From: Jin Qian
partial backport from 21fc61c73c3903c4c312d0802da01ec2b323d174 upstream
to v4.4 to prevent virt_to_page on highmem.
ext4_encrypted_follow_link uses kmap() for cpage
caddr = kmap(cpage);
_ext4_fname_disk_to_usr calls virt_to_page on the kmapped address
blk_off is read from image. An attacker can construct an image with a big
blk_off that triggers overflow on se->cur_valid_map.
Signed-off-by: Jin Qian
---
fsck/fsck.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fsck/fsck.c b/fsck/fsck.c
index b625153..e97ee0a 100644
--- a/fsck/fsck.c
++
make sure segment count in super block doesn't exceed F2FS_MAX_SEGMENT.
Signed-off-by: Jin Qian
---
fsck/mount.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fsck/mount.c b/fsck/mount.c
index 761baa0..0111960 100644
--- a/fsck/mount.c
+++ b/fsck/mount.c
@@ -406,6 +406,9 @
From: Jin Qian
F2FS uses 4 bytes to represent block address. As a result, supported
size of disk is 16 TB and it equals 16 * 1024 * 1024 / 2 segments.
Signed-off-by: Jin Qian
---
fs/f2fs/super.c | 7 +++
include/linux/f2fs_fs.h | 6 ++
2 files changed, 13 insertions
A crafted malicious f2fs partition can fill an out-of-bound blk_off,
which causes overflow when accessing summary block entries.
Signed-off-by: Jin Qian
---
fsck/mount.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fsck/mount.c b/fsck/mount.c
index 761baa0..0a63b71 100644
--- a/fsck
cp_payload is not sanity checked from input image. An invalid size
can cause buffer overflow when reading checkpoint blks into memory.
Signed-off-by: Jin Qian
---
fsck/mount.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fsck/mount.c b/fsck/mount.c
index 761baa0
segno and blk_off were read from input image without sanity check. This
could lead to buffer overflow when accessing internal arrays like SIT
sentries and seg_entry cur_valid_map.
Signed-off-by: Jin Qian
---
fsck/mount.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fsck/mount.c b/fsck
Make sure segno and blkoff read from raw image are valid.
Signed-off-by: Jin Qian
---
fs/f2fs/super.c | 18 ++
1 file changed, 18 insertions(+)
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 83355ec4a92c..c41b48e4cc33 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
Make sure segno and blkoff read from raw image are valid.
Change-Id: Ia37f5e03aba85f483ddad7a38c64c8e2dbb02243
Cc: sta...@vger.kernel.org
Signed-off-by: Jin Qian
---
fs/f2fs/super.c | 18 ++
1 file changed, 18 insertions(+)
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index
Make sure segno and blkoff read from raw image are valid.
Cc: sta...@vger.kernel.org
Signed-off-by: Jin Qian
---
fs/f2fs/super.c | 18 ++
1 file changed, 18 insertions(+)
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 83355ec4a92c..c41b48e4cc33 100644
--- a/fs/f2fs
oops, my script added change-Id back. Sent out v3 for correction.
jin
On Sun, May 14, 2017 at 3:51 AM, Greg KH wrote:
> On Fri, May 12, 2017 at 10:50:40AM -0700, Jin Qian wrote:
>> Make sure segno and blkoff read from raw image are valid.
>&g
Make sure number of entries doesn't exceed max journal size.
Cc: sta...@vger.kernel.org
Signed-off-by: Jin Qian
---
fs/f2fs/segment.c | 11 +++
1 file changed, 11 insertions(+)
diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
index de31030b5041..b07385630150 100644
--- a/fs