f2fs: validate orphan inode entry count

f2fs_recover_orphan_inodes() trusts the orphan block entry_count when
replaying orphan inodes from the checkpoint pack. A corrupted entry_count
larger than F2FS_ORPHANS_PER_BLOCK makes the recovery loop read past the
ino[] array and interpret footer or following data as inode numbers.

On a crafted image, mounting an unpatched kernel can drive orphan recovery
into f2fs_bug_on() and panic the kernel. Validate entry_count before
consuming entries so corrupted checkpoint data fails the mount with
-EFSCORRUPTED and requests fsck instead.

Set ERROR_INCONSISTENT_ORPHAN as well, so the corruption reason can be
recorded in the superblock s_errors[] field. This gives fsck a persistent
hint even though mount-time orphan recovery failure may leave no chance to
persist SBI_NEED_FSCK through a checkpoint.

Cc: stable@kernel.org
Fixes: 127e670abfa7 ("f2fs: add checkpoint operations")
Signed-off-by: Wenjie Qi <qiwenjie@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c
index c00a6b6ebcbd8ae5ee1ef13e3922bd9a501074ba..064f5b5374237ca2b6dd55f4df837f39802a574b 100644 (file)
--- a/fs/f2fs/checkpoint.c
+++ b/fs/f2fs/checkpoint.c
@@ -943,6 +943,7 @@ int f2fs_recover_orphan_inodes(struct f2fs_sb_info *sbi)
        for (i = 0; i < orphan_blocks; i++) {
                struct folio *folio;
                struct f2fs_orphan_block *orphan_blk;
+               unsigned int entry_count;
 
                folio = f2fs_get_meta_folio(sbi, start_blk + i);
                if (IS_ERR(folio)) {
@@ -951,7 +952,18 @@ int f2fs_recover_orphan_inodes(struct f2fs_sb_info *sbi)
                }
 
                orphan_blk = folio_address(folio);
-               for (j = 0; j < le32_to_cpu(orphan_blk->entry_count); j++) {
+               entry_count = le32_to_cpu(orphan_blk->entry_count);
+               if (entry_count > F2FS_ORPHANS_PER_BLOCK) {
+                       f2fs_err(sbi, "invalid orphan inode entry count %u",
+                                entry_count);
+                       set_sbi_flag(sbi, SBI_NEED_FSCK);
+                       f2fs_handle_error(sbi, ERROR_INCONSISTENT_ORPHAN);
+                       err = -EFSCORRUPTED;
+                       f2fs_folio_put(folio, true);
+                       goto out;
+               }
+
+               for (j = 0; j < entry_count; j++) {
                        nid_t ino = le32_to_cpu(orphan_blk->ino[j]);
 
                        err = recover_orphan_inode(sbi, ino);

diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h
index 829a59399dacf9e065c6e86b0db7ae21dac9d205..bb2b6cd5d5070e9daebc550c09f8600e0fdd9ee4 100644 (file)
--- a/include/linux/f2fs_fs.h
+++ b/include/linux/f2fs_fs.h
@@ -107,6 +107,7 @@ enum f2fs_error {
        ERROR_CORRUPTED_XATTR,
        ERROR_INVALID_NODE_REFERENCE,
        ERROR_INCONSISTENT_NAT,
+       ERROR_INCONSISTENT_ORPHAN,
        ERROR_MAX,
 };