[SRU][Xenial][PATCH 1/1] f2fs: fix to avoid out-of-bounds memory access

Joseph Salisbury joseph.salisbury at canonical.com
Tue Feb 8 20:16:10 UTC 2022 

From: Chao Yu <yuchao0 at huawei.com>

butt3rflyh4ck <butterflyhuangxx at gmail.com> reported a bug found by
syzkaller fuzzer with custom modifications in 5.12.0-rc3+ [1]:

 dump_stack+0xfa/0x151 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x82/0x32c mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
 f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline]
 current_nat_addr fs/f2fs/node.h:213 [inline]
 get_next_nat_page fs/f2fs/node.c:123 [inline]
 __flush_nat_entry_set fs/f2fs/node.c:2888 [inline]
 f2fs_flush_nat_entries+0x258e/0x2960 fs/f2fs/node.c:2991
 f2fs_write_checkpoint+0x1372/0x6a70 fs/f2fs/checkpoint.c:1640
 f2fs_issue_checkpoint+0x149/0x410 fs/f2fs/checkpoint.c:1807
 f2fs_sync_fs+0x20f/0x420 fs/f2fs/super.c:1454
 __sync_filesystem fs/sync.c:39 [inline]
 sync_filesystem fs/sync.c:67 [inline]
 sync_filesystem+0x1b5/0x260 fs/sync.c:48
 generic_shutdown_super+0x70/0x370 fs/super.c:448
 kill_block_super+0x97/0xf0 fs/super.c:1394

The root cause is, if nat entry in checkpoint journal area is corrupted,
e.g. nid of journalled nat entry exceeds max nid value, during checkpoint,
once it tries to flush nat journal to NAT area, get_next_nat_page() may
access out-of-bounds memory on nat_bitmap due to it uses wrong nid value
as bitmap offset.

[1] https://lore.kernel.org/lkml/CAFcO6XOMWdr8pObek6eN6-fs58KG9doRFadgJj-FnF-1x43s2g@mail.gmail.com/T/#u

Reported-and-tested-by: butt3rflyh4ck <butterflyhuangxx at gmail.com>
Signed-off-by: Chao Yu <yuchao0 at huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk at kernel.org>
(backported from commit b862676e371715456c9dade7990c8004996d0d9e)
[jsalisbury: context adjustment because of missing commit
 dfc08a12e49a64f97d8b474da1d7745230cec5eb
 Preserved name of function check_nid_range() due to missing commit
 4d57b86dd86404fd8bb4f87d277d5a86a7fe537e, which changes name to
 f2fs_check_nid_range]
CVE-2021-3506
Signed-off-by: Joseph Salisbury <joseph.salisbury at canonical.com>
---
 fs/f2fs/node.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
index 582373849332..b9c72ea60844 100644
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -1869,6 +1869,9 @@ static void remove_nats_in_journal(struct f2fs_sb_info *sbi)
 		struct f2fs_nat_entry raw_ne;
 		nid_t nid = le32_to_cpu(nid_in_journal(sum, i));
 
+		if (check_nid_range(sbi, nid))
+			continue;
+
 		raw_ne = nat_in_journal(sum, i);
 
 		ne = __lookup_nat_cache(nm_i, nid);
-- 
2.32.0

More information about the kernel-team mailing list