linux-stable/fs/erofs
Gao Xiang 4d53a625f2 erofs: fix buffer copy overflow of ztailpacking feature
[ Upstream commit dcbe6803ff ]

I got a KASAN report as below:

[   46.959738] ==================================================================
[   46.960430] BUG: KASAN: use-after-free in z_erofs_shifted_transform+0x2bd/0x370
[   46.960430] Read of size 4074 at addr ffff8880300c2f8e by task fssum/188
...
[   46.960430] Call Trace:
[   46.960430]  <TASK>
[   46.960430]  dump_stack_lvl+0x41/0x5e
[   46.960430]  print_report.cold+0xb2/0x6b7
[   46.960430]  ? z_erofs_shifted_transform+0x2bd/0x370
[   46.960430]  kasan_report+0x8a/0x140
[   46.960430]  ? z_erofs_shifted_transform+0x2bd/0x370
[   46.960430]  kasan_check_range+0x14d/0x1d0
[   46.960430]  memcpy+0x20/0x60
[   46.960430]  z_erofs_shifted_transform+0x2bd/0x370
[   46.960430]  z_erofs_decompress_pcluster+0xaae/0x1080

The root cause is that the tail pcluster won't be a complete filesystem
block anymore. So if ztailpacking is used, the second part of an
uncompressed tail pcluster may not be ``rq->pageofs_out``.

Fixes: ab749badf9 ("erofs: support unaligned data decompression")
Fixes: cecf864d3d ("erofs: support inline data decompression")
Reviewed-by: Yue Hu <huyue2@coolpad.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Link: https://lore.kernel.org/r/20220512115833.24175-1-hsiangkao@linux.alibaba.com
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-06-09 10:25:54 +02:00
Kconfig erofs: lzma compression support 2021-10-19 23:44:30 +08:00
Makefile erofs: add sysfs interface 2021-12-08 09:40:37 +08:00
compress.h erofs: introduce z_erofs_fixup_insize 2021-12-29 06:42:07 +08:00
data.c erofs: fix fsdax partition offset handling 2022-01-24 22:36:27 +08:00
decompressor.c erofs: fix buffer copy overflow of ztailpacking feature 2022-06-09 10:25:54 +02:00
decompressor_lzma.c erofs: introduce z_erofs_fixup_insize 2021-12-29 06:42:07 +08:00
dir.c erofs: clean up file headers & footers 2021-06-08 00:41:24 +08:00
erofs_fs.h erofs: add on-disk compressed tail-packing inline support 2021-12-31 00:51:10 +08:00
inode.c erofs: use meta buffers for inode operations 2022-01-04 23:44:46 +08:00
internal.h erofs: fix ztailpacking on > 4GiB filesystems 2022-03-02 21:58:45 +08:00
namei.c erofs: add fiemap support with iomap 2021-08-19 00:13:43 +08:00
pcpubuf.c erofs: get rid of ->lru usage 2021-10-25 08:22:59 +08:00
super.c dax + libnvdimm for v5.17 2022-01-12 15:46:11 -08:00
sysfs.c fs: erofs: add sanity check for kobject in erofs_unregister_sysfs 2022-04-08 13:57:40 +02:00
tagptr.h erofs: clean up file headers & footers 2021-06-08 00:41:24 +08:00
utils.c erofs: fix deadlock when shrink erofs slab 2021-11-23 14:58:16 +08:00
xattr.c erofs: use meta buffers for xattr operations 2022-01-04 23:47:08 +08:00
xattr.h erofs: use meta buffers for xattr operations 2022-01-04 23:47:08 +08:00
zdata.c erofs: fix use-after-free of on-stack io[] 2022-05-09 09:16:28 +02:00
zdata.h erofs: fix use-after-free of on-stack io[] 2022-05-09 09:16:28 +02:00
zmap.c erofs: fix small compressed files inlining 2022-02-04 12:37:12 +08:00
zpvec.h erofs: fix unsafe pagevec reuse of hooked pclusters 2021-11-08 10:02:10 +08:00