• Chao Yu's avatar
    f2fs: fix to do sanity check with inode.i_inline_xattr_size · dd6c89b5
    Chao Yu authored
    As Paul Bandha reported in bugzilla:
    
    https://bugzilla.kernel.org/show_bug.cgi?id=202709
    
    When I run the poc on the mounted f2fs img I get a buffer overflow in
    read_inline_xattr due to there being no sanity check on the value of
    i_inline_xattr_size.
    
    I created the img by just modifying the value of i_inline_xattr_size
    in the inode:
    
    i_name                        		[test1.txt]
    i_ext: fofs:0 blkaddr:0 len:0
    i_extra_isize                 		[0x      18 : 24]
    i_inline_xattr_size           		[0x    ffff : 65535]
    i_addr[ofs]                   		[0x       0 : 0]
    
    mkdir /mnt/f2fs
    mount ./f2fs1.img /mnt/f2fs
    gcc poc.c -o poc
    ./poc
    
    int main() {
    	int y = syscall(SYS_listxattr, "/mnt/f2fs/test1.txt", NULL, 0);
    	printf("ret %d", y);
    	printf("errno: %d\n", errno);
    
    }
    
     BUG: KASAN: slab-out-of-bounds in read_inline_xattr+0x18f/0x260
     Read of size 262140 at addr ffff88011035efd8 by task f2fs1poc/3263
    
     CPU: 0 PID: 3263 Comm: f2fs1poc Not tainted 4.18.0-custom #1
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
     Call Trace:
      dump_stack+0x71/0xab
      print_address_description+0x83/0x250
      kasan_report+0x213/0x350
      memcpy+0x1f/0x50
      read_inline_xattr+0x18f/0x260
      read_all_xattrs+0xba/0x190
      f2fs_listxattr+0x9d/0x3f0
      listxattr+0xb2/0xd0
      path_listxattr+0x93/0xe0
      do_syscall_64+0x9d/0x220
      entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Let's add sanity check for inode.i_inline_xattr_size during f2fs_iget()
    to avoid this issue.
    Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
    Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
    dd6c89b5
inode.c 21.7 KB