mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-11-01 00:48:50 +00:00
90ada91f46
KASAN reports a BUG when download file in jffs2 filesystem.It is because when dstlen == 1, cpage_out will write array out of bounds. Actually, data will not be compressed in jffs2_zlib_compress() if data's length less than 4. [ 393.799778] BUG: KASAN: slab-out-of-bounds in jffs2_rtime_compress+0x214/0x2f0 at addr ffff800062e3b281 [ 393.809166] Write of size 1 by task tftp/2918 [ 393.813526] CPU: 3 PID: 2918 Comm: tftp Tainted: G B 4.9.115-rt93-EMBSYS-CGEL-6.1.R6-dirty #1 [ 393.823173] Hardware name: LS1043A RDB Board (DT) [ 393.827870] Call trace: [ 393.830322] [<ffff20000808c700>] dump_backtrace+0x0/0x2f0 [ 393.835721] [<ffff20000808ca04>] show_stack+0x14/0x20 [ 393.840774] [<ffff2000086ef700>] dump_stack+0x90/0xb0 [ 393.845829] [<ffff20000827b19c>] kasan_object_err+0x24/0x80 [ 393.851402] [<ffff20000827b404>] kasan_report_error+0x1b4/0x4d8 [ 393.857323] [<ffff20000827bae8>] kasan_report+0x38/0x40 [ 393.862548] [<ffff200008279d44>] __asan_store1+0x4c/0x58 [ 393.867859] [<ffff2000084ce2ec>] jffs2_rtime_compress+0x214/0x2f0 [ 393.873955] [<ffff2000084bb3b0>] jffs2_selected_compress+0x178/0x2a0 [ 393.880308] [<ffff2000084bb530>] jffs2_compress+0x58/0x478 [ 393.885796] [<ffff2000084c5b34>] jffs2_write_inode_range+0x13c/0x450 [ 393.892150] [<ffff2000084be0b8>] jffs2_write_end+0x2a8/0x4a0 [ 393.897811] [<ffff2000081f3008>] generic_perform_write+0x1c0/0x280 [ 393.903990] [<ffff2000081f5074>] __generic_file_write_iter+0x1c4/0x228 [ 393.910517] [<ffff2000081f5210>] generic_file_write_iter+0x138/0x288 [ 393.916870] [<ffff20000829ec1c>] __vfs_write+0x1b4/0x238 [ 393.922181] [<ffff20000829ff00>] vfs_write+0xd0/0x238 [ 393.927232] [<ffff2000082a1ba8>] SyS_write+0xa0/0x110 [ 393.932283] [<ffff20000808429c>] __sys_trace_return+0x0/0x4 [ 393.937851] Object at ffff800062e3b280, in cache kmalloc-64 size: 64 [ 393.944197] Allocated: [ 393.946552] PID = 2918 [ 393.948913] save_stack_trace_tsk+0x0/0x220 [ 393.953096] save_stack_trace+0x18/0x20 [ 393.956932] kasan_kmalloc+0xd8/0x188 [ 393.960594] __kmalloc+0x144/0x238 [ 393.963994] jffs2_selected_compress+0x48/0x2a0 [ 393.968524] jffs2_compress+0x58/0x478 [ 393.972273] jffs2_write_inode_range+0x13c/0x450 [ 393.976889] jffs2_write_end+0x2a8/0x4a0 [ 393.980810] generic_perform_write+0x1c0/0x280 [ 393.985251] __generic_file_write_iter+0x1c4/0x228 [ 393.990040] generic_file_write_iter+0x138/0x288 [ 393.994655] __vfs_write+0x1b4/0x238 [ 393.998228] vfs_write+0xd0/0x238 [ 394.001543] SyS_write+0xa0/0x110 [ 394.004856] __sys_trace_return+0x0/0x4 [ 394.008684] Freed: [ 394.010691] PID = 2918 [ 394.013051] save_stack_trace_tsk+0x0/0x220 [ 394.017233] save_stack_trace+0x18/0x20 [ 394.021069] kasan_slab_free+0x88/0x188 [ 394.024902] kfree+0x6c/0x1d8 [ 394.027868] jffs2_sum_write_sumnode+0x2c4/0x880 [ 394.032486] jffs2_do_reserve_space+0x198/0x598 [ 394.037016] jffs2_reserve_space+0x3f8/0x4d8 [ 394.041286] jffs2_write_inode_range+0xf0/0x450 [ 394.045816] jffs2_write_end+0x2a8/0x4a0 [ 394.049737] generic_perform_write+0x1c0/0x280 [ 394.054179] __generic_file_write_iter+0x1c4/0x228 [ 394.058968] generic_file_write_iter+0x138/0x288 [ 394.063583] __vfs_write+0x1b4/0x238 [ 394.067157] vfs_write+0xd0/0x238 [ 394.070470] SyS_write+0xa0/0x110 [ 394.073783] __sys_trace_return+0x0/0x4 [ 394.077612] Memory state around the buggy address: [ 394.082404] ffff800062e3b180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 394.089623] ffff800062e3b200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 394.096842] >ffff800062e3b280: 01 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 394.104056] ^ [ 394.107283] ffff800062e3b300: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 394.114502] ffff800062e3b380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 394.121718] ================================================================== Signed-off-by: Yang Yang <yang.yang29@zte.com.cn> Signed-off-by: Richard Weinberger <richard@nod.at>
133 lines
2.9 KiB
C
133 lines
2.9 KiB
C
/*
|
|
* JFFS2 -- Journalling Flash File System, Version 2.
|
|
*
|
|
* Copyright © 2001-2007 Red Hat, Inc.
|
|
* Copyright © 2004-2010 David Woodhouse <dwmw2@infradead.org>
|
|
*
|
|
* Created by Arjan van de Ven <arjanv@redhat.com>
|
|
*
|
|
* For licensing information, see the file 'LICENCE' in this directory.
|
|
*
|
|
*
|
|
*
|
|
* Very simple lz77-ish encoder.
|
|
*
|
|
* Theory of operation: Both encoder and decoder have a list of "last
|
|
* occurrences" for every possible source-value; after sending the
|
|
* first source-byte, the second byte indicated the "run" length of
|
|
* matches
|
|
*
|
|
* The algorithm is intended to only send "whole bytes", no bit-messing.
|
|
*
|
|
*/
|
|
|
|
#include <linux/kernel.h>
|
|
#include <linux/types.h>
|
|
#include <linux/errno.h>
|
|
#include <linux/string.h>
|
|
#include <linux/jffs2.h>
|
|
#include "compr.h"
|
|
|
|
/* _compress returns the compressed size, -1 if bigger */
|
|
static int jffs2_rtime_compress(unsigned char *data_in,
|
|
unsigned char *cpage_out,
|
|
uint32_t *sourcelen, uint32_t *dstlen)
|
|
{
|
|
unsigned short positions[256];
|
|
int outpos = 0;
|
|
int pos=0;
|
|
|
|
if (*dstlen <= 3)
|
|
return -1;
|
|
|
|
memset(positions,0,sizeof(positions));
|
|
|
|
while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
|
|
int backpos, runlen=0;
|
|
unsigned char value;
|
|
|
|
value = data_in[pos];
|
|
|
|
cpage_out[outpos++] = data_in[pos++];
|
|
|
|
backpos = positions[value];
|
|
positions[value]=pos;
|
|
|
|
while ((backpos < pos) && (pos < (*sourcelen)) &&
|
|
(data_in[pos]==data_in[backpos++]) && (runlen<255)) {
|
|
pos++;
|
|
runlen++;
|
|
}
|
|
cpage_out[outpos++] = runlen;
|
|
}
|
|
|
|
if (outpos >= pos) {
|
|
/* We failed */
|
|
return -1;
|
|
}
|
|
|
|
/* Tell the caller how much we managed to compress, and how much space it took */
|
|
*sourcelen = pos;
|
|
*dstlen = outpos;
|
|
return 0;
|
|
}
|
|
|
|
|
|
static int jffs2_rtime_decompress(unsigned char *data_in,
|
|
unsigned char *cpage_out,
|
|
uint32_t srclen, uint32_t destlen)
|
|
{
|
|
unsigned short positions[256];
|
|
int outpos = 0;
|
|
int pos=0;
|
|
|
|
memset(positions,0,sizeof(positions));
|
|
|
|
while (outpos<destlen) {
|
|
unsigned char value;
|
|
int backoffs;
|
|
int repeat;
|
|
|
|
value = data_in[pos++];
|
|
cpage_out[outpos++] = value; /* first the verbatim copied byte */
|
|
repeat = data_in[pos++];
|
|
backoffs = positions[value];
|
|
|
|
positions[value]=outpos;
|
|
if (repeat) {
|
|
if (backoffs + repeat >= outpos) {
|
|
while(repeat) {
|
|
cpage_out[outpos++] = cpage_out[backoffs++];
|
|
repeat--;
|
|
}
|
|
} else {
|
|
memcpy(&cpage_out[outpos],&cpage_out[backoffs],repeat);
|
|
outpos+=repeat;
|
|
}
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static struct jffs2_compressor jffs2_rtime_comp = {
|
|
.priority = JFFS2_RTIME_PRIORITY,
|
|
.name = "rtime",
|
|
.compr = JFFS2_COMPR_RTIME,
|
|
.compress = &jffs2_rtime_compress,
|
|
.decompress = &jffs2_rtime_decompress,
|
|
#ifdef JFFS2_RTIME_DISABLED
|
|
.disabled = 1,
|
|
#else
|
|
.disabled = 0,
|
|
#endif
|
|
};
|
|
|
|
int jffs2_rtime_init(void)
|
|
{
|
|
return jffs2_register_compressor(&jffs2_rtime_comp);
|
|
}
|
|
|
|
void jffs2_rtime_exit(void)
|
|
{
|
|
jffs2_unregister_compressor(&jffs2_rtime_comp);
|
|
}
|