial: iuu_phoenix: fix led-activity helpers [4.9,133/212] usb: dwc2: Fix error path in gadget registration [4.9,134/212] scsi: mesh: Fix panic after host or bus reset [4.9,136/212] Smack: prevent underflow in smk_set_cipso() [4.9,137/212] power: supply: check if calc_soc succeeded in pm860x_init_battery [4.9,139/212] selftests/powerpc: Fix online CPU selection [4.9,141/212] wl1251: fix always return 0 error [4.9,144/212] fsl/fman: fix dereference null return value [4.9,145/212] fsl/fman: fix unreachable code [4.9,147/212] fsl/fman: fix eth hash table allocation [4.9,152/212] net: Set fput_needed iff FDPUT_FPUT is set [4.9,155/212] ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support [4.9,156/212] ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109 [4.9,158/212] crypto: qat - fix double free in qat_uclo_create_batch_init_list [4.9,161/212] fs/minix: dont allow getting deleted inodes [4.9,163/212] ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109 [4.9,165/212] parisc: mask out enable and reserved bits from sba imask [4.9,168/212] xen/balloon: make the balloon wait interruptible [4.9,171/212] btrfs: dont allocate anonymous block device for user invisible roots [4.9,173/212] btrfs: fix memory leaks after failure to lookup checksums during inode logging [4.9,176/212] powerpc: Fix circular dependency between percpu.h and mmu.h [4.9,178/212] net: stmmac: dwmac1000: provide multicast filter fallback [4.9,181/212] bcache: allocate meta data pages as compound pages [4.9,182/212] mac80211: fix misplaced while instead of if [4.9,186/212] ftrace: Setup correct FTRACE_FL_REGS flags for module [4.9,189/212] watchdog: f71808e_wdt: remove use of wrong watchdog_info option [4.9,190/212] watchdog: f71808e_wdt: clear watchdog timeout occurred flag [4.9,192/212] mfd: arizona: Ensure 32k clock is put on driver unbind and error [4.9,193/212] USB: serial: ftdi_sio: make process-packet buffer unsigned [4.9,195/212] USB: serial: ftdi_sio: fix break and sysrq handling [4.9,197/212] iommu/omap: Check for failure of a call to omap_iommu_dump_ctx [4.9,199/212] i2c: rcar: slave: only send STOP event when we have been addressed [4.9,203/212] drm/vmwgfx: Fix two list_for_each loop exit tests [4.9,204/212] net: qcom/emac: add missed clk_disable_unprepare in error path of emac_clks_phase1_... [4.9,208/212] ALSA: echoaudio: Fix potential Oops in snd_echo_resume() [4.9,210/212] khugepaged: retract_page_tables() remember to test exit [4.9,211/212] mm: Avoid calling build_all_zonelists_init under hotplug context [4.9,212/212] drm/radeon: fix fb_div check in ni_init_smc_spll_table()

Commit Message

Greg KH Aug. 20, 2020, 9:19 a.m. UTC

From: Sheng Yong <shengyong1@huawei.com>

[ Upstream commit 720db068634c91553a8e1d9a0fcd8c7050e06d2b ]

Dentry bitmap is not enough to detect incorrect dentries. So this patch
also checks the namelen value of a dentry.

Signed-off-by: Gong Chen <gongchen4@huawei.com>
Signed-off-by: Sheng Yong <shengyong1@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/f2fs/dir.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff mbox series

Patch

diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
index 79d138756acb5..9a11b48e55ca2 100644
--- a/fs/f2fs/dir.c
+++ b/fs/f2fs/dir.c
@@ -845,7 +845,8 @@  bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
 
 		/* check memory boundary before moving forward */
 		bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
-		if (unlikely(bit_pos > d->max)) {
+		if (unlikely(bit_pos > d->max ||
+				le16_to_cpu(de->name_len) > F2FS_NAME_LEN)) {
 			f2fs_msg(F2FS_I_SB(d->inode)->sb, KERN_WARNING,
 				"%s: corrupted namelen=%d, run fsck to fix.",
 				__func__, le16_to_cpu(de->name_len));