]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
projects / thirdparty / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9f16d5e)
exfat: fix out-of-bounds access of directory entries
authorYuezhang Mo <Yuezhang.Mo@sony.com>
Mon, 28 Oct 2024 03:23:36 +0000 (11:23 +0800)
committerNamjae Jeon <linkinjeon@kernel.org>
Mon, 25 Nov 2024 08:08:20 +0000 (17:08 +0900)
In the case of the directory size is greater than or equal to
the cluster size, if start_clu becomes an EOF cluster(an invalid
cluster) due to file system corruption, then the directory entry
where ei->hint_femp.eidx hint is outside the directory, resulting
in an out-of-bounds access, which may cause further file system
corruption.

This commit adds a check for start_clu, if it is an invalid cluster,
the file or directory will be treated as empty.

Cc: stable@vger.kernel.org
Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
Co-developed-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
fs/exfat/namei.c patch | blob | blame | history

diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c
index 2c4c442293529bf856f1b02daca0247ee633ecfe..98f67e632ad1681bef53bc8407cdedbc691a8c3a 100644 (file)
--- a/fs/exfat/namei.c
+++ b/fs/exfat/namei.c
@@ -637,14 +637,26 @@ static int exfat_find(struct inode *dir, struct qstr *qname,
        info->size = le64_to_cpu(ep2->dentry.stream.valid_size);
        info->valid_size = le64_to_cpu(ep2->dentry.stream.valid_size);
        info->size = le64_to_cpu(ep2->dentry.stream.size);
+
+       info->start_clu = le32_to_cpu(ep2->dentry.stream.start_clu);
+       if (!is_valid_cluster(sbi, info->start_clu) && info->size) {
+               exfat_warn(sb, "start_clu is invalid cluster(0x%x)",
+                               info->start_clu);
+               info->size = 0;
+               info->valid_size = 0;
+       }
+
+       if (info->valid_size > info->size) {
+               exfat_warn(sb, "valid_size(%lld) is greater than size(%lld)",
+                               info->valid_size, info->size);
+               info->valid_size = info->size;
+       }
+
        if (info->size == 0) {
                info->flags = ALLOC_NO_FAT_CHAIN;
                info->start_clu = EXFAT_EOF_CLUSTER;
-       } else {
+       } else
                info->flags = ep2->dentry.stream.flags;
-               info->start_clu =
-                       le32_to_cpu(ep2->dentry.stream.start_clu);
-       }
 
        exfat_get_entry_time(sbi, &info->crtime,
                             ep->dentry.file.create_tz,
A mirror of Linus' kernel repository