diff options
author | Jaegeuk Kim <jaegeuk@kernel.org> | 2018-11-14 23:40:30 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-08-05 11:06:49 +0300 |
commit | bc08d46f010ccf05817c0f53ba4226de20645a36 (patch) | |
tree | 1498d3d0b51cab7b9af10956147161c125304ec6 | |
parent | 00cf08b009e56555e69b5d9d307577856a9a0114 (diff) | |
download | linux-bc08d46f010ccf05817c0f53ba4226de20645a36.tar.xz |
f2fs: check memory boundary by insane namelen
[ Upstream commit 4e240d1bab1ead280ddf5eb05058dba6bbd57d10 ]
If namelen is corrupted to have very long value, fill_dentries can copy
wrong memory area.
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r-- | fs/f2fs/dir.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c index 4abefd841b6c..7a177b8f227d 100644 --- a/fs/f2fs/dir.c +++ b/fs/f2fs/dir.c @@ -817,6 +817,16 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d, de_name.name = d->filename[bit_pos]; de_name.len = le16_to_cpu(de->name_len); + /* check memory boundary before moving forward */ + bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)); + if (unlikely(bit_pos > d->max)) { + f2fs_msg(F2FS_I_SB(d->inode)->sb, KERN_WARNING, + "%s: corrupted namelen=%d, run fsck to fix.", + __func__, le16_to_cpu(de->name_len)); + set_sbi_flag(F2FS_I_SB(d->inode)->sb->s_fs_info, SBI_NEED_FSCK); + return -EINVAL; + } + if (f2fs_encrypted_inode(d->inode)) { int save_len = fstr->len; int err; @@ -835,7 +845,6 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d, le32_to_cpu(de->ino), d_type)) return 1; - bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)); ctx->pos = start_pos + bit_pos; } return 0; |