Fixes for 4.14
authorSasha Levin <sashal@kernel.org>
Sat, 1 Aug 2020 14:19:36 +0000 (10:19 -0400)
committerSasha Levin <sashal@kernel.org>
Sat, 1 Aug 2020 14:19:36 +0000 (10:19 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.14/f2fs-check-if-file-namelen-exceeds-max-value.patch [new file with mode: 0644]
queue-4.14/f2fs-check-memory-boundary-by-insane-namelen.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/f2fs-check-if-file-namelen-exceeds-max-value.patch b/queue-4.14/f2fs-check-if-file-namelen-exceeds-max-value.patch
new file mode 100644 (file)
index 0000000..fc1fdee
--- /dev/null
@@ -0,0 +1,38 @@
+From aeb30c3025956c3579c3abf9397c4ce0f30faf8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jan 2019 15:02:34 +0800
+Subject: f2fs: check if file namelen exceeds max value
+
+From: Sheng Yong <shengyong1@huawei.com>
+
+[ Upstream commit 720db068634c91553a8e1d9a0fcd8c7050e06d2b ]
+
+Dentry bitmap is not enough to detect incorrect dentries. So this patch
+also checks the namelen value of a dentry.
+
+Signed-off-by: Gong Chen <gongchen4@huawei.com>
+Signed-off-by: Sheng Yong <shengyong1@huawei.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/dir.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
+index 7a177b8f227d2..ff519f7a87847 100644
+--- a/fs/f2fs/dir.c
++++ b/fs/f2fs/dir.c
+@@ -819,7 +819,8 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
+               /* check memory boundary before moving forward */
+               bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
+-              if (unlikely(bit_pos > d->max)) {
++              if (unlikely(bit_pos > d->max ||
++                              le16_to_cpu(de->name_len) > F2FS_NAME_LEN)) {
+                       f2fs_msg(F2FS_I_SB(d->inode)->sb, KERN_WARNING,
+                               "%s: corrupted namelen=%d, run fsck to fix.",
+                               __func__, le16_to_cpu(de->name_len));
+-- 
+2.25.1
+
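Review bot: The comment `/* check memory boundary before moving forward */` above the widened condition in the fs/f2fs/dir.c hunk no longer covers everything the test rejects. The new clause also refuses a name_len larger than F2FS_NAME_LEN while bit_pos is still within d->max. I would reword it to `/* reject a dentry whose slots run past d->max or whose name_len exceeds F2FS_NAME_LEN */` so both conditions are visible to whoever next touches this on-disk validation. The body of the `if` and the rest of f2fs_fill_dentries lie outside the hunk.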
diff --git a/queue-4.14/f2fs-check-memory-boundary-by-insane-namelen.patch b/queue-4.14/f2fs-check-memory-boundary-by-insane-namelen.patch
new file mode 100644 (file)
index 0000000..f30a7f0
--- /dev/null
@@ -0,0 +1,51 @@
+From a17bdad2eb287f180ae8a561d5143aa1ce24340b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Nov 2018 12:40:30 -0800
+Subject: f2fs: check memory boundary by insane namelen
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+[ Upstream commit 4e240d1bab1ead280ddf5eb05058dba6bbd57d10 ]
+
+If namelen is corrupted to have very long value, fill_dentries can copy
+wrong memory area.
+
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/dir.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
+index 4abefd841b6c7..7a177b8f227d2 100644
+--- a/fs/f2fs/dir.c
++++ b/fs/f2fs/dir.c
+@@ -817,6 +817,16 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
+               de_name.name = d->filename[bit_pos];
+               de_name.len = le16_to_cpu(de->name_len);
++              /* check memory boundary before moving forward */
++              bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
++              if (unlikely(bit_pos > d->max)) {
++                      f2fs_msg(F2FS_I_SB(d->inode)->sb, KERN_WARNING,
++                              "%s: corrupted namelen=%d, run fsck to fix.",
++                              __func__, le16_to_cpu(de->name_len));
++                      set_sbi_flag(F2FS_I_SB(d->inode)->sb->s_fs_info, SBI_NEED_FSCK);
++                      return -EINVAL;
++              }
++
+               if (f2fs_encrypted_inode(d->inode)) {
+                       int save_len = fstr->len;
+                       int err;
+@@ -835,7 +845,6 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
+                                       le32_to_cpu(de->ino), d_type))
+                       return 1;
+-              bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
+               ctx->pos = start_pos + bit_pos;
+       }
+       return 0;
+-- 
+2.25.1
+
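Review bot: In the added block, `set_sbi_flag(F2FS_I_SB(d->inode)->sb->s_fs_info, SBI_NEED_FSCK);` takes the value returned by `F2FS_I_SB(d->inode)`, walks to its `sb` and reads `s_fs_info` back. That presumably yields the same f2fs_sb_info it started from, so the extra hop appears redundant. I would look the pointer up once with `struct f2fs_sb_info *sbi = F2FS_I_SB(d->inode);`, then call `f2fs_msg(sbi->sb, KERN_WARNING, ...)` and `set_sbi_flag(sbi, SBI_NEED_FSCK);`. This keeps the error path for a corrupted dentry short and avoids evaluating the lookup twice. f2fs_fill_dentries starts before and continues after the hunk, so whether a suitable local already exists there cannot be seen from here.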
index 0b31ac950003560e827c43ed15a3fb056a3a65aa..32ba9f8120fd43ae0e65538195373166a557d0c6 100644 (file)
@@ -13,3 +13,5 @@ random32-update-the-net-random-state-on-interrupt-and-activity.patch
 arm-percpu.h-fix-build-error.patch
 drm-amdgpu-prevent-kernel-infoleak-in-amdgpu_info_ioctl.patch
 drm-hold-gem-reference-until-object-is-no-longer-accessed.patch
+f2fs-check-memory-boundary-by-insane-namelen.patch
+f2fs-check-if-file-namelen-exceeds-max-value.patch