From: Greg Kroah-Hartman
Date: Tue, 8 Aug 2017 16:23:47 +0000 (-0700)
Subject: 4.4-stable patches
X-Git-Tag: v4.12.6~29
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f2481e06f3dda33de2f99e9ed57071f8e933985f;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches added patches: f2fs-sanity-check-checkpoint-segno-and-blkoff.patch
---
diff --git a/queue-4.4/f2fs-sanity-check-checkpoint-segno-and-blkoff.patch b/queue-4.4/f2fs-sanity-check-checkpoint-segno-and-blkoff.patch
new file mode 100644
index 00000000000..230c058c1ec
--- /dev/null
+++ b/queue-4.4/f2fs-sanity-check-checkpoint-segno-and-blkoff.patch
@@ -0,0 +1,54 @@
+From 15d3042a937c13f5d9244241c7a9c8416ff6e82a Mon Sep 17 00:00:00 2001
+From: Jin Qian
+Date: Mon, 15 May 2017 10:45:08 -0700
+Subject: f2fs: sanity check checkpoint segno and blkoff
+
+From: Jin Qian
+
+commit 15d3042a937c13f5d9244241c7a9c8416ff6e82a upstream.
+
+Make sure segno and blkoff read from raw image are valid.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jin Qian
+[Jaegeuk Kim: adjust minor coding style]
+Signed-off-by: Jaegeuk Kim
+[AmitP: Found in Android Security bulletin for Aug'17, fixes CVE-2017-10663]
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/super.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1078,6 +1078,8 @@ static int sanity_check_ckpt(struct f2fs
+ unsigned int total, fsmeta;
+ struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi);
+ struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi);
++ unsigned int main_segs, blocks_per_seg;
++ int i;
+
+ total = le32_to_cpu(raw_super->segment_count);
+ fsmeta = le32_to_cpu(raw_super->segment_count_ckpt);
+@@ -1089,6 +1091,20 @@ static int sanity_check_ckpt(struct f2fs
+ if (unlikely(fsmeta >= total))
+ return 1;
+
++ main_segs = le32_to_cpu(raw_super->segment_count_main);
++ blocks_per_seg = sbi->blocks_per_seg;
++
++ for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) {
++ if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs ||
++ le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg)
++ return 1;
++ }
++ for (i = 0; i < NR_CURSEG_DATA_TYPE; i++) {
++ if (le32_to_cpu(ckpt->cur_data_segno[i]) >= main_segs ||
++ le16_to_cpu(ckpt->cur_data_blkoff[i]) >= blocks_per_seg)
++ return 1;
++ }
++
+ if (unlikely(f2fs_cp_error(sbi))) {
+ f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck");
+ return 1;
diff --git a/queue-4.4/series b/queue-4.4/series
index d28c9d50734..0b95b06a632 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
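Review bot: Both new loops in sanity_check_ckpt() reject an out-of-range `cur_node_segno`/`cur_node_blkoff` or `cur_data_segno`/`cur_data_blkoff` with a bare `return 1;`, so a mount that fails on a corrupted or crafted image leaves no record of which checkpoint field was bad, unlike the `f2fs_cp_error` branch just below, which logs through `f2fs_msg`. I would log before each return, e.g. `f2fs_msg(sbi->sb, KERN_ERR, "Invalid segno/blkoff in checkpoint curseg %d", i);`, and wrap the conditions in `unlikely()` to match the neighbouring `if (unlikely(fsmeta >= total))` check. The upper bound `main_segs` is itself read from the image via `raw_super->segment_count_main`; its validation is not visible in this hunk and is presumably done elsewhere, which is worth confirming for this 4.4 backport. The function body starts and ends outside the hunk.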
@@ -17,3 +17,4 @@ iscsi-target-fix-delayed-logout-processing-greater-than-seconds_for_logout_comp.
 iser-target-avoid-isert_conn-cm_id-dereference-in-isert_login_recv_done.patch
 mm-mprotect-flush-tlb-if-potentially-racing-with-a-parallel-reclaim-leaving-stale-tlb-entries.patch
 media-lirc-lirc_get_rec_resolution-should-return-microseconds.patch
+f2fs-sanity-check-checkpoint-segno-and-blkoff.patch