android_kernel_samsung_sm8650/fs/erofs
Gao Xiang dcbe6803ff erofs: fix buffer copy overflow of ztailpacking feature
I got some KASAN reports as below:

[   46.959738] ==================================================================
[   46.960430] BUG: KASAN: use-after-free in z_erofs_shifted_transform+0x2bd/0x370
[   46.960430] Read of size 4074 at addr ffff8880300c2f8e by task fssum/188
...
[   46.960430] Call Trace:
[   46.960430]  <TASK>
[   46.960430]  dump_stack_lvl+0x41/0x5e
[   46.960430]  print_report.cold+0xb2/0x6b7
[   46.960430]  ? z_erofs_shifted_transform+0x2bd/0x370
[   46.960430]  kasan_report+0x8a/0x140
[   46.960430]  ? z_erofs_shifted_transform+0x2bd/0x370
[   46.960430]  kasan_check_range+0x14d/0x1d0
[   46.960430]  memcpy+0x20/0x60
[   46.960430]  z_erofs_shifted_transform+0x2bd/0x370
[   46.960430]  z_erofs_decompress_pcluster+0xaae/0x1080

The root cause is that the tail pcluster won't be a complete filesystem
block anymore. So if ztailpacking is used, the second part of an
uncompressed tail pcluster may not be ``rq->pageofs_out``.

Fixes: ab749badf9 ("erofs: support unaligned data decompression")
Fixes: cecf864d3d ("erofs: support inline data decompression")
Reviewed-by: Yue Hu <huyue2@coolpad.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Link: https://lore.kernel.org/r/20220512115833.24175-1-hsiangkao@linux.alibaba.com
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
2022-05-17 23:38:14 +08:00
compress.h erofs: introduce z_erofs_fixup_insize 2021-12-29 06:42:07 +08:00
data.c erofs: use meta buffers for reading directories 2022-03-17 00:09:02 +08:00
decompressor_lzma.c erofs: introduce z_erofs_fixup_insize 2021-12-29 06:42:07 +08:00
decompressor.c erofs: fix buffer copy overflow of ztailpacking feature 2022-05-17 23:38:14 +08:00
dir.c erofs: use meta buffers for reading directories 2022-03-17 00:09:02 +08:00
erofs_fs.h erofs: refine on-disk definition comments 2022-05-17 23:38:13 +08:00
inode.c erofs: remove obsoleted comments 2022-05-17 23:38:13 +08:00
internal.h erofs: remove obsoleted comments 2022-05-17 23:38:13 +08:00
Kconfig erofs: lzma compression support 2021-10-19 23:44:30 +08:00
Makefile erofs: add sysfs interface 2021-12-08 09:40:37 +08:00
namei.c erofs: use meta buffers for inode lookup 2022-03-17 00:09:02 +08:00
pcpubuf.c erofs: get rid of ->lru usage 2021-10-25 08:22:59 +08:00
super.c Filesystem folio changes for 5.18 2022-03-22 18:26:56 -07:00
sysfs.c fs: erofs: add sanity check for kobject in erofs_unregister_sysfs 2022-03-17 00:09:02 +08:00
tagptr.h erofs: clean up file headers & footers 2021-06-08 00:41:24 +08:00
utils.c erofs: fix deadlock when shrink erofs slab 2021-11-23 14:58:16 +08:00
xattr.c erofs: use meta buffers for xattr operations 2022-01-04 23:47:08 +08:00
xattr.h erofs: use meta buffers for xattr operations 2022-01-04 23:47:08 +08:00
zdata.c erofs: fix use-after-free of on-stack io[] 2022-04-15 23:51:43 +08:00
zdata.h erofs: fix use-after-free of on-stack io[] 2022-04-15 23:51:43 +08:00
zmap.c erofs: clean up z_erofs_extent_lookback 2022-03-17 00:08:48 +08:00
zpvec.h erofs: fix unsafe pagevec reuse of hooked pclusters 2021-11-08 10:02:10 +08:00