From d3e8b6b313b8180f96d32faeb744a4088a2caa79 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 9 May 2021 12:11:36 +0200
Subject: [PATCH] 4.19-stable patches

added patches:
f2fs-fix-to-avoid-out-of-bounds-memory-access.patch
ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch
---
 ...to-avoid-out-of-bounds-memory-access.patch | 58 +++++++++++++++++++
 queue-4.19/series | 2 +
 ...-inode-type-to-judge-if-inode-linked.patch | 46 +++++++++++++++
 3 files changed, 106 insertions(+)
 create mode 100644 queue-4.19/f2fs-fix-to-avoid-out-of-bounds-memory-access.patch
 create mode 100644 queue-4.19/ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch

diff --git a/queue-4.19/f2fs-fix-to-avoid-out-of-bounds-memory-access.patch b/queue-4.19/f2fs-fix-to-avoid-out-of-bounds-memory-access.patch
new file mode 100644
index 00000000000..68a65ac96b5
--- /dev/null
+++ b/queue-4.19/f2fs-fix-to-avoid-out-of-bounds-memory-access.patch
@@ -0,0 +1,58 @@
+From b862676e371715456c9dade7990c8004996d0d9e Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Mon, 22 Mar 2021 19:47:30 +0800
+Subject: f2fs: fix to avoid out-of-bounds memory access
+
+From: Chao Yu
+
+commit b862676e371715456c9dade7990c8004996d0d9e upstream.
+
+butt3rflyh4ck reported a bug found by
+syzkaller fuzzer with custom modifications in 5.12.0-rc3+ [1]:
+
+ dump_stack+0xfa/0x151 lib/dump_stack.c:120
+ print_address_description.constprop.0.cold+0x82/0x32c mm/kasan/report.c:232
+ __kasan_report mm/kasan/report.c:399 [inline]
+ kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
+ f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline]
+ current_nat_addr fs/f2fs/node.h:213 [inline]
+ get_next_nat_page fs/f2fs/node.c:123 [inline]
+ __flush_nat_entry_set fs/f2fs/node.c:2888 [inline]
+ f2fs_flush_nat_entries+0x258e/0x2960 fs/f2fs/node.c:2991
+ f2fs_write_checkpoint+0x1372/0x6a70 fs/f2fs/checkpoint.c:1640
+ f2fs_issue_checkpoint+0x149/0x410 fs/f2fs/checkpoint.c:1807
+ f2fs_sync_fs+0x20f/0x420 fs/f2fs/super.c:1454
+ __sync_filesystem fs/sync.c:39 [inline]
+ sync_filesystem fs/sync.c:67 [inline]
+ sync_filesystem+0x1b5/0x260 fs/sync.c:48
+ generic_shutdown_super+0x70/0x370 fs/super.c:448
+ kill_block_super+0x97/0xf0 fs/super.c:1394
+
+The root cause is, if nat entry in checkpoint journal area is corrupted,
+e.g. nid of journalled nat entry exceeds max nid value, during checkpoint,
+once it tries to flush nat journal to NAT area, get_next_nat_page() may
+access out-of-bounds memory on nat_bitmap due to it uses wrong nid value
+as bitmap offset.
+
+[1] https://lore.kernel.org/lkml/CAFcO6XOMWdr8pObek6eN6-fs58KG9doRFadgJj-FnF-1x43s2g@mail.gmail.com/T/#u
+
+Reported-and-tested-by: butt3rflyh4ck
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/node.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -2654,6 +2654,9 @@ static void remove_nats_in_journal(struc
+ struct f2fs_nat_entry raw_ne;
+ nid_t nid = le32_to_cpu(nid_in_journal(journal, i));
+
++ if (f2fs_check_nid_range(sbi, nid))
++ continue;
++
+ raw_ne = nat_in_journal(journal, i);
+
+ ne = __lookup_nat_cache(nm_i, nid);
diff --git a/queue-4.19/series b/queue-4.19/series
index b0627fe7275..885ecd92cb4 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -81,3 +81,5 @@ alsa-usb-audio-add-db-range-mapping-for-sennheiser-communications-headset-pc-8.p
 alsa-hda-realtek-add-quirk-for-intel-clevo-pcx0dx.patch
 btrfs-fix-race-when-picking-most-recent-mod-log-oper.patch
 arm64-vdso-discard-.note.gnu.property-sections-in-vd.patch
+ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch
+f2fs-fix-to-avoid-out-of-bounds-memory-access.patch
diff --git a/queue-4.19/ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch b/queue-4.19/ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch
new file mode 100644
index 00000000000..473d3b062f9
--- /dev/null
+++ b/queue-4.19/ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch
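Review bot: The new `continue` in remove_nats_in_journal() drops a journalled NAT entry whose nid is out of range without any comment on why that is safe, and the hunk does not show whether the corruption is surfaced; the silent skip is only sound if f2fs_check_nid_range() itself warns and flags the filesystem for fsck, which is not visible here and should be confirmed. A one-line comment above the check would keep a later reader from treating it as an optimisation: `/* Corrupt journal entry (nid out of range): skip it so it can never be used as a nat_bitmap offset during the NAT flush. */`. The loop head and the rest of remove_nats_in_journal() start and end outside the hunk, so whether the journal slot itself is left in place for the next checkpoint cannot be judged from here. Other readers of nat_in_journal() presumably see the same raw nid and are not covered by this patch; worth checking they validate it too.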
@@ -0,0 +1,46 @@
+From 3e903315790baf4a966436e7f32e9c97864570ac Mon Sep 17 00:00:00 2001
+From: Guochun Mao
+Date: Tue, 16 Mar 2021 16:52:14 +0800
+Subject: ubifs: Only check replay with inode type to judge if inode linked
+
+From: Guochun Mao
+
+commit 3e903315790baf4a966436e7f32e9c97864570ac upstream.
+
+Conside the following case, it just write a big file into flash,
+when complete writing, delete the file, and then power off promptly.
+Next time power on, we'll get a replay list like:
+...
+LEB 1105:211344 len 4144 deletion 0 sqnum 428783 key type 1 inode 80
+LEB 15:233544 len 160 deletion 1 sqnum 428785 key type 0 inode 80
+LEB 1105:215488 len 4144 deletion 0 sqnum 428787 key type 1 inode 80
+...
+In the replay list, data nodes' deletion are 0, and the inode node's
+deletion is 1. In current logic, the file's dentry will be removed,
+but inode and the flash space it occupied will be reserved.
+User will see that much free space been disappeared.
+
+We only need to check the deletion value of the following inode type
+node of the replay entry.
+
+Fixes: e58725d51fa8 ("ubifs: Handle re-linking of inodes correctly while recovery")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guochun Mao
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ubifs/replay.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ubifs/replay.c
++++ b/fs/ubifs/replay.c
+@@ -232,7 +232,8 @@ static bool inode_still_linked(struct ub
+ */
+ list_for_each_entry_reverse(r, &c->replay_list, list) {
+ ubifs_assert(c, r->sqnum >= rino->sqnum);
+- if (key_inum(c, &r->key) == key_inum(c, &rino->key))
++ if (key_inum(c, &r->key) == key_inum(c, &rino->key) &&
++ key_type(c, &r->key) == UBIFS_INO_KEY)
+ return r->deletion == 0;
+
+ }
-- 
2.47.3
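Review bot: The added `key_type(c, &r->key) == UBIFS_INO_KEY` clause in inode_still_linked() reads as an arbitrary filter unless the reader already knows, from the commit message, that data nodes of the same inum always carry deletion == 0 and so made a deleted inode look linked. A comment above the `if` would carry that reasoning into the code: `/* Only inode nodes carry link state; data nodes for the same inum always have deletion == 0 and must not decide. */`. The comment block whose ` */` opens the hunk presumably describes this loop and could hold the sentence instead. The loop body ends inside the hunk, but the function's fallback after the loop is outside it, so what the function returns when no inode-type node for the inum is found cannot be reviewed here.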