<div dir="ltr"><div dir="ltr" class="gmail_attr">On Tue, Feb 8, 2022 at 12:20 PM Joseph Salisbury <<a href="mailto:joseph.salisbury@canonical.com">joseph.salisbury@canonical.com</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">From: Chao Yu <<a href="mailto:yuchao0@huawei.com" target="_blank">yuchao0@huawei.com</a>><br>
<br>
butt3rflyh4ck <<a href="mailto:butterflyhuangxx@gmail.com" target="_blank">butterflyhuangxx@gmail.com</a>> reported a bug found by<br>
syzkaller fuzzer with custom modifications in 5.12.0-rc3+ [1]:<br>
<br>
dump_stack+0xfa/0x151 lib/dump_stack.c:120<br>
print_address_description.constprop.0.cold+0x82/0x32c mm/kasan/report.c:232<br>
__kasan_report mm/kasan/report.c:399 [inline]<br>
kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416<br>
f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline]<br>
current_nat_addr fs/f2fs/node.h:213 [inline]<br>
get_next_nat_page fs/f2fs/node.c:123 [inline]<br>
__flush_nat_entry_set fs/f2fs/node.c:2888 [inline]<br>
f2fs_flush_nat_entries+0x258e/0x2960 fs/f2fs/node.c:2991<br>
f2fs_write_checkpoint+0x1372/0x6a70 fs/f2fs/checkpoint.c:1640<br>
f2fs_issue_checkpoint+0x149/0x410 fs/f2fs/checkpoint.c:1807<br>
f2fs_sync_fs+0x20f/0x420 fs/f2fs/super.c:1454<br>
__sync_filesystem fs/sync.c:39 [inline]<br>
sync_filesystem fs/sync.c:67 [inline]<br>
sync_filesystem+0x1b5/0x260 fs/sync.c:48<br>
generic_shutdown_super+0x70/0x370 fs/super.c:448<br>
kill_block_super+0x97/0xf0 fs/super.c:1394<br>
<br>
The root cause is that, if a nat entry in the checkpoint journal area is corrupted,<br>
e.g. the nid of a journalled nat entry exceeds the max nid value, then during checkpoint,<br>
once it tries to flush the nat journal to the NAT area, get_next_nat_page() may<br>
access out-of-bounds memory on nat_bitmap because it uses the wrong nid value<br>
as the bitmap offset.<br>
<br>
[1] <a href="https://lore.kernel.org/lkml/CAFcO6XOMWdr8pObek6eN6-fs58KG9doRFadgJj-FnF-1x43s2g@mail.gmail.com/T/#u" rel="noreferrer" target="_blank">https://lore.kernel.org/lkml/CAFcO6XOMWdr8pObek6eN6-fs58KG9doRFadgJj-FnF-1x43s2g@mail.gmail.com/T/#u</a><br>
<br>
Reported-and-tested-by: butt3rflyh4ck <<a href="mailto:butterflyhuangxx@gmail.com" target="_blank">butterflyhuangxx@gmail.com</a>><br>
Signed-off-by: Chao Yu <<a href="mailto:yuchao0@huawei.com" target="_blank">yuchao0@huawei.com</a>><br>
Signed-off-by: Jaegeuk Kim <<a href="mailto:jaegeuk@kernel.org" target="_blank">jaegeuk@kernel.org</a>><br>
(backported from commit b862676e371715456c9dade7990c8004996d0d9e)<br>
[jsalisbury: Preserved name of function check_nid_range() due to later commit<br>
4d57b86dd86404fd8bb4f87d277d5a86a7fe537e, which changes name to<br>
f2fs_check_nid_range]<br>
CVE-2021-3506<br>
Signed-off-by: Joseph Salisbury <<a href="mailto:joseph.salisbury@canonical.com" target="_blank">joseph.salisbury@canonical.com</a>><br>
---<br>
fs/f2fs/node.c | 3 +++<br>
1 file changed, 3 insertions(+)<br>
<br>
diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c<br>
index 70428dd6f797..1b1f061ea6e1 100644<br>
--- a/fs/f2fs/node.c<br>
+++ b/fs/f2fs/node.c<br>
@@ -2406,6 +2406,9 @@ static void remove_nats_in_journal(struct f2fs_sb_info *sbi)<br>
struct f2fs_nat_entry raw_ne;<br>
nid_t nid = le32_to_cpu(nid_in_journal(journal, i));<br>
<br>
+ if (check_nid_range(sbi, nid))<br>
+ continue;<br>
+<br>
raw_ne = nat_in_journal(journal, i);<br>
<br>
ne = __lookup_nat_cache(nm_i, nid);<br>
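Review bot: the new check_nid_range() guard at the top of the journal loop drops a corrupted entry with a bare `continue`, so a journalled nat entry whose nid is out of range is discarded with no message from this function and nothing visible to an administrator; unless check_nid_range() on this kernel already warns and marks the filesystem for fsck, consider logging the rejected nid (and setting the need-fsck flag) before the `continue`. The guard also lives only in remove_nats_in_journal(), while the trace in the commit message reaches get_next_nat_page() from __flush_nat_entry_set(), so the fix relies on every journalled nid entering the nat set through this loop; worth confirming that holds in the backport target.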
-- <br>
2.32.0<br>
<br></blockquote><div><br></div><div>Acked-by: Luke Nowakowski-Krijger <<a href="mailto:luke.nowakowskikrijger@canonical.com" target="_blank">luke.nowakowskikrijger@canonical.com</a>><font color="#888888"><div><br></div><div>- Luke<br></div><div><br></div></font></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
-- <br>
kernel-team mailing list<br>
<a href="mailto:kernel-team@lists.ubuntu.com" target="_blank">kernel-team@lists.ubuntu.com</a><br>
<a href="https://lists.ubuntu.com/mailman/listinfo/kernel-team" rel="noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/kernel-team</a><br>
</blockquote></div></div>
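The commit message above describes how a corrupted nid in the checkpoint's NAT journal turns into an out-of-range offset into nat_bitmap. The following C program is an added example, not code from the kernel or from this patch: it models the journal walk in remove_nats_in_journal() and the bitmap lookup that current_nat_addr() performs during the flush, then runs the same constructed journal with and without a check_nid_range()-style guard. The block size, the 9-byte on-disk NAT entry (455 entries per NAT block), and the MSB-first bit order of f2fs_test_bit() mirror f2fs; the `toy_` names, struct layouts, bitmap size and journal contents are hypothetical stand-ins constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t nid_t;

/* Layout constants taken from f2fs: 4 KiB blocks and a 9-byte on-disk
 * f2fs_nat_entry, so 455 NAT entries per NAT block. */
#define F2FS_BLKSIZE          4096u
#define NAT_ENTRY_SIZE        9u
#define NAT_ENTRY_PER_BLOCK   (F2FS_BLKSIZE / NAT_ENTRY_SIZE)
#define NAT_BLOCK_OFFSET(nid) ((nid) / NAT_ENTRY_PER_BLOCK)
#define F2FS_ROOT_INO         3u

/* Hypothetical stand-in for the fields of f2fs_sb_info/f2fs_nm_info used here. */
struct toy_sbi {
    nid_t max_nid;             /* nat_blocks * NAT_ENTRY_PER_BLOCK */
    size_t nat_bitmap_bytes;   /* size of the nat_bitmap allocation */
    const uint8_t *nat_bitmap;
};

/* One journalled entry: the nid_in_journal()/nat_in_journal() pair. */
struct toy_journal_entry {
    nid_t nid;
    uint32_t blkaddr;
};

/* f2fs_test_bit(): MSB-first bit order within each byte. */
static int toy_test_bit(unsigned int nr, const uint8_t *addr)
{
    return (addr[nr >> 3] >> (7 - (nr & 7))) & 1;
}

/* check_nid_range() as the hunk calls it: non-zero means the nid is invalid. */
static int toy_check_nid_range(const struct toy_sbi *sbi, nid_t nid)
{
    if (nid < F2FS_ROOT_INO || nid >= sbi->max_nid)
        return -EINVAL;
    return 0;
}

/* The bounds test current_nat_addr() does NOT perform: whether the byte that
 * f2fs_test_bit(NAT_BLOCK_OFFSET(nid), nat_bitmap) touches lies past the end. */
static int nat_bitmap_offset_oob(const struct toy_sbi *sbi, nid_t nid)
{
    size_t byte_off = NAT_BLOCK_OFFSET(nid) >> 3;
    return byte_off >= sbi->nat_bitmap_bytes;
}

/* Walks the journal like remove_nats_in_journal(), then does the bitmap lookup
 * that __flush_nat_entry_set() -> get_next_nat_page() -> current_nat_addr()
 * would perform for every entry kept. With `checked` set, entries rejected by
 * toy_check_nid_range() are skipped, which is the `continue` the patch adds.
 * Returns the number of entries flushed; *oob_hits counts lookups that would
 * have read past nat_bitmap (where KASAN fires in the real kernel). */
static int walk_nat_journal(const struct toy_sbi *sbi,
                            const struct toy_journal_entry *je, int n,
                            int checked, int *oob_hits)
{
    int flushed = 0;
    *oob_hits = 0;
    for (int i = 0; i < n; i++) {
        nid_t nid = je[i].nid;

        if (checked && toy_check_nid_range(sbi, nid))
            continue;

        if (nat_bitmap_offset_oob(sbi, nid)) {
            (*oob_hits)++;          /* the real code dereferences here */
            continue;
        }
        (void)toy_test_bit(NAT_BLOCK_OFFSET(nid), sbi->nat_bitmap);
        flushed++;
    }
    return flushed;
}

/* Constructed scenario: 16 NAT blocks (max_nid 7280), a 2-byte nat_bitmap, and
 * a journal with two valid nids, one nid below the root inode and one
 * corrupted nid (0xFFFFFFFF, a made-up value) that exceeds max_nid. */
static const uint8_t sample_bitmap[2] = { 0xA5, 0x00 };
static const struct toy_journal_entry sample_journal[] = {
    { 5u,          0x1000u },
    { 7279u,       0x1001u },
    { 0u,          0x1002u },   /* below F2FS_ROOT_INO: in bounds, but invalid */
    { 0xFFFFFFFFu, 0x1003u },   /* exceeds max_nid: bitmap offset is out of bounds */
};

static int demo_flushed(int checked)
{
    struct toy_sbi sbi = { 16u * NAT_ENTRY_PER_BLOCK, sizeof sample_bitmap, sample_bitmap };
    int oob;
    return walk_nat_journal(&sbi, sample_journal, 4, checked, &oob);
}

static int demo_oob_hits(int checked)
{
    struct toy_sbi sbi = { 16u * NAT_ENTRY_PER_BLOCK, sizeof sample_bitmap, sample_bitmap };
    int oob;
    walk_nat_journal(&sbi, sample_journal, 4, checked, &oob);
    return oob;
}

int main(void)
{
    printf("unchecked: flushed=%d oob=%d\n", demo_flushed(0), demo_oob_hits(0));
    printf("checked:   flushed=%d oob=%d\n", demo_flushed(1), demo_oob_hits(1));
    return 0;
}
```

Without the guard the corrupted nid 0xFFFFFFFF yields NAT block offset 9439488, i.e. bitmap byte 1179936 of a 2-byte allocation, which is the out-of-bounds read KASAN reports in the trace; with the guard both that entry and the nid below F2FS_ROOT_INO are dropped before any bitmap access, matching the `continue` in the hunk.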