linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] f2fs: check memory boundary by insane namelen
@ 2018-11-15  7:50 Jaegeuk Kim
  2018-11-17  2:27 ` [f2fs-dev] " Chao Yu
  2018-11-23 12:11 ` Sheng Yong
  0 siblings, 2 replies; 5+ messages in thread
From: Jaegeuk Kim @ 2018-11-15  7:50 UTC (permalink / raw)
  To: linux-kernel, linux-f2fs-devel; +Cc: Jaegeuk Kim

If namelen is corrupted to have very long value, fill_dentries can copy
wrong memory area.

Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---
 fs/f2fs/dir.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
index bacc667950b6..c0c845da12fa 100644
--- a/fs/f2fs/dir.c
+++ b/fs/f2fs/dir.c
@@ -808,6 +808,17 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
 		de_name.name = d->filename[bit_pos];
 		de_name.len = le16_to_cpu(de->name_len);
 
+		/* check memory boundary before moving forward */
+		bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
+		if (unlikely(bit_pos > d->max)) {
+			f2fs_msg(sbi->sb, KERN_WARNING,
+				"%s: corrupted namelen=%d, run fsck to fix.",
+				__func__, le16_to_cpu(de->name_len));
+			set_sbi_flag(sbi, SBI_NEED_FSCK);
+			err = -EINVAL;
+			goto out;
+		}
+
 		if (f2fs_encrypted_inode(d->inode)) {
 			int save_len = fstr->len;
 
@@ -830,7 +841,6 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
 		if (readdir_ra)
 			f2fs_ra_node_page(sbi, le32_to_cpu(de->ino));
 
-		bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
 		ctx->pos = start_pos + bit_pos;
 	}
 out:
-- 
2.19.0.605.g01d371f741-goog


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [f2fs-dev] [PATCH] f2fs: check memory boundary by insane namelen
  2018-11-15  7:50 [PATCH] f2fs: check memory boundary by insane namelen Jaegeuk Kim
@ 2018-11-17  2:27 ` Chao Yu
  2018-11-23 12:11 ` Sheng Yong
  1 sibling, 0 replies; 5+ messages in thread
From: Chao Yu @ 2018-11-17  2:27 UTC (permalink / raw)
  To: Jaegeuk Kim, linux-kernel, linux-f2fs-devel

On 2018-11-15 15:50, Jaegeuk Kim wrote:
> If namelen is corrupted to have very long value, fill_dentries can copy
> wrong memory area.
> 
> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

Reviewed-by: Chao Yu <yuchao0@huawei.com>

Thanks,

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [f2fs-dev] [PATCH] f2fs: check memory boundary by insane namelen
  2018-11-15  7:50 [PATCH] f2fs: check memory boundary by insane namelen Jaegeuk Kim
  2018-11-17  2:27 ` [f2fs-dev] " Chao Yu
@ 2018-11-23 12:11 ` Sheng Yong
  2018-11-24  9:59   ` Chao Yu
  2018-11-26 23:25   ` Jaegeuk Kim
  1 sibling, 2 replies; 5+ messages in thread
From: Sheng Yong @ 2018-11-23 12:11 UTC (permalink / raw)
  To: Jaegeuk Kim, linux-kernel, linux-f2fs-devel; +Cc: gongchen (E)

Hi, Jaegeuk and Chao,

On 2018/11/15 15:50, Jaegeuk Kim wrote:
> If namelen is corrupted to have very long value, fill_dentries can copy
> wrong memory area.
> 
Is there any scenario that could hit this corruption? Or this is triggered
by fuzzing injection?

thanks,
Sheng Yong

> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> ---
>   fs/f2fs/dir.c | 12 +++++++++++-
>   1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
> index bacc667950b6..c0c845da12fa 100644
> --- a/fs/f2fs/dir.c
> +++ b/fs/f2fs/dir.c
> @@ -808,6 +808,17 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
>   		de_name.name = d->filename[bit_pos];
>   		de_name.len = le16_to_cpu(de->name_len);
>   
> +		/* check memory boundary before moving forward */
> +		bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
> +		if (unlikely(bit_pos > d->max)) {
> +			f2fs_msg(sbi->sb, KERN_WARNING,
> +				"%s: corrupted namelen=%d, run fsck to fix.",
> +				__func__, le16_to_cpu(de->name_len));
> +			set_sbi_flag(sbi, SBI_NEED_FSCK);
> +			err = -EINVAL;
> +			goto out;
> +		}
> +
>   		if (f2fs_encrypted_inode(d->inode)) {
>   			int save_len = fstr->len;
>   
> @@ -830,7 +841,6 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
>   		if (readdir_ra)
>   			f2fs_ra_node_page(sbi, le32_to_cpu(de->ino));
>   
> -		bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
>   		ctx->pos = start_pos + bit_pos;
>   	}
>   out:
> 


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [f2fs-dev] [PATCH] f2fs: check memory boundary by insane namelen
  2018-11-23 12:11 ` Sheng Yong
@ 2018-11-24  9:59   ` Chao Yu
  2018-11-26 23:25   ` Jaegeuk Kim
  1 sibling, 0 replies; 5+ messages in thread
From: Chao Yu @ 2018-11-24  9:59 UTC (permalink / raw)
  To: Sheng Yong, Jaegeuk Kim, linux-kernel, linux-f2fs-devel

Hi Sheng,

On 2018/11/23 20:11, Sheng Yong wrote:
> Hi, Jaegeuk and Chao,
> 
> On 2018/11/15 15:50, Jaegeuk Kim wrote:
>> If namelen is corrupted to have very long value, fill_dentries can copy
>> wrong memory area.
>>
> Is there any scenario that could hit this corruption? Or this is triggered

I didn't see such issue in my test, I guess it may be caused by fuzzing test.

Thanks,

> by fuzzing injection?
> 
> thanks,
> Sheng Yong
> 
>> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
>> ---
>>   fs/f2fs/dir.c | 12 +++++++++++-
>>   1 file changed, 11 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
>> index bacc667950b6..c0c845da12fa 100644
>> --- a/fs/f2fs/dir.c
>> +++ b/fs/f2fs/dir.c
>> @@ -808,6 +808,17 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
>>   		de_name.name = d->filename[bit_pos];
>>   		de_name.len = le16_to_cpu(de->name_len);
>>   
>> +		/* check memory boundary before moving forward */
>> +		bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
>> +		if (unlikely(bit_pos > d->max)) {
>> +			f2fs_msg(sbi->sb, KERN_WARNING,
>> +				"%s: corrupted namelen=%d, run fsck to fix.",
>> +				__func__, le16_to_cpu(de->name_len));
>> +			set_sbi_flag(sbi, SBI_NEED_FSCK);
>> +			err = -EINVAL;
>> +			goto out;
>> +		}
>> +
>>   		if (f2fs_encrypted_inode(d->inode)) {
>>   			int save_len = fstr->len;
>>   
>> @@ -830,7 +841,6 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
>>   		if (readdir_ra)
>>   			f2fs_ra_node_page(sbi, le32_to_cpu(de->ino));
>>   
>> -		bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
>>   		ctx->pos = start_pos + bit_pos;
>>   	}
>>   out:
>>
> 
> 
> 
> _______________________________________________
> Linux-f2fs-devel mailing list
> Linux-f2fs-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
> 
> 


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [f2fs-dev] [PATCH] f2fs: check memory boundary by insane namelen
  2018-11-23 12:11 ` Sheng Yong
  2018-11-24  9:59   ` Chao Yu
@ 2018-11-26 23:25   ` Jaegeuk Kim
  1 sibling, 0 replies; 5+ messages in thread
From: Jaegeuk Kim @ 2018-11-26 23:25 UTC (permalink / raw)
  To: Sheng Yong; +Cc: linux-kernel, linux-f2fs-devel, gongchen (E)

On 11/23, Sheng Yong wrote:
> Hi, Jaegeuk and Chao,
> 
> On 2018/11/15 15:50, Jaegeuk Kim wrote:
> > If namelen is corrupted to have very long value, fill_dentries can copy
> > wrong memory area.
> > 
> Is there any scenario that could hit this corruption? Or this is triggered
> by fuzzing injection?

Hi Sheng,

It's from a fuzzing test.

Thanks,

> 
> thanks,
> Sheng Yong
> 
> > Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> > ---
> >   fs/f2fs/dir.c | 12 +++++++++++-
> >   1 file changed, 11 insertions(+), 1 deletion(-)
> > 
> > diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
> > index bacc667950b6..c0c845da12fa 100644
> > --- a/fs/f2fs/dir.c
> > +++ b/fs/f2fs/dir.c
> > @@ -808,6 +808,17 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
> >   		de_name.name = d->filename[bit_pos];
> >   		de_name.len = le16_to_cpu(de->name_len);
> > +		/* check memory boundary before moving forward */
> > +		bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
> > +		if (unlikely(bit_pos > d->max)) {
> > +			f2fs_msg(sbi->sb, KERN_WARNING,
> > +				"%s: corrupted namelen=%d, run fsck to fix.",
> > +				__func__, le16_to_cpu(de->name_len));
> > +			set_sbi_flag(sbi, SBI_NEED_FSCK);
> > +			err = -EINVAL;
> > +			goto out;
> > +		}
> > +
> >   		if (f2fs_encrypted_inode(d->inode)) {
> >   			int save_len = fstr->len;
> > @@ -830,7 +841,6 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
> >   		if (readdir_ra)
> >   			f2fs_ra_node_page(sbi, le32_to_cpu(de->ino));
> > -		bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
> >   		ctx->pos = start_pos + bit_pos;
> >   	}
> >   out:
> > 

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-11-26 23:25 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-15  7:50 [PATCH] f2fs: check memory boundary by insane namelen Jaegeuk Kim
2018-11-17  2:27 ` [f2fs-dev] " Chao Yu
2018-11-23 12:11 ` Sheng Yong
2018-11-24  9:59   ` Chao Yu
2018-11-26 23:25   ` Jaegeuk Kim

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).