[PATCH] f2fs: add a condition to detect overflow in f2fs_ioc_gc_range()

From: Sahitya Tummala
Date: Tue Sep 17 2019 - 00:50:08 EST

Next message: Biwen Li: "[v2,1/3] soc: fsl: fix that flextimer cannot wakeup system in deep sleep on LS1021A"
Previous message: Yoshihiro Shimoda: "RE: DRM Driver implementation question"
Next in thread: Chao Yu: "Re: [PATCH] f2fs: add a condition to detect overflow in f2fs_ioc_gc_range()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

end = range.start + range.len;

If the range.start/range.len is a very large value, then end can overflow
in this operation. It results into a crash in get_valid_blocks() when
accessing the invalid range.start segno.

This issue is reported in ioctl fuzz testing.

Signed-off-by: Sahitya Tummala <stummala@xxxxxxxxxxxxxx>
---
fs/f2fs/file.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index 5474aaa..c2b4767 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -2123,9 +2123,8 @@ static int f2fs_ioc_gc_range(struct file *filp, unsigned long arg)
return -EROFS;

end = range.start + range.len;
- if (range.start < MAIN_BLKADDR(sbi) || end >= MAX_BLKADDR(sbi)) {
+ if (end < range.start || range.start < MAIN_BLKADDR(sbi) || end >= MAX_BLKADDR(sbi))
return -EINVAL;
- }

ret = mnt_want_write_file(filp);
if (ret)
--
Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project.

Next message: Biwen Li: "[v2,1/3] soc: fsl: fix that flextimer cannot wakeup system in deep sleep on LS1021A"
Previous message: Yoshihiro Shimoda: "RE: DRM Driver implementation question"
Next in thread: Chao Yu: "Re: [PATCH] f2fs: add a condition to detect overflow in f2fs_ioc_gc_range()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]