From patchwork Tue Nov 28 09:09:41 2017
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 842043
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [Trusty SRU][PATCH 1/1] f2fs: do more integrity verification for superblock
Date: Tue, 28 Nov 2017 10:09:41 +0100
Message-Id: <20171128090941.26497-2-kleber.souza@canonical.com>
In-Reply-To: <20171128090941.26497-1-kleber.souza@canonical.com>
References: <20171128090941.26497-1-kleber.souza@canonical.com>

From: Chao Yu

CVE-2017-0750

Do more sanity check for superblock during ->mount.

Signed-off-by: Chao Yu
Signed-off-by: Jaegeuk Kim
(backported from commit 9a59b62fd88196844cee5fff851bee2cfd7afb6e upstream)
Signed-off-by: Kleber Sacilotto de Souza
Acked-by: Colin Ian King
Acked-by: Stefan Bader
---
 fs/f2fs/super.c | 97 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 97 insertions(+)

diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index ec70a2176c57..8c017100b7f7 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c 
@@ -677,6 +677,79 @@ static loff_t max_file_size(unsigned bits) return result; } +static inline bool sanity_check_area_boundary(struct super_block *sb, + struct f2fs_super_block *raw_super) +{ + u32 segment0_blkaddr = le32_to_cpu(raw_super->segment0_blkaddr); + u32 cp_blkaddr = le32_to_cpu(raw_super->cp_blkaddr); + u32 sit_blkaddr = le32_to_cpu(raw_super->sit_blkaddr); + u32 nat_blkaddr = le32_to_cpu(raw_super->nat_blkaddr); + u32 ssa_blkaddr = le32_to_cpu(raw_super->ssa_blkaddr); + u32 main_blkaddr = le32_to_cpu(raw_super->main_blkaddr); + u32 segment_count_ckpt = le32_to_cpu(raw_super->segment_count_ckpt); + u32 segment_count_sit = le32_to_cpu(raw_super->segment_count_sit); + u32 segment_count_nat = le32_to_cpu(raw_super->segment_count_nat); + u32 segment_count_ssa = le32_to_cpu(raw_super->segment_count_ssa); + u32 segment_count_main = le32_to_cpu(raw_super->segment_count_main); + u32 segment_count = le32_to_cpu(raw_super->segment_count); + u32 log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg); + + if (segment0_blkaddr != cp_blkaddr) { + f2fs_msg(sb, KERN_INFO, + "Mismatch start address, segment0(%u) cp_blkaddr(%u)", + segment0_blkaddr, cp_blkaddr); + return true; + } + + if (cp_blkaddr + (segment_count_ckpt << log_blocks_per_seg) != + sit_blkaddr) { + f2fs_msg(sb, KERN_INFO, + "Wrong CP boundary, start(%u) end(%u) blocks(%u)", + cp_blkaddr, sit_blkaddr, + segment_count_ckpt << log_blocks_per_seg); + return true; + } + + if (sit_blkaddr + (segment_count_sit << log_blocks_per_seg) != + nat_blkaddr) { + f2fs_msg(sb, KERN_INFO, + "Wrong SIT boundary, start(%u) end(%u) blocks(%u)", + sit_blkaddr, nat_blkaddr, + segment_count_sit << log_blocks_per_seg); + return true; + } + + if (nat_blkaddr + (segment_count_nat << log_blocks_per_seg) != + ssa_blkaddr) { + f2fs_msg(sb, KERN_INFO, + "Wrong NAT boundary, start(%u) end(%u) blocks(%u)", + nat_blkaddr, ssa_blkaddr, + segment_count_nat << log_blocks_per_seg); + return true; + } + + if (ssa_blkaddr + 
(segment_count_ssa << log_blocks_per_seg) != + main_blkaddr) { + f2fs_msg(sb, KERN_INFO, + "Wrong SSA boundary, start(%u) end(%u) blocks(%u)", + ssa_blkaddr, main_blkaddr, + segment_count_ssa << log_blocks_per_seg); + return true; + } + + if (main_blkaddr + (segment_count_main << log_blocks_per_seg) != + segment0_blkaddr + (segment_count << log_blocks_per_seg)) { + f2fs_msg(sb, KERN_INFO, + "Wrong MAIN_AREA boundary, start(%u) end(%u) blocks(%u)", + main_blkaddr, + segment0_blkaddr + (segment_count << log_blocks_per_seg), + segment_count_main << log_blocks_per_seg); + return true; + } + + return false; +} + static int sanity_check_raw_super(struct super_block *sb, struct f2fs_super_block *raw_super) { @@ -706,6 +779,14 @@ static int sanity_check_raw_super(struct super_block *sb, return 1; } + /* check log blocks per segment */ + if (le32_to_cpu(raw_super->log_blocks_per_seg) != 9) { + f2fs_msg(sb, KERN_INFO, + "Invalid log blocks per segment (%u)\n", + le32_to_cpu(raw_super->log_blocks_per_seg)); + return 1; + } + if (le32_to_cpu(raw_super->log_sectorsize) != F2FS_LOG_SECTOR_SIZE) { f2fs_msg(sb, KERN_INFO, "Invalid log sectorsize"); @@ -724,6 +805,22 @@ static int sanity_check_raw_super(struct super_block *sb, return 1; } + /* check reserved ino info */ + if (le32_to_cpu(raw_super->node_ino) != 1 || + le32_to_cpu(raw_super->meta_ino) != 2 || + le32_to_cpu(raw_super->root_ino) != 3) { + f2fs_msg(sb, KERN_INFO, + "Invalid Fs Meta Ino: node(%u) meta(%u) root(%u)", + le32_to_cpu(raw_super->node_ino), + le32_to_cpu(raw_super->meta_ino), + le32_to_cpu(raw_super->root_ino)); + return 1; + } + + /* check CP/SIT/NAT/SSA/MAIN_AREA area boundary */ + if (sanity_check_area_boundary(sb, raw_super)) + return 1; + return 0; }
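
Review bot: in sanity_check_area_boundary() (first hunk), every boundary comparison is evaluated in u32, so a sum such as `cp_blkaddr + (segment_count_ckpt << log_blocks_per_seg)` wraps modulo 2^32 and the shift drops the high bits of a large segment count; a superblock whose counts are out of range can still satisfy the `!=` tests. Consider doing the arithmetic in u64, or rejecting counts that cannot fit before shifting. The helper also depends on the caller having validated log_blocks_per_seg first (the second hunk adds that check and the third hunk places the call after it); a comment stating that precondition would keep a later reordering from making the shift count unvalidated input. A one-line comment that the helper returns true on failure would also help, since the caller maps it to `return 1`.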
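
Review bot: in the log_blocks_per_seg check (second hunk), the expected value is the bare literal 9, while the check right after it compares against the named constant F2FS_LOG_SECTOR_SIZE. A named constant, or a comment saying that 9 means 512 blocks per segment, would document why no other value is accepted. The format string here also ends in "\n", which none of the other f2fs_msg() calls in this patch do; drop it for consistency.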
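
Review bot: in the reserved ino check (third hunk), node_ino, meta_ino and root_ino are compared against the literals 1, 2 and 3 with only the comment "check reserved ino info" to explain them; naming the values, or noting in the comment that the on-disk format fixes them, would make the check self-explanatory. Each field is also converted with le32_to_cpu() twice, once for the test and once for the message; reading them into locals, as the first hunk does for the block addresses, would be tidier.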