android/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
958b0ee23f
android_kernel_xiaomi_sm8450/fs/ext4
History
Luís Henriques 958b0ee23f ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0 
commit 29a5b8a137ac8eb410cc823653a29ac0e7b7e1b0 upstream.

When walking through an inode extents, the ext4_ext_binsearch_idx() function
assumes that the extent header has been previously validated.  However, there
are no checks that verify that the number of entries (eh->eh_entries) is
non-zero when depth is > 0.  And this will lead to problems because the
EXT_FIRST_INDEX() and EXT_LAST_INDEX() will return garbage and result in this:

[  135.245946] ------------[ cut here ]------------
[  135.247579] kernel BUG at fs/ext4/extents.c:2258!
[  135.249045] invalid opcode: 0000 [#1] PREEMPT SMP
[  135.250320] CPU: 2 PID: 238 Comm: tmp118 Not tainted 5.19.0-rc8+ #4
[  135.252067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
[  135.255065] RIP: 0010:ext4_ext_map_blocks+0xc20/0xcb0
[  135.256475] Code:
[  135.261433] RSP: 0018:ffffc900005939f8 EFLAGS: 00010246
[  135.262847] RAX: 0000000000000024 RBX: ffffc90000593b70 RCX: 0000000000000023
[  135.264765] RDX: ffff8880038e5f10 RSI: 0000000000000003 RDI: ffff8880046e922c
[  135.266670] RBP: ffff8880046e9348 R08: 0000000000000001 R09: ffff888002ca580c
[  135.268576] R10: 0000000000002602 R11: 0000000000000000 R12: 0000000000000024
[  135.270477] R13: 0000000000000000 R14: 0000000000000024 R15: 0000000000000000
[  135.272394] FS:  00007fdabdc56740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
[  135.274510] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  135.276075] CR2: 00007ffc26bd4f00 CR3: 0000000006261004 CR4: 0000000000170ea0
[  135.277952] Call Trace:
[  135.278635]  <TASK>
[  135.279247]  ? preempt_count_add+0x6d/0xa0
[  135.280358]  ? percpu_counter_add_batch+0x55/0xb0
[  135.281612]  ? _raw_read_unlock+0x18/0x30
[  135.282704]  ext4_map_blocks+0x294/0x5a0
[  135.283745]  ? xa_load+0x6f/0xa0
[  135.284562]  ext4_mpage_readpages+0x3d6/0x770
[  135.285646]  read_pages+0x67/0x1d0
[  135.286492]  ? folio_add_lru+0x51/0x80
[  135.287441]  page_cache_ra_unbounded+0x124/0x170
[  135.288510]  filemap_get_pages+0x23d/0x5a0
[  135.289457]  ? path_openat+0xa72/0xdd0
[  135.290332]  filemap_read+0xbf/0x300
[  135.291158]  ? _raw_spin_lock_irqsave+0x17/0x40
[  135.292192]  new_sync_read+0x103/0x170
[  135.293014]  vfs_read+0x15d/0x180
[  135.293745]  ksys_read+0xa1/0xe0
[  135.294461]  do_syscall_64+0x3c/0x80
[  135.295284]  entry_SYSCALL_64_after_hwframe+0x46/0xb0

This patch simply adds an extra check in __ext4_ext_check(), verifying that
eh_entries is not 0 when eh_depth is > 0.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=215941
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216283
Cc: Baokun Li <libaokun1@huawei.com>
Cc: stable@kernel.org
Signed-off-by: Luís Henriques <lhenriques@suse.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Link: https://lore.kernel.org/r/20220822094235.2690-1-lhenriques@suse.de
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-09-28 11:10:41 +02:00
..
acl.c ext4: main fast-commit commit path 2020-10-21 23:22:37 -04:00
acl.h ext4: fix up remaining files with SPDX cleanups 2017-12-17 22:00:59 -05:00
balloc.c ext4: shrink race window in ext4_should_retry_alloc() 2021-04-07 15:00:03 +02:00
bitmap.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
block_validity.c ext4: rename system_blks to s_system_blks inside ext4_sb_info 2020-10-18 10:36:59 -04:00
dir.c ext4: fix potential infinite loop in ext4_dx_readdir() 2021-10-06 15:56:02 +02:00
ext4_extents.h ext4: fix EXT_MAX_EXTENT/INDEX to check for zeroed eh_max 2020-06-03 23:16:49 -04:00
ext4_jbd2.c ext4: fix null-ptr-deref in '__ext4_journal_ensure_credits' 2022-01-27 10:54:28 +01:00
ext4_jbd2.h ext4: drop ext4_journal_free_reserved() 2020-06-03 23:16:53 -04:00
ext4.h ext4: only allow test_dummy_encryption when supported 2022-06-09 10:21:31 +02:00
extents_status.c ext4: remove check for zero nr_to_scan in ext4_es_scan() 2021-07-14 16:55:41 +02:00
extents_status.h ext4: fix extent_status trace points 2020-01-25 02:03:03 -05:00
extents.c ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0 2022-09-28 11:10:41 +02:00
fast_commit.c ext4: fix incorrect type issue during replay_del_range 2022-02-08 18:30:41 +01:00
fast_commit.h ext4: fix fast commit alignment issues 2021-06-10 13:39:26 +02:00
file.c ext4: Fix occasional generic/418 failure 2021-05-11 14:47:38 +02:00
fsmap.c treewide: Change list_sort to use const pointers 2021-09-30 10:11:04 +02:00
fsmap.h ext4: fix up remaining files with SPDX cleanups 2017-12-17 22:00:59 -05:00
fsync.c ext4: make s_mount_flags modifications atomic 2020-11-06 23:01:05 -05:00
hash.c ext4: use generic casefolding support 2020-10-28 13:43:13 -04:00
ialloc.c ext4: fix avefreec in find_group_orlov 2021-07-14 16:55:41 +02:00
indirect.c ext4: use ext4_sb_bread() instead of sb_bread() 2020-10-18 10:37:14 -04:00
inline.c ext4: correct max_inline_xattr_value_size computing 2022-08-21 15:16:24 +02:00
inode-test.c kunit: allow kunit tests to be loaded as a module 2020-01-09 16:42:29 -07:00
inode.c ext4: correct the misjudgment in ext4_iget_extra_inode 2022-08-21 15:16:24 +02:00
ioctl.c ext4: avoid trim error on fs with small groups 2022-01-27 10:54:04 +01:00
Kconfig ext: EXT4_KUNIT_TESTS should depend on EXT4_FS instead of selecting it 2021-03-04 11:38:15 +01:00
Makefile ext4 / jbd2: add fast commit initialization 2020-10-21 23:22:26 -04:00
mballoc.c ext4: fix bug_on ext4_mb_use_inode_pa 2022-06-22 14:13:19 +02:00
mballoc.h ext4: limit the length of per-inode prealloc list 2020-08-19 12:04:36 -04:00
migrate.c ext4: recover csum seed of tmp_inode after migrating to extents 2022-08-21 15:16:03 +02:00
mmp.c ext4: fix possible UAF when remounting r/o a mmp-protected file system 2021-11-02 19:48:18 +01:00
move_extent.c ext4: use common helpers in all places reading metadata buffers 2020-10-18 10:37:14 -04:00
namei.c ext4: avoid remove directory when directory is corrupted 2022-08-25 11:38:18 +02:00
page-io.c ext4: fix symlink file size not match to file content 2022-04-27 13:53:56 +02:00
readpage.c Improvements to ext4's block allocator performance for very large file 2020-08-21 11:03:38 -07:00
resize.c ext4: avoid resizing to a partial cluster size 2022-08-25 11:38:18 +02:00
super.c ext4: only allow test_dummy_encryption when supported 2022-06-09 10:21:31 +02:00
symlink.c ext4: report correct st_size for encrypted symlinks 2021-09-08 08:48:59 +02:00
sysfs.c ext4: shrink race window in ext4_should_retry_alloc() 2021-04-07 15:00:03 +02:00
truncate.h ext4: handle layout changes to pinned DAX mappings 2018-07-29 17:00:22 -04:00
verity.c ext4: fix error handling in ext4_end_enable_verity() 2021-03-25 09:04:17 +01:00
xattr_hurd.c ext4: support xattr gnu.* namespace for the Hurd 2020-06-12 13:23:34 -04:00
xattr_security.c ext4: use XATTR_CREATE in ext4_initxattrs() 2018-05-10 11:52:14 -04:00
xattr_trusted.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xattr_user.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xattr.c ext4: fix use-after-free in ext4_xattr_set_entry 2022-08-21 15:16:23 +02:00
xattr.h ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h 2022-08-21 15:16:23 +02:00