In fsck_chk_orphan_node(), entry_count is read directly from the on-disk orphan block footer. If an attacker or corrupted filesystem sets this to an excessive value (e.g., 0xFFFFFFFF), it can cause a massive loop leading to out-of-bounds memory reads and out-of-bounds writes into the newly allocated orphan repair block.
Fix this by ensuring entry_count does not exceed F2FS_ORPHANS_PER_BLOCK. If an invalid entry_count is encountered, safely reset it to 0 and write the repaired orphan block to disk when running with auto-fix enabled. Signed-off-by: Chao Yu <[email protected]> --- fsck/fsck.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/fsck/fsck.c b/fsck/fsck.c index e679357..66cc1c5 100644 --- a/fsck/fsck.c +++ b/fsck/fsck.c @@ -2275,6 +2275,17 @@ int fsck_chk_orphan_node(struct f2fs_sb_info *sbi) ASSERT(ret >= 0); entry_count = le32_to_cpu(F2FS_ORPHAN_BLOCK_FOOTER(orphan_blk)->entry_count); + if (entry_count > F2FS_ORPHANS_PER_BLOCK) { + ASSERT_MSG("wrong orphan entry_count: %u", entry_count); + entry_count = 0; + if (f2fs_dev_is_writable() && c.fix_on) { + FIX_MSG("reset orphan entry_count to 0"); + F2FS_ORPHAN_BLOCK_FOOTER(new_blk)->entry_count = 0; + ret = dev_write_block(new_blk, start_blk + i, + WRITE_LIFE_NONE); + ASSERT(ret >= 0); + } + } for (j = 0; j < entry_count; j++) { nid_t ino = le32_to_cpu(orphan_blk->ino[j]); -- 2.49.0 _______________________________________________ Linux-f2fs-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
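Review bot: the repair path in the new `if (entry_count > F2FS_ORPHANS_PER_BLOCK)` branch stores only the footer (`F2FS_ORPHAN_BLOCK_FOOTER(new_blk)->entry_count = 0;`) and then writes the whole of `new_blk` back with `dev_write_block(new_blk, start_blk + i, WRITE_LIFE_NONE);`, so the `ino[]` array that lands on disk is whatever `new_blk` held before this iteration; nothing in the hunk shows it being zeroed, and an explicit `memset(new_blk, 0, ...)` ahead of the footer store, or a comment pointing at where that already happens, would make the write self-evidently clean. The bound itself is correct: `entry_count == F2FS_ORPHANS_PER_BLOCK` stays legal and the following `for (j = 0; j < entry_count; j++)` then cannot index past `orphan_blk->ino[]`. One design point worth a sentence in the commit message: resetting to 0 drops every inode listed in a block whose only damage may be the footer, whereas clamping to F2FS_ORPHANS_PER_BLOCK would let the existing per-entry loop decide which entries survive; if discarding is the intended conservative choice, say so, and note that without `c.fix_on` the block is skipped after the ASSERT_MSG rather than repaired.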
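The failure mode the commit message describes, a footer count that drives `j < entry_count` past the `ino[]` array, is easy to reproduce outside fsck. The program below is an added example and is not f2fs-tools code: it models the orphan block as a 4 KiB block with a 1020-entry inode array and the footer fields behind it (an assumption about the layout, simplified from the real struct), builds constructed sample blocks, and walks them the way the patched fsck does, validating the footer before the loop and, when `fix_on` is set, rewriting the block as all zeros. The function and field names are this example's own.

```c
/*
 * Added example (not f2fs-tools code): bounded walk of an orphan block.
 * Layout assumed here: 4 KiB block, ino[ORPHANS_PER_BLOCK] of __le32,
 * then a footer of reserved(4) blk_addr(2) blk_count(2) entry_count(4)
 * check_sum(4). Sample block contents are constructed, not from a real image.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SZ 4096u
/* (4096 - 4 * 4) / 4 == 1020 inode numbers fit in front of the footer */
#define ORPHANS_PER_BLOCK ((BLOCK_SZ - 4u * sizeof(uint32_t)) / sizeof(uint32_t))
#define ENTRY_COUNT_OFF (ORPHANS_PER_BLOCK * 4u + 8u)   /* after reserved, blk_addr, blk_count */

struct orphan_scan {
    uint32_t entry_count_on_disk;  /* raw footer value */
    uint32_t entries_seen;         /* entries actually iterated */
    int corrupted;                 /* footer exceeded the ino[] array */
    int repaired;                  /* block rewritten with a zero footer */
};

/* Explicit little-endian accessors so the example is host-endian neutral. */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/*
 * Walk one orphan block. An unpatched reader trusts entry_count and reads
 * ino[j] for every j < entry_count, so 0xFFFFFFFF walks 16 GiB past the
 * block. Here the footer is checked first: an oversized count is reported,
 * treated as 0 and, when fix_on is set, the block is rewritten as zeros
 * (body and footer), which is the effect of the fsck patch's repair write.
 * Returns 0 for a well-formed block, -1 when the footer was out of range.
 */
int scan_orphan_block(uint8_t *blk, int fix_on, struct orphan_scan *res)
{
    uint32_t entry_count = get_le32(blk + ENTRY_COUNT_OFF);

    memset(res, 0, sizeof(*res));
    res->entry_count_on_disk = entry_count;

    if (entry_count > ORPHANS_PER_BLOCK) {
        fprintf(stderr, "[ASSERT] wrong orphan entry_count: %u\n", entry_count);
        res->corrupted = 1;
        entry_count = 0;
        if (fix_on) {
            memset(blk, 0, BLOCK_SZ);          /* stale entries are untrusted too */
            put_le32(blk + ENTRY_COUNT_OFF, 0);
            res->repaired = 1;
        }
    }

    /* entry_count <= ORPHANS_PER_BLOCK here, so every read stays in ino[]. */
    for (uint32_t j = 0; j < entry_count; j++) {
        uint32_t ino = get_le32(blk + 4u * j);
        /* real fsck validates each ino against the node table; counted only here */
        (void)ino;
        res->entries_seen++;
    }
    return res->corrupted ? -1 : 0;
}

/* Construct a block with n inode numbers and an arbitrary footer count. */
void build_orphan_block(uint8_t *blk, const uint32_t *inos, uint32_t n,
                        uint32_t footer_count)
{
    memset(blk, 0, BLOCK_SZ);
    for (uint32_t j = 0; j < n && j < ORPHANS_PER_BLOCK; j++)
        put_le32(blk + 4u * j, inos[j]);
    put_le32(blk + ENTRY_COUNT_OFF, footer_count);
}

int main(void)
{
    static uint8_t blk[BLOCK_SZ];
    const uint32_t inos[3] = { 7, 8, 9 };   /* constructed inode numbers */
    struct orphan_scan r;

    build_orphan_block(blk, inos, 3, 3);
    scan_orphan_block(blk, 0, &r);
    printf("sane block: %u entries, corrupted=%d\n", r.entries_seen, r.corrupted);

    build_orphan_block(blk, inos, 3, 0xFFFFFFFFu);
    scan_orphan_block(blk, 1, &r);
    printf("hostile footer 0x%x: entries=%u corrupted=%d repaired=%d footer now %u\n",
           r.entry_count_on_disk, r.entries_seen, r.corrupted, r.repaired,
           get_le32(blk + ENTRY_COUNT_OFF));
    return 0;
}
```

The check is `>` rather than `>=` on purpose: a footer equal to ORPHANS_PER_BLOCK is a full, legal block, and the loop condition `j < entry_count` keeps the last read at index 1019.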
