korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2025-01-11 08:14:27 +08:00
Code Issues Packages Projects Releases Wiki Activity
f435c66d23
linux/fs/ext4
History
Baokun Li 277d19ec28 ext4: fix use-after-free in ext4_ext_shift_extents 
commit f6b1a1cf1c upstream.

If the starting position of our insert range happens to be in the hole
between the two ext4_extent_idx, because the lblk of the ext4_extent in
the previous ext4_extent_idx is always less than the start, which leads
to the "extent" variable access across the boundary, the following UAF is
triggered:
==================================================================
BUG: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790
Read of size 4 at addr ffff88819807a008 by task fallocate/8010
CPU: 3 PID: 8010 Comm: fallocate Tainted: G            E     5.10.0+ #492
Call Trace:
 dump_stack+0x7d/0xa3
 print_address_description.constprop.0+0x1e/0x220
 kasan_report.cold+0x67/0x7f
 ext4_ext_shift_extents+0x257/0x790
 ext4_insert_range+0x5b6/0x700
 ext4_fallocate+0x39e/0x3d0
 vfs_fallocate+0x26f/0x470
 ksys_fallocate+0x3a/0x70
 __x64_sys_fallocate+0x4f/0x60
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
==================================================================

For right shifts, we can divide them into the following situations:

1. When the first ee_block of ext4_extent_idx is greater than or equal to
   start, make right shifts directly from the first ee_block.
    1) If it is greater than start, we need to continue searching in the
       previous ext4_extent_idx.
    2) If it is equal to start, we can exit the loop (iterator=NULL).

2. When the first ee_block of ext4_extent_idx is less than start, then
   traverse from the last extent to find the first extent whose ee_block
   is less than start.
    1) If extent is still the last extent after traversal, it means that
       the last ee_block of ext4_extent_idx is less than start, that is,
       start is located in the hole between idx and (idx+1), so we can
       exit the loop directly (break) without right shifts.
    2) Otherwise, make right shifts at the corresponding position of the
       found extent, and then exit the loop (iterator=NULL).

Fixes: 331573febb ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate")
Cc: stable@vger.kernel.org # v4.2+
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Link: https://lore.kernel.org/r/20220922120434.1294789-1-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-12-02 17:41:08 +01:00
..
.kunitconfig ext4: add .kunitconfig fragment to enable ext4-specific tests 2021-02-11 23:16:30 -05:00
acl.c vfs: add rcu argument to ->get_acl() callback 2021-08-18 22:08:24 +02:00
acl.h vfs: add rcu argument to ->get_acl() callback 2021-08-18 22:08:24 +02:00
balloc.c ext4: flush background discard kwork when retry allocation 2021-08-30 23:35:53 -04:00
bitmap.c
block_validity.c ext4: standardize error message in ext4_protect_reserved_inode() 2020-12-17 13:30:55 -05:00
dir.c ext4: fix potential infinite loop in ext4_dx_readdir() 2021-10-01 00:05:09 -04:00
ext4_extents.h ext4: fix sparse warnings 2021-08-30 23:36:50 -04:00
ext4_jbd2.c ext4: fix null-ptr-deref in '__ext4_journal_ensure_credits' 2022-01-27 11:05:17 +01:00
ext4_jbd2.h ext4: Support for checksumming from journal triggers 2021-08-30 23:36:50 -04:00
ext4.h ext4: only allow test_dummy_encryption when supported 2022-06-09 10:23:31 +02:00
extents_status.c ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit 2021-06-22 21:34:17 -04:00
extents_status.h ext4: fix extent_status trace points 2020-01-25 02:03:03 -05:00
extents.c ext4: fix use-after-free in ext4_ext_shift_extents 2022-12-02 17:41:08 +01:00
fast_commit.c ext4: update 'state->fc_regions_size' after successful memory allocation 2022-10-26 12:34:30 +02:00
fast_commit.h ext4: simplify updating of fast commit stats 2022-03-08 19:12:32 +01:00
file.c ext4: avoid crash when inline data creation follows DIO write 2022-10-26 12:34:28 +02:00
fsmap.c treewide: Change list_sort to use const pointers 2021-04-08 16:04:22 -07:00
fsmap.h ext4: fsmap: fix the block/inode bitmap comment 2021-06-24 09:48:29 -04:00
fsync.c block: use an on-stack bio in blkdev_issue_flush 2021-01-27 09:51:48 -07:00
hash.c ext4: handle casefolding with encryption 2021-04-05 22:04:20 -04:00
ialloc.c ext4: make directory inode spreading reflect flexbg size 2022-09-28 11:11:57 +02:00
indirect.c ext4: Support for checksumming from journal triggers 2021-08-30 23:36:50 -04:00
inline.c ext4: correct max_inline_xattr_value_size computing 2022-08-17 14:24:27 +02:00
inode-test.c fs: ext4: Modify inode-test.c to use KUnit parameterized testing feature 2020-12-02 16:07:25 -07:00
inode.c ext4: place buffer head allocation before handle start 2022-10-26 12:34:29 +02:00
ioctl.c ext4: fast commit may not fallback for ineligible commit 2022-03-08 19:12:32 +01:00
Kconfig ext: EXT4_KUNIT_TESTS should depend on EXT4_FS instead of selecting it 2021-02-11 23:12:59 -05:00
Makefile ext4: Move orphan inode handling into a separate file 2021-08-30 23:36:51 -04:00
mballoc.c ext4: use locality group preallocation for small closed files 2022-09-28 11:11:58 +02:00
mballoc.h ext4: fix various seppling typos 2021-04-09 23:14:59 -04:00
migrate.c ext4: fix warning in 'ext4_da_release_space' 2022-11-10 18:15:40 +01:00
mmp.c ext4: fix potential uninitialized access to retval in kmmpd 2021-07-23 07:31:29 -04:00
move_extent.c ext4: use common helpers in all places reading metadata buffers 2020-10-18 10:37:14 -04:00
namei.c ext4: fix BUG_ON() when directory entry has invalid rec_len 2022-11-10 18:15:40 +01:00
orphan.c ext4: Improve scalability of ext4 orphan file handling 2021-08-30 23:36:51 -04:00
page-io.c ext4: fix symlink file size not match to file content 2022-04-27 14:39:01 +02:00
readpage.c block: Add bio_max_segs 2021-02-26 15:49:51 -07:00
resize.c ext4: continue to expand file system when the target size doesn't reach 2022-10-26 12:35:56 +02:00
super.c ext4: don't run ext4lazyinit for read-only filesystems 2022-10-26 12:35:01 +02:00
symlink.c ext4: report correct st_size for encrypted symlinks 2021-07-25 20:01:06 -07:00
sysfs.c ext4: notify sysfs on errors_count value change 2021-06-29 21:06:02 -04:00
truncate.h ext4: Convert to use mapping->invalidate_lock 2021-07-13 14:29:00 +02:00
verity.c ext4,f2fs: fix readahead of verity data 2022-11-10 18:15:42 +01:00
xattr_hurd.c acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
xattr_security.c acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
xattr_trusted.c acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
xattr_user.c acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
xattr.c ext4: fix race when reusing xattr blocks 2022-08-17 14:24:28 +02:00
xattr.h ext4: remove EA inode entry from mbcache on inode eviction 2022-08-17 14:24:27 +02:00