linux-stable/fs/ubifs
Zhihao Cheng 4f2262a334 ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()
Function ubifs_wbuf_write_nolock() may access buf out of bounds in the
following process:

ubifs_wbuf_write_nolock():
  aligned_len = ALIGN(len, 8);   // Assume len = 4089, aligned_len = 4096
  if (aligned_len <= wbuf->avail) ... // Not satisfied
  if (wbuf->used) {
    ubifs_leb_write()  // Fill some data in avail wbuf
    len -= wbuf->avail;   // len is still not 8-bytes aligned
    aligned_len -= wbuf->avail;
  }
  n = aligned_len >> c->max_write_shift;
  if (n) {
    n <<= c->max_write_shift;
    err = ubifs_leb_write(c, wbuf->lnum, buf + written,
                          wbuf->offs, n);
    // n > len, read out of bounds less than 8(n-len) bytes
  }

, which can be caught by KASAN:
  =========================================================
  BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0
  Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128
  Workqueue: writeback wb_workfn (flush-ubifs_0_0)
  Call Trace:
    kasan_report.cold+0x81/0x165
    nand_write_page_swecc+0xa9/0x160
    ubifs_leb_write+0xf2/0x1b0 [ubifs]
    ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs]
    write_head+0xdc/0x1c0 [ubifs]
    ubifs_jnl_write_inode+0x627/0x960 [ubifs]
    wb_workfn+0x8af/0xb80

Function ubifs_wbuf_write_nolock() accepts a parameter 'len' that is not 8
bytes aligned; 'len' represents the true length of buf (which is
allocated in 'ubifs_jnl_xxx', e.g. ubifs_jnl_write_inode), so
ubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully
to write the LEB safely.

Fetch a reproducer in [Link].

Fixes: 1e51764a3c ("UBIFS: add new flash file system")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=214785
Reported-by: Chengsong Ke <kechengsong@huawei.com>
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
2022-01-10 22:58:27 +01:00
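The length arithmetic described in the commit message above, as an added model that is not kernel code and not the patch itself: the flash I/O of ubifs_leb_write() is replaced by an accounting function that reports how many bytes a write would read past the caller's node buffer, and `struct wbuf_model`, `PAD_BYTE`, `overread_for()` and the scenario values (avail 2048, used 2048, max_write_shift 11, len 4089) are constructed for this example. It assumes, as UBIFS does, that wbuf->avail is a multiple of 8 and the max write unit is at least 8 bytes. `wbuf_write_before()` reproduces the pre-fix computation of `n`; `wbuf_write_after()` shows one way to write every unit but the last straight from buf and stage the last unit through a padded scratch buffer so that nothing beyond `len` is ever read.

```c
/*
 * Added model of the ubifs_wbuf_write_nolock() length arithmetic.
 * Not kernel code: flash I/O is replaced by an accounting function that
 * reports how many bytes a write would read past the caller's node buffer.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALIGN8(x)   (((x) + 7u) & ~(size_t)7u)
#define UNIT_MAX    4096u   /* largest write unit this model supports */
#define PAD_BYTE    0xFFu   /* constructed filler; real UBIFS writes padding nodes */

struct wbuf_model {                 /* constructed stand-in for struct ubifs_wbuf */
    size_t avail;                   /* free bytes left in the write buffer (multiple of 8) */
    size_t used;                    /* bytes already staged in it */
    unsigned max_write_shift;       /* log2 of the flash's max write unit (>= 3) */
    uint8_t scratch[UNIT_MAX];      /* stand-in for wbuf->buf */
};

/* Stand-in for ubifs_leb_write() of n bytes taken from buf at offset off:
 * returns how many of them lie beyond the buf_len bytes the caller owns. */
static size_t leb_write_from_buf(size_t buf_len, size_t off, size_t n)
{
    return off + n > buf_len ? off + n - buf_len : 0;
}

/* Common prologue: top up and flush a partially used wbuf with the head
 * of the node. Because avail is a multiple of 8 and aligned > avail, the
 * real len is also > avail, so this step never over-reads. */
static size_t flush_partial(struct wbuf_model *w, size_t buf_len,
                            size_t *len, size_t *aligned, size_t *written)
{
    if (!w->used)
        return 0;
    size_t over = leb_write_from_buf(buf_len, *written, w->avail);
    *written += w->avail;
    *len -= w->avail;               /* still not 8-byte aligned */
    *aligned -= w->avail;
    return over;
}

/* Pre-fix arithmetic as quoted in the commit message. */
static size_t wbuf_write_before(struct wbuf_model *w, const uint8_t *buf, size_t len)
{
    size_t buf_len = len, aligned = ALIGN8(len), written = 0, over = 0;
    (void)buf;
    if (aligned <= w->avail)
        return 0;                                   /* node fits: memcpy only */
    over += flush_partial(w, buf_len, &len, &aligned, &written);
    size_t n = aligned >> w->max_write_shift;
    if (n) {
        n <<= w->max_write_shift;                   /* n can exceed len by up to 7 */
        over += leb_write_from_buf(buf_len, written, n);
    }
    return over;                                    /* remainder would be memcpy'd into wbuf */
}

/* Hardened variant: write all but the last unit straight from buf, stage
 * the last unit through scratch with padding, so nothing past len is read. */
static size_t wbuf_write_after(struct wbuf_model *w, const uint8_t *buf, size_t len)
{
    size_t buf_len = len, aligned = ALIGN8(len), written = 0, over = 0;
    if (aligned <= w->avail)
        return 0;
    over += flush_partial(w, buf_len, &len, &aligned, &written);
    size_t n = aligned >> w->max_write_shift;
    if (n) {
        size_t unit = (size_t)1 << w->max_write_shift;
        size_t m = (n - 1) * unit;
        /* aligned < len + 8 and unit >= 8, so m <= aligned - unit < len: in bounds. */
        if (m) {
            over += leb_write_from_buf(buf_len, written, m);
            written += m; len -= m; aligned -= m;
        }
        size_t take = len < unit ? len : unit;      /* min(len, unit) real bytes */
        memcpy(w->scratch, buf + written, take);
        if (unit > take)
            memset(w->scratch + take, PAD_BYTE, unit - take);   /* pad, do not over-read */
        /* the unit-sized flash write now comes from scratch, not from buf */
        written += take; len -= take; aligned -= unit;
    }
    if (len)
        memcpy(w->scratch, buf + written, len);     /* tail goes into the refilled wbuf */
    return over;
}

/* Run one scenario: returns bytes read past the node buffer (0 is correct). */
size_t overread_for(int fixed, size_t avail, size_t used, unsigned shift, size_t len)
{
    struct wbuf_model *w = calloc(1, sizeof *w);
    uint8_t *node = malloc(len);
    w->avail = avail; w->used = used; w->max_write_shift = shift;
    memset(node, 0xA5, len);                        /* constructed node contents */
    size_t over = fixed ? wbuf_write_after(w, node, len)
                        : wbuf_write_before(w, node, len);
    free(node); free(w);
    return over;
}

int main(void)
{
    /* Scenario from the commit message: len = 4089 -> aligned_len = 4096. */
    printf("before fix: %zu bytes over-read\n", overread_for(0, 2048, 2048, 11, 4089));
    printf("after fix:  %zu bytes over-read\n", overread_for(1, 2048, 2048, 11, 4089));
    return 0;
}
```

With the constructed scenario the pre-fix path asks the flash layer for 2048 bytes starting 2048 bytes into a 4089-byte node, 7 bytes past its end, which is the "less than 8 (n-len) bytes" over-read the commit describes; the hardened path writes the same number of flash bytes but sources the last unit from the padded scratch buffer. A second scenario with a smaller write unit (avail 1024, used 512, shift 10) exercises the case where several whole units are written directly before the final staged one.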
auth.c ubifs: Fix memleak in ubifs_init_authentication 2021-02-12 21:53:22 +01:00
budget.c ubifs: Limit the number of pages in shrink_liability 2019-08-22 17:25:33 +02:00
commit.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
compress.c ubifs: Add support for zstd compression. 2019-07-08 19:43:53 +02:00
crypto.c fscrypt: remove fscrypt_operations::max_namelen 2021-09-20 19:32:33 -07:00
debug.c ubifs: fix snprintf() checking 2021-06-18 22:04:47 +02:00
debug.h ubifs: ubifs_dump_sleb: Remove unused function 2020-12-13 22:12:38 +01:00
dir.c ubifs: Rectify space amount budget for mkdir/tmpfile operations 2022-01-10 22:12:14 +01:00
file.c ubifs: report correct st_size for encrypted symlinks 2021-07-25 20:01:07 -07:00
find.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
gc.c ubifs: read-only if LEB may always be taken in ubifs_garbage_collect 2021-12-23 22:30:38 +01:00
io.c ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock() 2022-01-10 22:58:27 +01:00
ioctl.c ubifs: setflags: Make dirtied_ino_d 8 bytes aligned 2022-01-10 22:18:42 +01:00
journal.c ubifs: Rename whiteout atomically 2022-01-10 21:58:37 +01:00
Kconfig fscrypt: Allow modular crypto algorithms 2019-12-31 10:33:51 -06:00
key.h ubifs: allow both hash and disk name to be provided in no-key names 2020-01-22 14:49:56 -08:00
log.c ubifs: remove unnecessary check in ubifs_log_start_commit 2019-07-08 19:43:51 +02:00
lprops.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
lpt.c ubifs: Fix the printing type of c->big_lpt 2020-12-13 21:57:10 +01:00
lpt_commit.c mm: remove the pgprot argument to __vmalloc 2020-06-02 10:59:11 -07:00
Makefile ubifs: Export filesystem error counters 2021-12-23 20:23:42 +01:00
master.c ubifs: Fix spelling mistakes 2021-06-22 09:21:39 +02:00
misc.c
misc.h ubifs: misc.h: delete a duplicated word 2020-08-02 22:59:03 +02:00
orphan.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
recovery.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
replay.c ubifs: Fix spelling mistakes 2021-12-23 20:23:40 +01:00
sb.c ubifs: Default to zstd compression 2021-04-15 22:00:26 +02:00
scan.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
shrinker.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
super.c ubifs: Export filesystem error counters 2021-12-23 20:23:42 +01:00
sysfs.c ubifs: fix snprintf() length check 2021-12-23 22:08:19 +01:00
tnc.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
tnc_commit.c ubifs: Fix spelling mistakes 2021-06-22 09:21:39 +02:00
tnc_misc.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
ubifs-media.h ubifs: Add support for zstd compression. 2019-07-08 19:43:53 +02:00
ubifs.h ubifs: Fix wrong number of inodes locked by ui_mutex in ubifs_inode comment 2022-01-09 21:35:38 +01:00
xattr.c ubifs: Remove ui_mutex in ubifs_xattr_get and change_xattr 2021-06-18 22:04:47 +02:00