public inbox for stable@vger.kernel.org
From: Eric Biggers <ebiggers@kernel.org>
To: stable@vger.kernel.org
Cc: linux-ext4@vger.kernel.org, stable@kernel.org,
	Ye Bin <yebin10@huawei.com>, Theodore Ts'o <tytso@mit.edu>
Subject: [PATCH 5.15 05/10] ext4: fix potential out of bound read in ext4_fc_replay_scan()
Date: Wed,  4 Jan 2023 23:13:54 -0800
Message-ID: <20230105071359.257952-6-ebiggers@kernel.org>
In-Reply-To: <20230105071359.257952-1-ebiggers@kernel.org>

From: Ye Bin <yebin10@huawei.com>

commit 1b45cc5c7b920fd8bf72e5a888ec7abeadf41e09 upstream.

The scan loop must ensure that at least EXT4_FC_TAG_BASE_LEN of space remains. If the
remaining space is less than EXT4_FC_TAG_BASE_LEN, this will lead to an out-of-bound
read when mounting a corrupt file system image.
ADD_RANGE/HEAD/TAIL need an extra check during the journal scan, as these three tags
read data during the scan, and the tag length cannot be less than the length of the data
that will be read.

Cc: stable@kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Link: https://lore.kernel.org/r/20220924075233.2315259-4-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/ext4/fast_commit.c | 38 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c
index fdce08c68cd43..be59f8790ce41 100644
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -1907,6 +1907,34 @@ void ext4_fc_replay_cleanup(struct super_block *sb)
 	kfree(sbi->s_fc_replay_state.fc_modified_inodes);
 }
 
+static inline bool ext4_fc_tag_len_isvalid(struct ext4_fc_tl *tl,
+					   u8 *val, u8 *end)
+{
+	if (val + tl->fc_len > end)
+		return false;
+
+	/* Here only check ADD_RANGE/TAIL/HEAD which will read data when do
+	 * journal rescan before do CRC check. Other tags length check will
+	 * rely on CRC check.
+	 */
+	switch (tl->fc_tag) {
+	case EXT4_FC_TAG_ADD_RANGE:
+		return (sizeof(struct ext4_fc_add_range) == tl->fc_len);
+	case EXT4_FC_TAG_TAIL:
+		return (sizeof(struct ext4_fc_tail) <= tl->fc_len);
+	case EXT4_FC_TAG_HEAD:
+		return (sizeof(struct ext4_fc_head) == tl->fc_len);
+	case EXT4_FC_TAG_DEL_RANGE:
+	case EXT4_FC_TAG_LINK:
+	case EXT4_FC_TAG_UNLINK:
+	case EXT4_FC_TAG_CREAT:
+	case EXT4_FC_TAG_INODE:
+	case EXT4_FC_TAG_PAD:
+	default:
+		return true;
+	}
+}
+
 /*
  * Recovery Scan phase handler
  *
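Review bot: ext4_fc_tag_len_isvalid() mixes an exact-size check for ADD_RANGE and HEAD (`sizeof(struct ext4_fc_add_range) == tl->fc_len`) with a minimum-size check for TAIL (`sizeof(struct ext4_fc_tail) <= tl->fc_len`), and nothing in the hunk says why TAIL may carry trailing bytes; a one-line comment on the TAIL case would stop a later reader from "fixing" it to `==`. The explicit DEL_RANGE/LINK/UNLINK/CREAT/INODE/PAD labels all land in `default: return true;`, so they add no behaviour; either drop them or replace them with a comment stating that those tags are only read after the CRC check, as the comment above the switch already implies. The first test computes `val + tl->fc_len` before comparing it with `end`; `tl->fc_len > end - val` expresses the same bound without forming a pointer past the block. Minor style: the block comment opens with text on the `/*` line, which is not the usual fs/ convention.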
@@ -1963,10 +1991,15 @@ static int ext4_fc_replay_scan(journal_t *journal,
 	}
 
 	state->fc_replay_expected_off++;
-	for (cur = start; cur < end;
+	for (cur = start; cur < end - EXT4_FC_TAG_BASE_LEN;
 	     cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) {
 		ext4_fc_get_tl(&tl, cur);
 		val = cur + EXT4_FC_TAG_BASE_LEN;
+		if (!ext4_fc_tag_len_isvalid(&tl, val, end)) {
+			ret = state->fc_replay_num_tags ?
+				JBD2_FC_REPLAY_STOP : -ECANCELED;
+			goto out_err;
+		}
 		ext4_debug("Scan phase, tag:%s, blk %lld\n",
 			   tag2str(tl.fc_tag), bh->b_blocknr);
 		switch (tl.fc_tag) {
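Review bot: the ordering here is the important part and it is right: ext4_fc_tag_len_isvalid() runs before `tl.fc_len` feeds the loop increment `cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len`, so a corrupt length can no longer advance `cur` past `end` before the next ext4_fc_get_tl(). The error path, though, returns JBD2_FC_REPLAY_STOP when tags have already been counted and -ECANCELED otherwise, with no comment on why a truncated tag means "end of valid fast-commit data" in one case and a fatal scan error in the other; add a comment or an ext4_debug() on that branch so the asymmetry is documented rather than inferred.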
@@ -2077,7 +2110,7 @@ static int ext4_fc_replay(journal_t *journal, struct buffer_head *bh,
 	start = (u8 *)bh->b_data;
 	end = (__u8 *)bh->b_data + journal->j_blocksize - 1;
 
-	for (cur = start; cur < end;
+	for (cur = start; cur < end - EXT4_FC_TAG_BASE_LEN;
 	     cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) {
 		ext4_fc_get_tl(&tl, cur);
 		val = cur + EXT4_FC_TAG_BASE_LEN;
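Review bot: the context line `end = (__u8 *)bh->b_data + journal->j_blocksize - 1;` makes `end` the last byte of the block rather than one past it, so `cur < end - EXT4_FC_TAG_BASE_LEN` stops one byte early: a tag header that begins exactly EXT4_FC_TAG_BASE_LEN bytes before the block end is never examined, and the `val + tl->fc_len > end` test in ext4_fc_tag_len_isvalid() rejects a payload that ends exactly on the last byte. Both err on the safe side, which is acceptable for a bounds fix, but the `- 1` should be settled in one place (define `end` as one-past-the-end) rather than compensated for in two loops. Also, unlike the scan loop, this replay loop gets no ext4_fc_tag_len_isvalid() call; if that is intentional because the block already passed the scan phase and CRC check, say so in a comment so the omission is not mistaken for an oversight.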
@@ -2087,6 +2120,7 @@ static int ext4_fc_replay(journal_t *journal, struct buffer_head *bh,
 			ext4_fc_set_bitmaps_and_counters(sb);
 			break;
 		}
+
 		ext4_debug("Replay phase, tag:%s\n", tag2str(tl.fc_tag));
 		state->fc_replay_num_tags--;
 		switch (tl.fc_tag) {
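Review bot: the only change in this hunk is an inserted blank line before the ext4_debug() call, which is unrelated to the out-of-bound read fix; for a stable backport either keep it solely because it matches the upstream commit verbatim, or drop it so the patch stays minimal and the diffstat reflects the fix alone.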
-- 
2.39.0



Thread overview: 14+ messages
2023-01-05  7:13 [PATCH 5.15 00/10] ext4 fast-commit fixes for 5.15-stable Eric Biggers
2023-01-05  7:13 ` [PATCH 5.15 01/10] ext4: remove unused enum EXT4_FC_COMMIT_FAILED Eric Biggers
2023-01-05  7:13 ` [PATCH 5.15 02/10] ext4: use ext4_debug() instead of jbd_debug() Eric Biggers
2023-01-05  7:13 ` [PATCH 5.15 03/10] ext4: introduce EXT4_FC_TAG_BASE_LEN helper Eric Biggers
2023-01-05  7:13 ` [PATCH 5.15 04/10] ext4: factor out ext4_fc_get_tl() Eric Biggers
2023-01-05  7:13 ` Eric Biggers [this message]
2023-01-05  7:13 ` [PATCH 5.15 06/10] ext4: disable fast-commit of encrypted dir operations Eric Biggers
2023-01-05  7:13 ` [PATCH 5.15 07/10] ext4: don't set up encryption key during jbd2 transaction Eric Biggers
2023-01-05  7:13 ` [PATCH 5.15 08/10] ext4: add missing validation of fast-commit record lengths Eric Biggers
2023-01-05  7:13 ` [PATCH 5.15 09/10] ext4: fix unaligned memory access in ext4_fc_reserve_space() Eric Biggers
2023-01-05  7:13 ` [PATCH 5.15 10/10] ext4: fix off-by-one errors in fast-commit block filling Eric Biggers
2023-01-05 12:01 ` [PATCH 5.15 00/10] ext4 fast-commit fixes for 5.15-stable Greg KH
2023-01-17 22:29   ` Eric Biggers
2023-01-18  6:15     ` Greg KH
