linux/fs/f2fs
Chao Yu dd6c89b5f2 f2fs: fix to do sanity check with inode.i_inline_xattr_size
As Paul Bandha reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=202709

When I run the poc on the mounted f2fs img I get a buffer overflow in
read_inline_xattr due to there being no sanity check on the value of
i_inline_xattr_size.

I created the img by just modifying the value of i_inline_xattr_size
in the inode:

i_name                  [test1.txt]
i_ext: fofs:0 blkaddr:0 len:0
i_extra_isize           [0x      18 : 24]
i_inline_xattr_size     [0x    ffff : 65535]
i_addr[ofs]             [0x       0 : 0]

mkdir /mnt/f2fs
mount ./f2fs1.img /mnt/f2fs
gcc poc.c -o poc
./poc

#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <sys/syscall.h>

int main(void) {
	/* listxattr on the crafted inode reaches read_inline_xattr */
	int y = syscall(SYS_listxattr, "/mnt/f2fs/test1.txt", NULL, 0);
	printf("ret %d\n", y);
	printf("errno: %d\n", errno);
	return 0;
}

 BUG: KASAN: slab-out-of-bounds in read_inline_xattr+0x18f/0x260
 Read of size 262140 at addr ffff88011035efd8 by task f2fs1poc/3263

 CPU: 0 PID: 3263 Comm: f2fs1poc Not tainted 4.18.0-custom #1
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
 Call Trace:
  dump_stack+0x71/0xab
  print_address_description+0x83/0x250
  kasan_report+0x213/0x350
  memcpy+0x1f/0x50
  read_inline_xattr+0x18f/0x260
  read_all_xattrs+0xba/0x190
  f2fs_listxattr+0x9d/0x3f0
  listxattr+0xb2/0xd0
  path_listxattr+0x93/0xe0
  do_syscall_64+0x9d/0x220
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Let's add a sanity check for inode.i_inline_xattr_size during f2fs_iget()
to avoid this issue.

Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
2019-03-12 19:02:26 -07:00
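The report above shows what happens when i_inline_xattr_size is trusted straight from disk: 0xffff slots of 4 bytes is 262140 bytes, exactly the size in the KASAN line. The user-space model below is an added example, not code from the f2fs tree or from this commit; it shows the kind of load-time bound the message calls for, placed in front of the memcpy. The slot count DEF_ADDRS_PER_INODE (923), the layout of i_addr[] (extra attributes at the head, inline xattrs at the tail) and the bound itself (the xattr area must fit behind the extra attributes and leave one slot free) are assumptions of the model, not the kernel's exact constants or its exact check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumptions of this model (not taken from the page): the inode block holds
 * DEF_ADDRS_PER_INODE 4-byte slots in i_addr[], the extra-attribute area is
 * the first i_extra_isize bytes of it, and the inline xattr area is the last
 * i_inline_xattr_size slots. */
#define DEF_ADDRS_PER_INODE 923
#define SLOT_SIZE sizeof(uint32_t)

struct model_inode {
    uint16_t i_extra_isize;        /* bytes; 24 in the dump above */
    uint16_t i_inline_xattr_size;  /* 4-byte slots; 0xffff in the dump above */
    uint32_t i_addr[DEF_ADDRS_PER_INODE];
};

/* Bytes an unchecked read_inline_xattr-style memcpy would copy. */
size_t inline_xattr_bytes(uint16_t i_inline_xattr_size)
{
    return (size_t)i_inline_xattr_size * SLOT_SIZE;
}

/* Sanity check to run when the inode is loaded, before any xattr code
 * trusts the field. The inline xattr area must fit in i_addr[] behind the
 * extra-attribute region and leave at least one slot for a block address.
 * Returns 1 if the value is sane, 0 if the inode should be rejected. */
int inline_xattr_size_sane(uint16_t i_extra_isize, uint16_t i_inline_xattr_size)
{
    size_t extra_slots;

    if (i_extra_isize % SLOT_SIZE)                 /* must be slot-aligned */
        return 0;
    extra_slots = i_extra_isize / SLOT_SIZE;
    if (extra_slots >= DEF_ADDRS_PER_INODE - 1)    /* no room left at all */
        return 0;
    return (size_t)i_inline_xattr_size <= DEF_ADDRS_PER_INODE - 1 - extra_slots;
}

/* Model of the xattr read path with the check in front of the memcpy.
 * Returns bytes copied, or -1 if the inode is rejected or dst is too small. */
int read_inline_xattr_checked(const struct model_inode *ri, void *dst, size_t dst_len)
{
    size_t len;

    if (!inline_xattr_size_sane(ri->i_extra_isize, ri->i_inline_xattr_size))
        return -1;
    len = inline_xattr_bytes(ri->i_inline_xattr_size);
    if (len > dst_len)
        return -1;
    /* The inline xattr area is the tail of i_addr[]; the index is in range
     * only because the check above bounded i_inline_xattr_size. */
    memcpy(dst, &ri->i_addr[DEF_ADDRS_PER_INODE - ri->i_inline_xattr_size], len);
    return (int)len;
}

/* Constructed inode carrying the two fields from the dump; runs the checked
 * read and returns its result. */
int try_inode(uint16_t i_extra_isize, uint16_t i_inline_xattr_size)
{
    static struct model_inode ri;
    static unsigned char buf[sizeof(ri.i_addr)];

    memset(&ri, 0, sizeof(ri));
    ri.i_extra_isize = i_extra_isize;
    ri.i_inline_xattr_size = i_inline_xattr_size;
    return read_inline_xattr_checked(&ri, buf, sizeof(buf));
}

int main(void)
{
    /* the crafted value from the report: 0xffff slots is 262140 bytes */
    printf("0xffff -> %zu bytes, checked read = %d\n",
           inline_xattr_bytes(0xffff), try_inode(24, 0xffff));
    /* a value that fits behind a 24-byte extra-attribute area */
    printf("50 -> %zu bytes, checked read = %d\n",
           inline_xattr_bytes(50), try_inode(24, 50));
    return 0;
}
```

Running it shows the crafted value rejected (-1) and a value that fits copied (200 bytes). In the kernel the rejection belongs in the inode-load path, as the commit message says, so that listxattr never reaches the memcpy with a hostile size; a check at the read site alone would still leave every other consumer of the field exposed.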
acl.c f2fs: use kvmalloc, if kmalloc is failed 2018-12-26 15:16:53 -08:00
acl.h f2fs: add SPDX license identifiers 2018-09-12 13:07:10 -07:00
checkpoint.c f2fs: fix to add refcount once page is tagged PG_private 2019-03-12 18:59:19 -07:00
data.c f2fs: don't trigger read IO for beyond EOF page 2019-03-12 18:59:19 -07:00
debug.c f2fs: no need to check return value of debugfs_create functions 2019-01-08 20:41:09 -08:00
dir.c f2fs: fix to add refcount once page is tagged PG_private 2019-03-12 18:59:19 -07:00
extent_cache.c f2fs: fix to initialize variable to avoid UBSAN/smatch warning 2019-01-22 15:31:26 -08:00
f2fs.h f2fs: fix to add refcount once page is tagged PG_private 2019-03-12 18:59:19 -07:00
file.c f2fs: trace f2fs_ioc_shutdown 2019-03-12 18:59:19 -07:00
gc.c f2fs: check PageWriteback flag for ordered case 2018-12-26 15:16:56 -08:00
gc.h f2fs: add SPDX license identifiers 2018-09-12 13:07:10 -07:00
hash.c f2fs: add SPDX license identifiers 2018-09-12 13:07:10 -07:00
inline.c f2fs: fix potential data inconsistence of checkpoint 2019-03-05 19:58:06 -08:00
inode.c f2fs: fix to do sanity check with inode.i_inline_xattr_size 2019-03-12 19:02:26 -07:00
Kconfig fs/*/Kconfig: drop links to 404-compliant http://acl.bestbits.at 2018-01-01 12:45:37 -07:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
namei.c f2fs: give random value to i_generation 2019-03-12 18:59:18 -07:00
node.c f2fs: fix to add refcount once page is tagged PG_private 2019-03-12 18:59:19 -07:00
node.h f2fs: check PageWriteback flag for ordered case 2018-12-26 15:16:56 -08:00
recovery.c f2fs: check PageWriteback flag for ordered case 2018-12-26 15:16:56 -08:00
segment.c f2fs: fix to add refcount once page is tagged PG_private 2019-03-12 18:59:19 -07:00
segment.h f2fs: don't wake up too frequently, if there is lots of IOs 2019-02-15 20:59:45 -08:00
shrinker.c f2fs: fix sbi->extent_list corruption issue 2018-12-26 15:16:54 -08:00
super.c f2fs: fix to do sanity check with inode.i_inline_xattr_size 2019-03-12 19:02:26 -07:00
sysfs.c f2fs: run discard jobs when put_super 2019-02-04 08:55:34 -08:00
trace.c f2fs: do not use mutex lock in atomic context 2019-03-05 19:58:06 -08:00
trace.h f2fs: add SPDX license identifiers 2018-09-12 13:07:10 -07:00
xattr.c f2fs: fix to use kvfree instead of kzfree 2019-03-12 18:59:19 -07:00
xattr.h f2fs: fix to do sanity check with inode.i_inline_xattr_size 2019-03-12 19:02:26 -07:00