{"id":2223515,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2223515/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-mtd/patch/20260415124813.246588-3-michael.bommarito@gmail.com/","project":{"id":3,"url":"http://patchwork.ozlabs.org/api/1.2/projects/3/?format=json","name":"Linux MTD development","link_name":"linux-mtd","list_id":"linux-mtd.lists.infradead.org","list_email":"linux-mtd@lists.infradead.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260415124813.246588-3-michael.bommarito@gmail.com>","list_archive_url":null,"date":"2026-04-15T12:48:13","name":"[2/2] jffs2: bound summary entry walks against the payload","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"c846beac9d2a2159d9ed968ab19a6265078a46b9","submitter":{"id":93078,"url":"http://patchwork.ozlabs.org/api/1.2/people/93078/?format=json","name":"Michael Bommarito","email":"michael.bommarito@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-mtd/patch/20260415124813.246588-3-michael.bommarito@gmail.com/mbox/","series":[{"id":499985,"url":"http://patchwork.ozlabs.org/api/1.2/series/499985/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-mtd/list/?series=499985","date":"2026-04-15T12:48:11","name":"jffs2: bound summary reads on crafted flash","version":1,"mbox":"http://patchwork.ozlabs.org/series/499985/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2223515/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2223515/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org 
header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=3yd9zj1M;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=IiltNHvL;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwgth2gQzz211p\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 22:48:44 +1000 (AEST)","from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wCzfW-0000000195U-2rmp;\n\tWed, 15 Apr 2026 12:48:34 +0000","from mail-qk1-x72a.google.com ([2607:f8b0:4864:20::72a])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wCzfU-0000000194Y-0KKF\n\tfor linux-mtd@lists.infradead.org;\n\tWed, 15 Apr 2026 12:48:33 +0000","by mail-qk1-x72a.google.com with SMTP id\n af79cd13be357-8d428da4300so736311685a.3\n        for <linux-mtd@lists.infradead.org>;\n Wed, 15 Apr 2026 05:48:31 -0700 (PDT)","from server0.tail6e7dd.ts.net (c-68-48-65-54.hsd1.mi.comcast.net.\n [68.48.65.54])\n        by smtp.gmail.com with ESMTPSA id\n 6a1803df08f44-8ae6ceb891csm10614016d6.48.2026.04.15.05.48.29\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Wed, 15 Apr 2026 05:48:29 -0700 (PDT)"],"DKIM-Signature":["v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; 
s=bombadil.20210309; h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:\n\tMessage-ID:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tList-Owner; bh=XnrurdAm+dR90HgKZhRyN9PO7MgSs6SIDOUBT6RXW1o=; b=3yd9zj1M380709\n\tO7Lt0OWD4U1ESZmIBub1XKQu0xCq34MsZty9L+x+ftbIYEWAMz2R65O9PdoFc0MKTQxokOpubf+jx\n\tGmAltwNqs80V/Fs/kCUTdpOrSbjpjhSl8f4l3Aair57Zw7pVXdV85/19mcfo+ziZKMzvKl6Hth5dw\n\t3whKD+Cvm3dPdQ0s3sB2lG0wXlCzzcJh/r9UwLjOOhBhIUIiBH0t7JxUFXsfdv2RD5iaa9MGRIAhB\n\tDEVVQg2ctkPC7xZ6ifckvbKUe9KaFY5PGCUOXRHzWi1Lxy0a4UEanMtxbj9JWobD9zbQruJ/z890j\n\t0vJpvaczn6evuj/bpJJg==;","v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=gmail.com; s=20251104; t=1776257310; x=1776862110;\n darn=lists.infradead.org;\n        h=content-transfer-encoding:mime-version:references:in-reply-to\n         :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n         :message-id:reply-to;\n        bh=kjxJXStMU5U0NlRTJ2IsoioP7S3PUNh6UBqJINw6hTA=;\n        b=IiltNHvL2xZVi95OGuqxeqFmtS0zwfNeW8h5B01AvSftKrvN4aiM4j18L64ulNa2GQ\n         IgeUz1HqSWnyhDe1plpEiAwU07sF98eBHuUTl50bMhpwpnTweqVWDxbeKPegVbCb6Nzq\n         ZYOK6usQDX2aPXpI8zsBvQm95Kr+iel2tdrvDivDPaVRkiIy+y/2pLW1bqrxiltXq8/f\n         3Z+foROgTPNCmysE0bu3i+zbFd5XA1MzdvfarzbYCgn5ff1Nl/WQdWmHcklEJ6l2ghIZ\n         NiDBJb4ARp9l/vffFxSNGBAYPu9jthrzf/pUTF4WorqeKnCp7YEMBw1SIvXCGNN87BPa\n         pMnA=="],"X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=1e100.net; s=20251104; t=1776257310; x=1776862110;\n        h=content-transfer-encoding:mime-version:references:in-reply-to\n         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n         :to:cc:subject:date:message-id:reply-to;\n        bh=kjxJXStMU5U0NlRTJ2IsoioP7S3PUNh6UBqJINw6hTA=;\n        
b=TxGRxLVcLJths8tPdjJCTYJXP8CZpQi+sleuRFEbFFx2gaVtAk+ouP4hZmsKOaFJ97\n         Q8EJ91hNKvcrKMc41JEjHLNs4HKq7f8DV+CeDQ8F+CwP9zIc7MmAMPKAmscKAwYyeTuP\n         m8srzuU5HTvUYL0AUbL2UqoXBs44mu6WTbGHePtd3ioYcMh8RWWUQCYi1WUvtq0AiHze\n         yJrRX1csT5TLqylXITSdxnUnmuoK/WKdXKc3xIGzE0CIerQJSuiWsvV+Tnyfxq7pPKjC\n         pMJbiy2VT90Ot0pcC8PfTxSLHoZQy0eLDT2heyvg0zy7e9++aAfFr9YvvwKoecuy5Yr+\n         zw+g==","X-Gm-Message-State":"AOJu0YwXO9a2pgwlWgEVPukW+XStIzqBRmqlLo/gafxD1jzdfGD97jd2\n\t9xYiV/lFXtgjujkvco3mLCsD7EP8uPffRBcSOC5xVsKswGryu2J8DcxJXTTWgQ==","X-Gm-Gg":"AeBDieuH80lnyjP082OkJ22uVL2qHcEVNGIZDvdl0MEBSsTfL71Mz4hVGOCa6h9inWf\n\tgklBN0rHNMBu3G9kx9peylvzVJzBXTghnM0ENxBsJi3S5w4UlY3PFL/VxD7tZWGvQli339epuqU\n\tyLxXuyKO6nfzA+oDOM4wUlMdYM7VeHDs9DEP6mg8dt11inUr5H+IwU4GDh3qBuYtfa8Rk3aazWz\n\tmgyjGF0srzVm9AnjN9b9Lg1pcDd+k8PUtf8S3ibmmg4njryGAnRKTFXwy9uwnKtexBftQHXP+11\n\tl5jPQyF1Yls1ycye4njHrnpExa50GGhj91xnp1lJQWJHa4brQ1vvmAsiA5BURErDIo7TGQzn0gr\n\tIl8aPxtIiK7IXjOESdSYgmuPoyInkVyBG5OljTZqnGAWDzygW49vpprPJ3sJLqAqd3U235KlTeS\n\tdmUuY5kB9jqUgsbNJP9o1GyHw+b4pMjL+P9/57TaEcJB1s61hiZLrahbMGBDmUmBHFm8Eq1yxmE\n\tHe1YoT387BwHuJp9IKv90CrEkLTlb/S9gCku4YwpgXmf5Sk8y2e6g==","X-Received":"by 2002:a05:620a:450b:b0:8cd:b620:f3ed with SMTP id\n af79cd13be357-8ddcf2bf6e4mr3124006385a.38.1776257310347;\n        Wed, 15 Apr 2026 05:48:30 -0700 (PDT)","From":"Michael Bommarito <michael.bommarito@gmail.com>","To":"linux-mtd@lists.infradead.org,\n\tDavid Woodhouse <dwmw2@infradead.org>,\n\tRichard Weinberger <richard@nod.at>","Cc":"Zhihao Cheng <chengzhihao1@huawei.com>,\n\tArtem Sadovnikov <a.sadovnikov@ispras.ru>,\n\tKees Cook <kees@kernel.org>,\n\tlinux-kernel@vger.kernel.org","Subject":"[PATCH 2/2] jffs2: bound summary entry walks against the payload","Date":"Wed, 15 Apr 2026 08:48:13 -0400","Message-ID":"<20260415124813.246588-3-michael.bommarito@gmail.com>","X-Mailer":"git-send-email 
2.53.0","In-Reply-To":"<20260415124813.246588-1-michael.bommarito@gmail.com>","References":"<20260415124813.246588-1-michael.bommarito@gmail.com>","MIME-Version":"1.0","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20260415_054832_143797_B75F4A93 ","X-CRM114-Status":"GOOD (  22.55  )","X-Spam-Score":"-2.1 (--)","X-Spam-Report":"Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam.  The original\n message has been attached to this so you can view it or label\n similar future email.  If you have any questions, see\n the administrator of that system for details.\n Content preview:  jffs2_sum_process_sum_data() iterates summary->sum_num\n times,\n    reading the next entry's nodetype from the current sp and dispatching into\n    type-specific handlers that advance sp by a fixed or nsize-depe [...]\n Content analysis details:   (-2.1 points, 5.0 required)\n  pts rule name              description\n ---- ----------------------\n --------------------------------------------------\n -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/, no\n                             trust\n                             [2607:f8b0:4864:20:0:0:0:72a listed in]\n                             [list.dnswl.org]\n -0.0 SPF_PASS               SPF: sender matches SPF record\n  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record\n -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from\n                             envelope-from domain\n  0.1 DKIM_SIGNED            Message has a DKIM or DK signature,\n not necessarily valid\n -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from\n author's\n                             domain\n -0.1 DKIM_VALID             Message has at least one valid DKIM or DK\n signature\n -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%\n                       
      [score: 0.0000]\n  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail\n provider\n                             [michael.bommarito(at)gmail.com]","X-BeenThere":"linux-mtd@lists.infradead.org","X-Mailman-Version":"2.1.34","Precedence":"list","List-Id":"Linux MTD discussion mailing list <linux-mtd.lists.infradead.org>","List-Unsubscribe":"<http://lists.infradead.org/mailman/options/linux-mtd>,\n <mailto:linux-mtd-request@lists.infradead.org?subject=unsubscribe>","List-Archive":"<http://lists.infradead.org/pipermail/linux-mtd/>","List-Post":"<mailto:linux-mtd@lists.infradead.org>","List-Help":"<mailto:linux-mtd-request@lists.infradead.org?subject=help>","List-Subscribe":"<http://lists.infradead.org/mailman/listinfo/linux-mtd>,\n <mailto:linux-mtd-request@lists.infradead.org?subject=subscribe>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Sender":"\"linux-mtd\" <linux-mtd-bounces@lists.infradead.org>","Errors-To":"linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"},"content":"jffs2_sum_process_sum_data() iterates summary->sum_num times, reading\nthe next entry's nodetype from the current sp and dispatching into\ntype-specific handlers that advance sp by a fixed or nsize-dependent\namount.  There is no upper bound on sum_num from the writer side, and\non read the scanner trusts the on-flash value unchecked.\n\nA crafted flash image can therefore set sum_num > (actual entries\nthat fit in the payload).  Once sp runs off the end of the summary\nbuffer the nodetype read at summary.c:407 lands on adjacent slab\nmemory.  
If those bytes happen to decode as one of the known types\n(JFFS2_NODETYPE_INODE / _DIRENT / _XATTR / _XREF) the handler calls\nsum_link_node_ref() with offset / totlen pulled from whatever slab\nneighbor is next to the scan buffer.\n\nReproduced on v7.0-rc7 under UML + CONFIG_KASAN=y with a crafted\nimage carrying one real INODE entry and sum_num=2:\n\n  BUG: KASAN: slab-out-of-bounds in jffs2_sum_scan_sumnode+0x6bd\n  Read of size 2 at addr 00000000621fb000 by task mount/31\n  Located 0 bytes to the right of allocated 4096-byte region\n\nThe matching sum_num=1 image (same bytes, honest sum_num) mounts\nwithout a KASAN report, so the OOB is sum_num-specific.\n\nPass sumsize into jffs2_sum_process_sum_data() and bound sp against\nsummary + sumsize - sizeof(struct jffs2_sum_marker) before every\nnodetype read and before every type-specific field access.  If the\nadvance would leave the payload, warn and fall back to a full scan\nvia -ENOTRECOVERABLE.\n\nScope note on impact: demonstrated effect is a mount-time OOB read\nand a default-case warning path that reclaims the jeb.  
The\ntype-specific handlers run with attacker-influenced offset/totlen\npulled from the OOB bytes and do call sum_link_node_ref(), but\npersistent write/state-corruption requires adjacent slab content to\ndecode as a known nodetype and the mount to complete cleanly;\nneither is reliably reproducible without heap-spray primitives.\nThis patch closes the confirmed OOB-read sites.\n\nAssisted-by: Claude:claude-opus-4-6\nSigned-off-by: Michael Bommarito <michael.bommarito@gmail.com>\n---\n fs/jffs2/summary.c | 35 ++++++++++++++++++++++++++++++++---\n 1 file changed, 32 insertions(+), 3 deletions(-)","diff":"diff --git a/fs/jffs2/summary.c b/fs/jffs2/summary.c\nindex 150a9c83cb05..09677b931010 100644\n--- a/fs/jffs2/summary.c\n+++ b/fs/jffs2/summary.c\n@@ -384,21 +384,33 @@ static struct jffs2_raw_node_ref *sum_link_node_ref(struct jffs2_sb_info *c,\n /* Process the stored summary information - helper function for jffs2_sum_scan_sumnode() */\n \n static int jffs2_sum_process_sum_data(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb,\n-\t\t\t\tstruct jffs2_raw_summary *summary, uint32_t *pseudo_random)\n+\t\t\t\tstruct jffs2_raw_summary *summary, uint32_t sumsize,\n+\t\t\t\tuint32_t *pseudo_random)\n {\n \tstruct jffs2_inode_cache *ic;\n \tstruct jffs2_full_dirent *fd;\n-\tvoid *sp;\n+\tvoid *sp, *sum_end;\n \tint i, ino;\n \tint err;\n \n \tsp = summary->sum;\n+\t/* Entries must fit before the trailing jffs2_sum_marker. */\n+\tsum_end = (char *)summary + sumsize - sizeof(struct jffs2_sum_marker);\n \n \tfor (i=0; i<je32_to_cpu(summary->sum_num); i++) {\n \t\tdbg_summary(\"processing summary index %d\\n\", i);\n \n \t\tcond_resched();\n \n+\t\t/* Make sure the nodetype dispatched on is in-bounds; each\n+\t\t * case re-checks the specific entry size before advancing\n+\t\t * sp past the node's fields. 
*/\n+\t\tif ((char *)sp + sizeof(struct jffs2_sum_unknown_flash) > (char *)sum_end) {\n+\t\t\tJFFS2_WARNING(\"Summary entry %d nodetype past payload (sum_num=%u)\\n\",\n+\t\t\t\t      i, je32_to_cpu(summary->sum_num));\n+\t\t\treturn -ENOTRECOVERABLE;\n+\t\t}\n+\n \t\t/* Make sure there's a spare ref for dirty space */\n \t\terr = jffs2_prealloc_raw_node_refs(c, jeb, 2);\n \t\tif (err)\n@@ -407,6 +419,9 @@ static int jffs2_sum_process_sum_data(struct jffs2_sb_info *c, struct jffs2_eras\n \t\tswitch (je16_to_cpu(((struct jffs2_sum_unknown_flash *)sp)->nodetype)) {\n \t\t\tcase JFFS2_NODETYPE_INODE: {\n \t\t\t\tstruct jffs2_sum_inode_flash *spi;\n+\n+\t\t\t\tif ((char *)sp + JFFS2_SUMMARY_INODE_SIZE > (char *)sum_end)\n+\t\t\t\t\tgoto ent_past_end;\n \t\t\t\tspi = sp;\n \n \t\t\t\tino = je32_to_cpu(spi->inode);\n@@ -434,7 +449,12 @@ static int jffs2_sum_process_sum_data(struct jffs2_sb_info *c, struct jffs2_eras\n \t\t\tcase JFFS2_NODETYPE_DIRENT: {\n \t\t\t\tstruct jffs2_sum_dirent_flash *spd;\n \t\t\t\tint checkedlen;\n+\n+\t\t\t\tif ((char *)sp + sizeof(*spd) > (char *)sum_end)\n+\t\t\t\t\tgoto ent_past_end;\n \t\t\t\tspd = sp;\n+\t\t\t\tif ((char *)sp + JFFS2_SUMMARY_DIRENT_SIZE(spd->nsize) > (char *)sum_end)\n+\t\t\t\t\tgoto ent_past_end;\n \n \t\t\t\tdbg_summary(\"Dirent at 0x%08x-0x%08x\\n\",\n \t\t\t\t\t    jeb->offset + je32_to_cpu(spd->offset),\n@@ -492,6 +512,8 @@ static int jffs2_sum_process_sum_data(struct jffs2_sb_info *c, struct jffs2_eras\n \t\t\t\tstruct jffs2_xattr_datum *xd;\n \t\t\t\tstruct jffs2_sum_xattr_flash *spx;\n \n+\t\t\t\tif ((char *)sp + JFFS2_SUMMARY_XATTR_SIZE > (char *)sum_end)\n+\t\t\t\t\tgoto ent_past_end;\n \t\t\t\tspx = (struct jffs2_sum_xattr_flash *)sp;\n \t\t\t\tdbg_summary(\"xattr at %#08x-%#08x (xid=%u, version=%u)\\n\", \n \t\t\t\t\t    jeb->offset + je32_to_cpu(spx->offset),\n@@ -523,6 +545,8 @@ static int jffs2_sum_process_sum_data(struct jffs2_sb_info *c, struct jffs2_eras\n \t\t\t\tstruct jffs2_xattr_ref *ref;\n 
\t\t\t\tstruct jffs2_sum_xref_flash *spr;\n \n+\t\t\t\tif ((char *)sp + JFFS2_SUMMARY_XREF_SIZE > (char *)sum_end)\n+\t\t\t\t\tgoto ent_past_end;\n \t\t\t\tspr = (struct jffs2_sum_xref_flash *)sp;\n \t\t\t\tdbg_summary(\"xref at %#08x-%#08x\\n\",\n \t\t\t\t\t    jeb->offset + je32_to_cpu(spr->offset),\n@@ -566,6 +590,11 @@ static int jffs2_sum_process_sum_data(struct jffs2_sb_info *c, struct jffs2_eras\n \t\t}\n \t}\n \treturn 0;\n+\n+ent_past_end:\n+\tJFFS2_WARNING(\"Summary entry %d past payload end (sum_num=%u)\\n\",\n+\t\t      i, je32_to_cpu(summary->sum_num));\n+\treturn -ENOTRECOVERABLE;\n }\n \n /* Process the summary node - called from jffs2_scan_eraseblock() */\n@@ -646,7 +675,7 @@ int jffs2_sum_scan_sumnode(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb\n \t\t}\n \t}\n \n-\tret = jffs2_sum_process_sum_data(c, jeb, summary, pseudo_random);\n+\tret = jffs2_sum_process_sum_data(c, jeb, summary, sumsize, pseudo_random);\n \t/* -ENOTRECOVERABLE isn't a fatal error -- it means we should do a full\n \t   scan of this eraseblock. So return zero */\n \tif (ret == -ENOTRECOVERABLE)\n","prefixes":["2/2"]}
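Review bot: in the first hunk, `sum_end = (char *)summary + sumsize - sizeof(struct jffs2_sum_marker);` is computed before anything confirms that `sumsize` is at least `sizeof(struct jffs2_raw_summary) + sizeof(struct jffs2_sum_marker)`. For a short `sumsize` the bound lands before `summary->sum`; the new `(char *)sp + sizeof(struct jffs2_sum_unknown_flash) > (char *)sum_end` comparison then rejects the first entry as intended, but the pointer itself has been formed outside the buffer, which is the kind of arithmetic the rest of the series is trying to retire. Suggest either an explicit up-front `if (sumsize < sizeof(*summary) + sizeof(struct jffs2_sum_marker)) return -ENOTRECOVERABLE;` ahead of the loop, or carrying the remaining payload as a byte count (bytes left between `sp` and the marker) and comparing each entry size against that count, so the bound is always well-defined; the commit message should then state which of the two the caller already guarantees.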
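Review bot: in the `ent_past_end` hunk, the label's `JFFS2_WARNING("Summary entry %d past payload end (sum_num=%u)\n", i, je32_to_cpu(summary->sum_num)); return -ENOTRECOVERABLE;` duplicates the inline warning-and-return added ahead of the loop in the first hunk almost verbatim, differing only in the "nodetype past payload" wording. Unless that distinct log text is wanted to tell the two failure points apart, have the nodetype pre-check `goto ent_past_end` as the four per-type checks do, so there is one warning path and one return for every out-of-payload case.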