[PATCH] f2fs-tools: fix heap-buffer-overflow of reading SSA from checkpoint area
From: Daeho Jeong
Date: Tue Mar 03 2026 - 12:03:43 EST
From: Daeho Jeong <daehojeong@xxxxxxxxxx>
Reproduction:
truncate -s 512M overflow.img
./out/host/linux-x86/bin/make_f2fs -g android -b 16384 -w 16384 -O packed_ssa overflow.img
mkdir -p empty_dir
export ASAN_OPTIONS=detect_leaks=0:abort_on_error=1
./out/host/linux-x86/bin/sload_f2fs -f empty_dir -t /data overflow.img
Result:
==306082==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7df5201e2500 at pc 0x5567ea010583 bp 0x7ffc3386c210 sp 0x7ffc3386b9d8
READ of size 16384 at 0x7df5201e2500 thread T0
Even though we can reduce the summary block to 4KB, we need to maintain
backward compatibility for the checkpoint area. Therefore, the summary
block there must match the block size, so it is correct to use F2FS_BLKSIZE.
Fixes: ad1357c34023 ("f2fs-tools: revert summary entry count from 2048 to 512 in 16kb block support")
Reported-by: Maxim Pleshivenkov <mpleshivenkov@xxxxxxxxxx>
Signed-off-by: Daeho Jeong <daehojeong@xxxxxxxxxx>
---
fsck/mount.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fsck/mount.c b/fsck/mount.c
index 6f640a0..fdf3f02 100644
--- a/fsck/mount.c
+++ b/fsck/mount.c
@@ -2249,7 +2249,7 @@ static int build_curseg(struct f2fs_sb_info *sbi)
SM_I(sbi)->curseg_array = array;
for (i = 0; i < NR_CURSEG_TYPE; i++) {
- array[i].sum_blk = calloc(F2FS_SUM_BLKSIZE, 1);
+ array[i].sum_blk = calloc(F2FS_BLKSIZE, 1);
if (!array[i].sum_blk) {
MSG(1, "\tError: Calloc failed for build_curseg!!\n");
goto seg_cleanup;
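Review bot: the hunk grows the allocation to F2FS_BLKSIZE without a comment saying why, so the next reader who sees F2FS_SUM_BLKSIZE used for summary blocks elsewhere will be tempted to "fix" this back and reintroduce the overflow. Suggest a one-line comment above the calloc, e.g. "/* checkpoint area stores a full block-sized summary for compatibility */", so the backward-compatibility rationale from the commit message lives next to the code. It is also worth confirming that every other buffer the checkpoint-area summary is read into (anything else sized with F2FS_SUM_BLKSIZE that receives a block-sized read) is covered; this hunk only changes the build_curseg allocation, and the read site that ASAN flagged is not shown in the patch.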
--
2.53.0.473.g4a7958ca14-goog
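The overflow above is a destination-size mismatch: a buffer sized for the reduced 4 KiB summary block receives a read of one full 16 KiB block from the checkpoint area. The following is an added example, not f2fs-tools code, modelling that mismatch with a bounds-checked block read. BLKSIZE and SUM_BLKSIZE are assumed illustrative values (16384 and 4096), the image is constructed in memory, and read_block_checked and try_alloc_and_read are hypothetical helpers that refuse the copy instead of overrunning the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed values for illustration only (not f2fs-tools' definitions):
 * a 16 KiB block size image and a summary block shrunk to 4 KiB. */
#define BLKSIZE      16384u
#define SUM_BLKSIZE   4096u

/* Copy block `blk` of an in-memory image into dst.
 * Returns 0 on success, -1 if the block lies outside the image,
 * -2 if dst is too small to hold a whole block (the bug class above). */
static int read_block_checked(const uint8_t *img, size_t img_len, size_t blk,
                              size_t blksize, uint8_t *dst, size_t dst_len)
{
    if (blksize == 0 || img_len < blksize)
        return -1;
    if (blk > (img_len - blksize) / blksize)   /* overflow-safe range check */
        return -1;
    if (dst_len < blksize)                     /* would overrun dst */
        return -2;
    memcpy(dst, img + blk * blksize, blksize);
    return 0;
}

/* Build a constructed two-block image, allocate `alloc` bytes for the
 * summary block (as build_curseg does with calloc) and try to read
 * block `blk` into it. Returns read_block_checked's result, or -3 if
 * the data read back does not match what was written. */
static int try_alloc_and_read(size_t alloc, size_t blk)
{
    const size_t nblocks = 2;
    uint8_t *img = calloc(nblocks, BLKSIZE);
    uint8_t *sum_blk = calloc(alloc, 1);
    int rc;

    if (!img || !sum_blk) {
        free(img);
        free(sum_blk);
        return -1;
    }
    /* Constructed content: block 1 holds the "summary", filled with 0xA5. */
    memset(img + BLKSIZE, 0xA5, BLKSIZE);

    rc = read_block_checked(img, nblocks * BLKSIZE, blk, BLKSIZE,
                            sum_blk, alloc);
    if (rc == 0 && blk == 1) {
        size_t i;
        for (i = 0; i < BLKSIZE; i++) {
            if (sum_blk[i] != 0xA5) {
                rc = -3;
                break;
            }
        }
    }
    free(img);
    free(sum_blk);
    return rc;
}

int main(void)
{
    printf("alloc SUM_BLKSIZE, read block 1: %d\n",
           try_alloc_and_read(SUM_BLKSIZE, 1));   /* -2: too small */
    printf("alloc BLKSIZE,     read block 1: %d\n",
           try_alloc_and_read(BLKSIZE, 1));       /*  0: fits */
    printf("alloc BLKSIZE,     read block 7: %d\n",
           try_alloc_and_read(BLKSIZE, 7));       /* -1: past image end */
    return 0;
}
```

The pre-fix allocation corresponds to the first call: the copy is rejected with -2 rather than reading 16384 bytes into a 4096-byte heap buffer, which is what AddressSanitizer reported in the reproduction above.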