| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 9 Dec 2020 23:43:22 +0530
From: Anant Thazhemadam <anant.thazhemadam@...il.com>
To: Jaegeuk Kim <jaegeuk@...nel.org>, Chao Yu <chao@...nel.org>
Cc: linux-f2fs-devel@...ts.sourceforge.net,
linux-kernel@...r.kernel.org,
Anant Thazhemadam <anant.thazhemadam@...il.com>,
syzbot+ca9a785f8ac472085994@...kaller.appspotmail.com
Subject: [PATCH] fs: f2fs: fix potential shift-out-of-bounds error in sanity_check_raw_super()
In sanity_check_raw_super(), if
1 << le32_to_cpu(raw_super->log_blocksize) != F2FS_BLKSIZE, then the
block size is deemed to be invalid.
syzbot triggered a shift-out-of-bounds bug by assigning a value of 59 to
le32_to_cpu(raw_super->log_blocksize).
Although the value assigned itself isn't of much significance, this goes
to show that even if the block size is invalid,
le32_to_cpu(raw_super->log_blocksize) can be potentially evaluated to a
value for which the shift exponent becomes too large for the unsigned
int.
Since 1 << le32_to_cpu(raw_super->log_blocksize) must be = 4096 for a
valid block size, le32_to_cpu(raw_super->log_blocksize) must equal 12.
Replacing the existing check with the more direct sanity check
resolves this bug.
Reported-by: syzbot+ca9a785f8ac472085994@...kaller.appspotmail.com
Tested-by: syzbot+ca9a785f8ac472085994@...kaller.appspotmail.com
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@...il.com>
---
fs/f2fs/super.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 33808c397580..4bc7372af43f 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2775,7 +2775,6 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi,
block_t total_sections, blocks_per_seg;
struct f2fs_super_block *raw_super = (struct f2fs_super_block *)
(bh->b_data + F2FS_SUPER_OFFSET);
- unsigned int blocksize;
size_t crc_offset = 0;
__u32 crc = 0;
@@ -2802,10 +2801,8 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi,
}
/* Currently, support only 4KB block size */
- blocksize = 1 << le32_to_cpu(raw_super->log_blocksize);
- if (blocksize != F2FS_BLKSIZE) {
- f2fs_info(sbi, "Invalid blocksize (%u), supports only 4KB",
- blocksize);
+ if (le32_to_cpu(raw_super->log_blocksize) != 12) {
+ f2fs_info(sbi, "Invalid blocksize. Only 4KB supported");
return -EFSCORRUPTED;
}
--
2.25.1
Powered by blists - more mailing lists