[PATCH] fs:exfat fix out of bound bug in __exfat_free_cluster

* [PATCH] fs:exfat fix out of bound bug in __exfat_free_cluster
@ 2021-08-26 14:26 tcs.kernel
  0 siblings, 0 replies; only message in thread
From: tcs.kernel @ 2021-08-26 14:26 UTC (permalink / raw)
  To: linkinjeon, sj1557.seo, linux-fsdevel, zhiqiangyan; +Cc: Haimin Zhang

From: Haimin Zhang <tcs_kernel@tencent.com>

There is an out of bounds bug in the exfat_clear_bitmap function
in fs/exfat/balloc.c. Because the index of vol_amap array isn't
verified. The function could be called by __exfat_free_cluster
function, and the p_chain->dir variable which could be controlled
by user can be large, that will eventually lead to out of bounds
read. So we should check the index before entering the function.

Signed-off-by: Haimin Zhang <tcs_kernel@tencent.com>
Signed-off-by: yanzhiqiang <zhiqiangyan@tencent.com>
---
 fs/exfat/fatent.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/exfat/fatent.c b/fs/exfat/fatent.c
index e949e56..5ce524d 100644
--- a/fs/exfat/fatent.c
+++ b/fs/exfat/fatent.c
@@ -157,6 +157,7 @@ static int __exfat_free_cluster(struct inode *inode, struct exfat_chain *p_chain
 	struct super_block *sb = inode->i_sb;
 	struct exfat_sb_info *sbi = EXFAT_SB(sb);
 	int cur_cmap_i, next_cmap_i;
+	int chain_i;
 	unsigned int num_clusters = 0;
 	unsigned int clu;
 
@@ -176,6 +177,13 @@ static int __exfat_free_cluster(struct inode *inode, struct exfat_chain *p_chain
 		return -EIO;
 	}
 
+	/* check size */
+	chain_i = BITMAP_OFFSET_SECTOR_INDEX(sb,
+		CLUSTER_TO_BITMAP_ENT(p_chain->size + p_chain->dir));
+	if (chain_i > sbi->map_sectors) {
+		exfat_err(sb, "invalid start size (%u)", p_chain->size);
+		return -EIO;
+	}
+
 	clu = p_chain->dir;
 
 	cur_cmap_i = next_cmap_i =
-- 
1.8.3.1


^ permalink raw reply related	[flat|nested] only message in thread