linux/fs/f2fs
Chao Yu f41ee8b91c f2fs: fix to do sanity check on curseg->alloc_type
As Wenqing Liu reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=215657

- Overview
UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 when mounting and operating on a corrupted image

- Reproduce
tested on kernel 5.17-rc4, 5.17-rc6

1. mkdir test_crash
2. cd test_crash
3. unzip tmp2.zip
4. mkdir mnt
5. ./single_test.sh f2fs 2

- Kernel dump
[   46.434454] loop0: detected capacity change from 0 to 131072
[   46.529839] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d9
[   46.738319] ================================================================================
[   46.738412] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2
[   46.738475] index 231 is out of range for type 'unsigned int [2]'
[   46.738539] CPU: 2 PID: 939 Comm: umount Not tainted 5.17.0-rc6 #1
[   46.738547] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   46.738551] Call Trace:
[   46.738556]  <TASK>
[   46.738563]  dump_stack_lvl+0x47/0x5c
[   46.738581]  ubsan_epilogue+0x5/0x50
[   46.738592]  __ubsan_handle_out_of_bounds+0x68/0x80
[   46.738604]  f2fs_allocate_data_block+0xdff/0xe60 [f2fs]
[   46.738819]  do_write_page+0xef/0x210 [f2fs]
[   46.738934]  f2fs_do_write_node_page+0x3f/0x80 [f2fs]
[   46.739038]  __write_node_page+0x2b7/0x920 [f2fs]
[   46.739162]  f2fs_sync_node_pages+0x943/0xb00 [f2fs]
[   46.739293]  f2fs_write_checkpoint+0x7bb/0x1030 [f2fs]
[   46.739405]  kill_f2fs_super+0x125/0x150 [f2fs]
[   46.739507]  deactivate_locked_super+0x60/0xc0
[   46.739517]  deactivate_super+0x70/0xb0
[   46.739524]  cleanup_mnt+0x11a/0x200
[   46.739532]  __cleanup_mnt+0x16/0x20
[   46.739538]  task_work_run+0x67/0xa0
[   46.739547]  exit_to_user_mode_prepare+0x18c/0x1a0
[   46.739559]  syscall_exit_to_user_mode+0x26/0x40
[   46.739568]  do_syscall_64+0x46/0xb0
[   46.739584]  entry_SYSCALL_64_after_hwframe+0x44/0xae

The root cause is that we missed doing a sanity check on curseg->alloc_type,
resulting in out-of-bounds access on the sbi->block_count[] array; fix it.

Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
2022-03-03 18:19:41 -08:00
acl.c f2fs: support idmapped mounts 2022-02-12 06:20:46 -08:00
acl.h vfs: add rcu argument to ->get_acl() callback 2021-08-18 22:08:24 +02:00
checkpoint.c f2fs: add a way to limit roll forward recovery time 2022-02-12 05:58:18 -08:00
compress.c f2fs: move f2fs to use reader-unfair rwsems 2022-01-24 17:40:04 -08:00
data.c f2fs: fix to avoid potential deadlock 2022-03-03 13:30:48 -08:00
debug.c f2fs: add a way to limit roll forward recovery time 2022-02-12 05:58:18 -08:00
dir.c f2fs: move f2fs to use reader-unfair rwsems 2022-01-24 17:40:04 -08:00
extent_cache.c f2fs: support fault injection for f2fs_kmem_cache_alloc() 2021-08-17 11:59:05 -07:00
f2fs.h f2fs: Restore rwsem lockdep support 2022-02-25 11:11:31 -08:00
file.c f2fs: support idmapped mounts 2022-02-12 06:20:46 -08:00
gc.c f2fs: fix to unlock page correctly in error path of is_alive() 2022-02-03 22:21:28 -08:00
gc.h f2fs: introduce gc_merge mount option 2021-03-30 18:48:56 -07:00
hash.c f2fs: Handle casefolding with Encryption 2020-12-02 22:00:21 -08:00
inline.c f2fs: move f2fs to use reader-unfair rwsems 2022-01-24 17:40:04 -08:00
inode.c f2fs: fix missing free nid in f2fs_handle_failed_inode 2022-02-25 11:11:20 -08:00
iostat.c f2fs: use iomap for direct I/O 2021-12-10 15:48:30 -08:00
iostat.h f2fs: introduce periodic iostat io latency traces 2021-08-23 10:25:51 -07:00
Kconfig f2fs: implement iomap operations 2021-12-04 10:53:35 -08:00
Makefile f2fs: separate out iostat feature 2021-08-23 10:25:51 -07:00
namei.c f2fs: support idmapped mounts 2022-02-12 06:20:46 -08:00
node.c f2fs: fix to avoid potential deadlock 2022-03-03 13:30:48 -08:00
node.h f2fs: add a way to limit roll forward recovery time 2022-02-12 05:58:18 -08:00
recovery.c f2fs: add a way to limit roll forward recovery time 2022-02-12 05:58:18 -08:00
segment.c f2fs: fix to do sanity check on curseg->alloc_type 2022-03-03 18:19:41 -08:00
segment.h f2fs: introduce F2FS_IPU_HONOR_OPU_WRITE ipu policy 2022-02-07 11:28:35 -08:00
shrinker.c f2fs: avoid race condition for shrinker count 2020-12-03 00:59:26 -08:00
super.c f2fs: quota: fix loop condition at f2fs_quota_sync() 2022-02-25 11:11:31 -08:00
sysfs.c f2fs: add a way to limit roll forward recovery time 2022-02-12 05:58:18 -08:00
verity.c f2fs: move f2fs to use reader-unfair rwsems 2022-01-24 17:40:04 -08:00
xattr.c f2fs: move f2fs to use reader-unfair rwsems 2022-01-24 17:40:04 -08:00
xattr.h f2fs: code cleanup by removing ifdef macro surrounding 2020-05-26 18:56:10 -07:00