From: tcs.kernel@gmail.com
To: linkinjeon@kernel.org, sj1557.seo@samsung.com,
	linux-fsdevel@vger.kernel.org, zhiqiangyan@tencent.com
Cc: Haimin Zhang <tcs_kernel@tencent.com>
Subject: [PATCH] fs:exfat fix out of bound bug in __exfat_free_cluster
Date: Thu, 26 Aug 2021 22:26:19 +0800
Message-ID: <1629987979-6301-1-git-send-email-tcs_kernel@tencent.com>

From: Haimin Zhang <tcs_kernel@tencent.com>

There is an out-of-bounds bug in the exfat_clear_bitmap function
in fs/exfat/balloc.c, because the index into the vol_amap array isn't
verified. The function can be called by the __exfat_free_cluster
function, and the p_chain->dir variable, which can be controlled
by the user, can be large, which will eventually lead to an out-of-bounds
read. So we should check the index before entering the function.

Signed-off-by: Haimin Zhang <tcs_kernel@tencent.com>
Signed-off-by: yanzhiqiang <zhiqiangyan@tencent.com>
---
 fs/exfat/fatent.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/exfat/fatent.c b/fs/exfat/fatent.c
index e949e56..5ce524d 100644
--- a/fs/exfat/fatent.c
+++ b/fs/exfat/fatent.c
@@ -157,6 +157,7 @@ static int __exfat_free_cluster(struct inode *inode, struct exfat_chain *p_chain
 	struct super_block *sb = inode->i_sb;
 	struct exfat_sb_info *sbi = EXFAT_SB(sb);
 	int cur_cmap_i, next_cmap_i;
+	int chain_i;
 	unsigned int num_clusters = 0;
 	unsigned int clu;
 
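Review bot: `int chain_i;` holds a bitmap sector index, which is never negative and which the next hunk compares against sbi->map_sectors; that field is an unsigned int, so the comparison is mixed-sign and -Wsign-compare would flag it. Declare it as `unsigned int chain_i;`, matching the `unsigned int clu;` declared right below it.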
@@ -176,6 +177,13 @@ static int __exfat_free_cluster(struct inode *inode, struct exfat_chain *p_chain
 		return -EIO;
 	}
 
+	/* check size */
+	chain_i = BITMAP_OFFSET_SECTOR_INDEX(sb,
+		CLUSTER_TO_BITMAP_ENT(p_chain->size + p_chain->dir));
+	if (chain_i > sbi->map_sectors) {
+		exfat_err(sb, "invalid start size (%u)", p_chain->size);
+		return -EIO;
+	}
+
 	clu = p_chain->dir;
 
 	cur_cmap_i = next_cmap_i =
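Review bot: the bound check is off by one and checks the wrong cluster: a bitmap of map_sectors sectors has valid indices 0..map_sectors-1, so `chain_i > sbi->map_sectors` still lets `chain_i == sbi->map_sectors` through, and `p_chain->size + p_chain->dir` is one past the last cluster of the chain, which would falsely reject a chain that ends in the final bitmap sector once `>=` is used. Compute the index from the last cluster, `p_chain->dir + p_chain->size - 1`, and reject with `>=`. Both fields are unsigned int, so the sum can also wrap around to a small value and pass the check when either one is huge; compare p_chain->dir and p_chain->size against sbi->num_clusters individually before combining them. The error message reads "invalid start size" but prints only p_chain->size while the rejected quantity depends on p_chain->dir as well; print both, e.g. `exfat_err(sb, "invalid cluster chain (dir %u size %u)", p_chain->dir, p_chain->size);`.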
-- 
1.8.3.1
