From: Sasha Levin Date: Sat, 1 Aug 2020 14:19:36 +0000 (-0400) Subject: Fixes for 4.9 X-Git-Tag: v5.7.13~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a212a545c46b1e3a64c27947470c1211feb43ed8;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.9 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.9/f2fs-check-if-file-namelen-exceeds-max-value.patch b/queue-4.9/f2fs-check-if-file-namelen-exceeds-max-value.patch
new file mode 100644
index 00000000000..bdfdb5ba5f5
--- /dev/null
+++ b/queue-4.9/f2fs-check-if-file-namelen-exceeds-max-value.patch
@@ -0,0 +1,38 @@
+From 6f0169839df74b476bd7f99485d4255df88a6b0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Jan 2019 15:02:34 +0800
+Subject: f2fs: check if file namelen exceeds max value
+
+From: Sheng Yong
+
+[ Upstream commit 720db068634c91553a8e1d9a0fcd8c7050e06d2b ]
+
+Dentry bitmap is not enough to detect incorrect dentries. So this patch
+also checks the namelen value of a dentry.
+
+Signed-off-by: Gong Chen
+Signed-off-by: Sheng Yong
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sasha Levin
+---
+ fs/f2fs/dir.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
+index 79d138756acb5..9a11b48e55ca2 100644
+--- a/fs/f2fs/dir.c
++++ b/fs/f2fs/dir.c
+@@ -845,7 +845,8 @@ bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
+
+ /* check memory boundary before moving forward */
+ bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
+- if (unlikely(bit_pos > d->max)) {
++ if (unlikely(bit_pos > d->max ||
++ le16_to_cpu(de->name_len) > F2FS_NAME_LEN)) {
+ f2fs_msg(F2FS_I_SB(d->inode)->sb, KERN_WARNING,
+ "%s: corrupted namelen=%d, run fsck to fix.",
+ __func__, le16_to_cpu(de->name_len));
+--
+2.25.1
+
diff --git a/queue-4.9/f2fs-check-memory-boundary-by-insane-namelen.patch b/queue-4.9/f2fs-check-memory-boundary-by-insane-namelen.patch
new file mode 100644
index 00000000000..eba583a7e33
--- /dev/null
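Review bot: The comment `/* check memory boundary before moving forward */` in the nested fs/f2fs/dir.c hunk no longer describes the whole test, because the condition now also rejects `le16_to_cpu(de->name_len) > F2FS_NAME_LEN`; I would reword it to `/* reject a dentry whose slots run past d->max or whose name_len exceeds F2FS_NAME_LEN */`. The warning prints only `namelen`, so someone triaging a corrupted or crafted image cannot tell which directory tripped the check or which of the two limits was exceeded; adding the directory inode number (`d->inode->i_ino`) to the format string would help. The rest of the error branch and the enclosing f2fs_fill_dentries() lie outside the hunk, so what happens after the message is not visible here.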
+++ b/queue-4.9/f2fs-check-memory-boundary-by-insane-namelen.patch
@@ -0,0 +1,51 @@
+From ad5d1bb6a33780cf1c04893ccbcfd65985787268 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Nov 2018 12:40:30 -0800
+Subject: f2fs: check memory boundary by insane namelen
+
+From: Jaegeuk Kim
+
+[ Upstream commit 4e240d1bab1ead280ddf5eb05058dba6bbd57d10 ]
+
+If namelen is corrupted to have very long value, fill_dentries can copy
+wrong memory area.
+
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sasha Levin
+---
+ fs/f2fs/dir.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
+index b414892be08b7..79d138756acb5 100644
+--- a/fs/f2fs/dir.c
++++ b/fs/f2fs/dir.c
+@@ -843,6 +843,16 @@ bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
+ de_name.name = d->filename[bit_pos];
+ de_name.len = le16_to_cpu(de->name_len);
+
++ /* check memory boundary before moving forward */
++ bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
++ if (unlikely(bit_pos > d->max)) {
++ f2fs_msg(F2FS_I_SB(d->inode)->sb, KERN_WARNING,
++ "%s: corrupted namelen=%d, run fsck to fix.",
++ __func__, le16_to_cpu(de->name_len));
++ set_sbi_flag(F2FS_I_SB(d->inode)->sb->s_fs_info, SBI_NEED_FSCK);
++ return -EINVAL;
++ }
++
+ if (f2fs_encrypted_inode(d->inode)) {
+ int save_len = fstr->len;
+ int err;
+@@ -861,7 +871,6 @@ bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
+ le32_to_cpu(de->ino), d_type))
+ return true;
+
+- bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
+ ctx->pos = start_pos + bit_pos;
+ }
+ return false;
+--
+2.25.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index d12db57bc4e..900eafd252e 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
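Review bot: `return -EINVAL;` in the added error branch does not match the function's return type: the hunk header shows `bool f2fs_fill_dentries(...)` and the other returns in view are `return true;` and `return false;`, so the negative errno is converted to `true` and the error code never reaches the caller. If `true` only tells callers to stop filling (they are not visible here), reading a corrupted directory would end quietly instead of failing, leaving the log line and SBI_NEED_FSCK as the only trace. For this 4.9 backport I would write `return true;` with a comment such as `/* bool return in 4.9: stop filling; corruption is reported via SBI_NEED_FSCK */`, or carry the return-type change and caller updates in the same backport. `F2FS_I_SB(d->inode)->sb->s_fs_info` also looks like a round trip back to the same sb-info pointer; if that holds, `set_sbi_flag(F2FS_I_SB(d->inode), SBI_NEED_FSCK);` reads more directly. The function starts and ends outside the hunk.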
@@ -13,3 +13,5 @@ random32-update-the-net-random-state-on-interrupt-and-activity.patch
 arm-percpu.h-fix-build-error.patch
 drm-amdgpu-prevent-kernel-infoleak-in-amdgpu_info_ioctl.patch
 drm-hold-gem-reference-until-object-is-no-longer-accessed.patch
+f2fs-check-memory-boundary-by-insane-namelen.patch
+f2fs-check-if-file-namelen-exceeds-max-value.patch