| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250220083302.5902-1-arefev@swemel.ru>
Date: Thu, 20 Feb 2025 11:33:01 +0300
From: Denis Arefev <arefev@...mel.ru>
To: stable@...r.kernel.org,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Jaegeuk Kim <jaegeuk@...nel.org>,
Chao Yu <chao@...nel.org>,
linux-f2fs-devel@...ts.sourceforge.net,
linux-kernel@...r.kernel.org,
lvc-project@...uxtesting.org
Subject: [PATCH 5.15] f2fs: fix shift-out-of-bounds in parse_options()
No upstream commit exists for this commit.
Using an arbitrary value that does not fall into the required range as an
argument of the shift operator when outputting an error is wrong in itself.
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_shift_out_of_bounds+0x3bf/0x420 lib/ubsan.c:321
parse_options+0x4ad6/0x4ae0 fs/f2fs/super.c:919
f2fs_fill_super+0x321b/0x7c40 fs/f2fs/super.c:4214
mount_bdev+0x2c9/0x3f0 fs/super.c:1443
legacy_get_tree+0xeb/0x180 fs/fs_context.c:632
vfs_get_tree+0x88/0x270 fs/super.c:1573
do_new_mount+0x2ba/0xb40 fs/namespace.c:3051
do_mount fs/namespace.c:3394 [inline]
__do_sys_mount fs/namespace.c:3602 [inline]
__se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3579
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
There is a commit 87161a2b0aed ("f2fs: deprecate io_bits") that completely
removes these strings, but it's not practical to backport it.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Link: syzbot+410500002694f3ff65b1@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=410500002694f3ff65b1
Fixes: ec91538dccd4 ("f2fs: get io size bit from mount option")
Signed-off-by: Denis Arefev <arefev@...mel.ru>
---
fs/f2fs/super.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index f8aaff9b1784..c0fa7d785f3c 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -891,8 +891,8 @@ static int parse_options(struct super_block *sb, char *options, bool is_remount)
if (args->from && match_int(args, &arg))
return -EINVAL;
if (arg <= 0 || arg > __ilog2_u32(BIO_MAX_VECS)) {
- f2fs_warn(sbi, "Not support %d, larger than %d",
- 1 << arg, BIO_MAX_VECS);
+ f2fs_warn(sbi, "Not support 2^%d, invalid argument %d",
+ arg, BIO_MAX_VECS);
return -EINVAL;
}
F2FS_OPTION(sbi).write_io_size_bits = arg;
--
2.43.0
Powered by blists - more mailing lists