diff mbox series

ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len

Message ID 20200116153607.11910-1-fishland@aliyun.com
State Accepted
Delegated to: Richard Weinberger
Headers show
Series ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len | expand

Commit Message

Liu Song Jan. 16, 2020, 3:36 p.m. UTC 
From: Liu Song <liu.song11@zte.com.cn>

In “ubifs_check_node”, when the value of "node_len" is abnormal,
the code will goto label of "out_len" for execution. Then, in the
following "ubifs_dump_node", if inode type is "UBIFS_DATA_NODE",
in "print_hex_dump", an out-of-bounds access may occur due to the
wrong "ch->len".

Therefore, when the value of "node_len" is abnormal, data length
should to be adjusted to a reasonable safe range. At this time,
structured data is not credible, so dump the corrupted data directly
for analysis.

Signed-off-by: Liu Song <liu.song11@zte.com.cn>
---
 fs/ubifs/io.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

Comments

Richard Weinberger March 30, 2020, 9:31 p.m. UTC | #1 
On Thu, Jan 16, 2020 at 4:37 PM Liu Song <fishland@aliyun.com> wrote:
>
> From: Liu Song <liu.song11@zte.com.cn>
>
> In “ubifs_check_node”, when the value of "node_len" is abnormal,
> the code will goto label of "out_len" for execution. Then, in the
> following "ubifs_dump_node", if inode type is "UBIFS_DATA_NODE",
> in "print_hex_dump", an out-of-bounds access may occur due to the
> wrong "ch->len".
>
> Therefore, when the value of "node_len" is abnormal, data length
> should to be adjusted to a reasonable safe range. At this time,
> structured data is not credible, so dump the corrupted data directly
> for analysis.
>
> Signed-off-by: Liu Song <liu.song11@zte.com.cn>

Applied, thanks!
diff mbox series

Patch

diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c
index 8ceb51478800..7e4bfaf2871f 100644
--- a/fs/ubifs/io.c
+++ b/fs/ubifs/io.c
@@ -225,7 +225,7 @@  int ubifs_is_mapped(const struct ubifs_info *c, int lnum)
 int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum,
 		     int offs, int quiet, int must_chk_crc)
 {
-	int err = -EINVAL, type, node_len;
+	int err = -EINVAL, type, node_len, dump_node = 1;
 	uint32_t crc, node_crc, magic;
 	const struct ubifs_ch *ch = buf;
 
@@ -278,10 +278,22 @@  int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum,
 out_len:
 	if (!quiet)
 		ubifs_err(c, "bad node length %d", node_len);
+	if (type == UBIFS_DATA_NODE && node_len > UBIFS_DATA_NODE_SZ)
+		dump_node = 0;
 out:
 	if (!quiet) {
 		ubifs_err(c, "bad node at LEB %d:%d", lnum, offs);
-		ubifs_dump_node(c, buf);
+		if (dump_node) {
+			ubifs_dump_node(c, buf);
+		} else {
+			int safe_len = min3(node_len, c->leb_size - offs,
+				(int)UBIFS_MAX_DATA_NODE_SZ);
+			pr_err("\tprevent out-of-bounds memory access\n");
+			pr_err("\ttruncated data node length      %d\n", safe_len);
+			pr_err("\tcorrupted data node:\n");
+			print_hex_dump(KERN_ERR, "\t", DUMP_PREFIX_OFFSET, 32, 1,
+					buf, safe_len, 0);
+		}
 		dump_stack();
 	}
 	return err;