archive mirror
 help / color / mirror / Atom feed
From: Chao Yu <>
To: <>
Cc: <>,
	<>, <>,
	Chao Yu <>,
	butt3rflyh4ck <>
Subject: [PATCH] f2fs: fix to avoid out-of-bounds memory access
Date: Mon, 22 Mar 2021 19:47:30 +0800	[thread overview]
Message-ID: <> (raw)

butt3rflyh4ck <> reported a bug found by
syzkaller fuzzer with custom modifications in 5.12.0-rc3+ [1]:

 dump_stack+0xfa/0x151 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x82/0x32c mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
 f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline]
 current_nat_addr fs/f2fs/node.h:213 [inline]
 get_next_nat_page fs/f2fs/node.c:123 [inline]
 __flush_nat_entry_set fs/f2fs/node.c:2888 [inline]
 f2fs_flush_nat_entries+0x258e/0x2960 fs/f2fs/node.c:2991
 f2fs_write_checkpoint+0x1372/0x6a70 fs/f2fs/checkpoint.c:1640
 f2fs_issue_checkpoint+0x149/0x410 fs/f2fs/checkpoint.c:1807
 f2fs_sync_fs+0x20f/0x420 fs/f2fs/super.c:1454
 __sync_filesystem fs/sync.c:39 [inline]
 sync_filesystem fs/sync.c:67 [inline]
 sync_filesystem+0x1b5/0x260 fs/sync.c:48
 generic_shutdown_super+0x70/0x370 fs/super.c:448
 kill_block_super+0x97/0xf0 fs/super.c:1394

The root cause is, if nat entry in checkpoint journal area is corrupted,
e.g. nid of journalled nat entry exceeds max nid value, during checkpoint,
once it tries to flush nat journal to NAT area, get_next_nat_page() may
access out-of-bounds memory on nat_bitmap due to it uses wrong nid value
as bitmap offset.


Reported-by: butt3rflyh4ck <>
Signed-off-by: Chao Yu <>
 fs/f2fs/node.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
index caf43970510e..8311b2367c7c 100644
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -2790,6 +2790,9 @@ static void remove_nats_in_journal(struct f2fs_sb_info *sbi)
 		struct f2fs_nat_entry raw_ne;
 		nid_t nid = le32_to_cpu(nid_in_journal(journal, i));
+		if (f2fs_check_nid_range(sbi, nid))
+			continue;
 		raw_ne = nat_in_journal(journal, i);
 		ne = __lookup_nat_cache(nm_i, nid);

             reply	other threads:[~2021-03-22 11:48 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-22 11:47 Chao Yu [this message]
2021-03-23  5:48 ` [PATCH] f2fs: fix to avoid out-of-bounds memory access butt3rflyh4ck
2021-03-23  6:43   ` Chao Yu
2021-04-20 17:43     ` [f2fs-dev] " Salvatore Bonaccorso
2021-04-20 18:27       ` Jaegeuk Kim
2021-04-20 18:34         ` butt3rflyh4ck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).