4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 8 Aug 2017 16:23:47 +0000 (09:23 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 8 Aug 2017 16:23:47 +0000 (09:23 -0700)
added patches:
f2fs-sanity-check-checkpoint-segno-and-blkoff.patch

queue-4.4/f2fs-sanity-check-checkpoint-segno-and-blkoff.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/f2fs-sanity-check-checkpoint-segno-and-blkoff.patch b/queue-4.4/f2fs-sanity-check-checkpoint-segno-and-blkoff.patch
new file mode 100644 (file)
index 0000000..230c058
--- /dev/null
@@ -0,0 +1,54 @@
+From 15d3042a937c13f5d9244241c7a9c8416ff6e82a Mon Sep 17 00:00:00 2001
+From: Jin Qian <jinqian@google.com>
+Date: Mon, 15 May 2017 10:45:08 -0700
+Subject: f2fs: sanity check checkpoint segno and blkoff
+
+From: Jin Qian <jinqian@google.com>
+
+commit 15d3042a937c13f5d9244241c7a9c8416ff6e82a upstream.
+
+Make sure segno and blkoff read from raw image are valid.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jin Qian <jinqian@google.com>
+[Jaegeuk Kim: adjust minor coding style]
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[AmitP: Found in Android Security bulletin for Aug'17, fixes CVE-2017-10663]
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/super.c |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1078,6 +1078,8 @@ static int sanity_check_ckpt(struct f2fs
+       unsigned int total, fsmeta;
+       struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi);
+       struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi);
++      unsigned int main_segs, blocks_per_seg;
++      int i;
+       total = le32_to_cpu(raw_super->segment_count);
+       fsmeta = le32_to_cpu(raw_super->segment_count_ckpt);
+@@ -1089,6 +1091,20 @@ static int sanity_check_ckpt(struct f2fs
+       if (unlikely(fsmeta >= total))
+               return 1;
++      main_segs = le32_to_cpu(raw_super->segment_count_main);
++      blocks_per_seg = sbi->blocks_per_seg;
++
++      for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) {
++              if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs ||
++                      le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg)
++                      return 1;
++      }
++      for (i = 0; i < NR_CURSEG_DATA_TYPE; i++) {
++              if (le32_to_cpu(ckpt->cur_data_segno[i]) >= main_segs ||
++                      le16_to_cpu(ckpt->cur_data_blkoff[i]) >= blocks_per_seg)
++                      return 1;
++      }
++
+       if (unlikely(f2fs_cp_error(sbi))) {
+               f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck");
+               return 1;
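Review bot: Both new loops in sanity_check_ckpt() return 1 without logging, so a mount rejected for an out-of-range checkpoint field leaves nothing in the kernel log saying which of cur_node_segno, cur_node_blkoff, cur_data_segno or cur_data_blkoff was bad, whereas the f2fs_cp_error() branch directly after them does log. I would add a message before each return, for example `f2fs_msg(sbi->sb, KERN_ERR, "Invalid cur_node segno/blkoff in checkpoint");` with a matching one in the data loop, and wrap the two conditions in `unlikely()` like the surrounding checks. The loops bound each entry on its own; as far as this hunk shows, nothing checks that two current segments do not name the same segno, which may be worth a follow-up. The upper bound is taken from sbi->blocks_per_seg, whose own validation is not visible here, and the function begins and ends outside the hunk.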
index d28c9d50734e358c2da64843a5192a94e54f13ae..0b95b06a6321bf9cee71c1e274d3a7eca6e6c41a 100644 (file)
@@ -17,3 +17,4 @@ iscsi-target-fix-delayed-logout-processing-greater-than-seconds_for_logout_comp.
 iser-target-avoid-isert_conn-cm_id-dereference-in-isert_login_recv_done.patch
 mm-mprotect-flush-tlb-if-potentially-racing-with-a-parallel-reclaim-leaving-stale-tlb-entries.patch
 media-lirc-lirc_get_rec_resolution-should-return-microseconds.patch
+f2fs-sanity-check-checkpoint-segno-and-blkoff.patch