From patchwork Thu Sep 30 18:28:45 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luke Nowakowski-Krijger X-Patchwork-Id: 1534977 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=VrnhWN94; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4HL1wg3Ggdz9sCD for ; Fri, 1 Oct 2021 04:29:06 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1mW0ne-000075-9k; Thu, 30 Sep 2021 18:28:54 +0000 Received: from smtp-relay-internal-0.internal ([10.131.114.225] helo=smtp-relay-internal-0.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1mW0nc-00006s-7B for kernel-team@lists.ubuntu.com; Thu, 30 Sep 2021 18:28:52 +0000 Received: from mail-pj1-f70.google.com (mail-pj1-f70.google.com [209.85.216.70]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 06A16402F6 for ; Thu, 30 Sep 2021 18:28:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1633026532; bh=HuN9m9GLRR6Z+KOgJloVthpHdTUu5/J3bTW2sWz7JXM=; h=From:To:Subject:Date:Message-Id:MIME-Version; b=VrnhWN94XnMRclfC/2A25snz1SweEdl9aD4BYlRbsH5vQ2qsY0HmYUO5VV3/zRC9M ikfZ2SpcXoLHsmqBr8YfKeuBCGRwdTC1O0vW9xPRhOWnxA+9cxMjjtR5eSSlLqv4vl op5ohJ2w4/21EDZt3yB5sIUHtqo5uIpam4O9a0S6qHJvvHHS21ZwU04yIIqhwCWOFD 69ht4hqfiS4YPL6aUbvvaJUhqE35PdG9BOPBI3ZlQMR/V3P3Vt4LotQ5fMLh6hCvLg 4oRaPOeboqiv1ox9lf4Zsf5IcUkqcF99OYCHaXm3Rhw5vkSOTzqVV4sVCKKFHJcLVp XNED/qXmBm9Pw== Received: by mail-pj1-f70.google.com with SMTP id gf8-20020a17090ac7c800b0019ed5b47b51so3854995pjb.6 for ; Thu, 30 Sep 2021 11:28:51 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:mime-version :content-transfer-encoding; bh=HuN9m9GLRR6Z+KOgJloVthpHdTUu5/J3bTW2sWz7JXM=; b=IMBbMZBXkOuniw4cdkEe5wLzYncrdut/N+HrCp4NAq+mYSl5JBR7vC8Clfpu+ChT10 kPadkWow9UICnlcpszy8HS8IAjnKzXD16SkXMzZxuTF4LBWqYKJB0DhT50BGHlMstydo cOZQVxCeUao7/hi+UcqMVrDgXGhWnyQBh8lBkMa4I28LNtiqD1h3YqKSCoe8xh3upSVc 1+oIipPFPC+gO14K48WNWkXbNnjLrtp034S4lVPHeXJ6SNWpcaLaJf+CSlylnJUR8FzC QzTYByCnMk8ruL7ERpkF7cMYCk+zX57M/mIH0WTsJGzdFTl9++ubIoFQl53EqH0uWW+I Us8g== X-Gm-Message-State: AOAM5333apFh0RAqVuxGOO+EfWYJJz6AUs1LsYZ/YD7OJww6eBS8SqjO vST9nA0VYODMykXQ/uEVFTjQ4HDG/RfpYq2L9sD7V0EzYZe+JoChkPJtq7HPqlYNLAO0KUPfS5K s8uoos9YOdkKWlZWh37lq3YiFxnBK8kx2tvE1PUpkOA== X-Received: by 2002:a63:4b63:: with SMTP id k35mr6219620pgl.206.1633026529973; Thu, 30 Sep 2021 11:28:49 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzXCB67Ld94QVBye99gxAvm8Xz1KanP15cElrqKAp9OsJMuwjQn767h3xhfeNqeTOVvAHbWQQ== X-Received: by 2002:a63:4b63:: with SMTP id k35mr6219589pgl.206.1633026529447; Thu, 30 Sep 2021 11:28:49 -0700 (PDT) Received: from luke-ubuntu.. (cpe-66-27-118-101.san.res.rr.com. [66.27.118.101]) by smtp.gmail.com with ESMTPSA id n18sm3607347pfa.42.2021.09.30.11.28.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 Sep 2021 11:28:48 -0700 (PDT) From: Luke Nowakowski-Krijger To: kernel-team@lists.ubuntu.com, luke.nowakowskikrijger@canonical.com Subject: [SRU][B][PATCH 0/2] CVE-2019-19449 Date: Thu, 30 Sep 2021 11:28:45 -0700 Message-Id: X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" [Impact] Mounting a crafted f2fs file system with a segment count in a section that is less than segs_per_sec causes out-of-boundary memory access during fs initalization. [Backports] Changed f2fs_info to f2fs_msg due to the fact that the f2fs_info infastructure is not present and would require backporting many patches to implement. [Test case] Reproduced bug with syzbot reproducer (https://syzkaller.appspot.com/x/repro.c?x=102fbac5900000) with slight modification to target a valid loop device. Confirmed that after the patches were applied the fs reports that there are malformed segments/sections and mounting the file system fails, which stops the initialization from continuing and preventing the out-of-boundary memory access. [Potential regression] The patches add checks that are a superset of the previous checks, which might cause some filesystems that succeeded in mounting to now fail. Luke Nowakowski-Krijger (1): f2fs: fix to do sanity check on segment/section count Wang Xiaojun (1): f2fs: fix wrong total_sections check and fsmeta check fs/f2fs/segment.h | 1 + fs/f2fs/super.c | 15 +++++++++++---- 2 files changed, 12 insertions(+), 4 deletions(-) Acked-by: Stefan Bader