]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commit
projects / mirror_ubuntu-jammy-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 501f202) | patch
ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()
authorZhihao Cheng <chengzhihao1@huawei.com>
Mon, 27 Dec 2021 03:22:40 +0000 (11:22 +0800)
committerStefan Bader <stefan.bader@canonical.com>
Fri, 20 May 2022 12:40:10 +0000 (14:40 +0200)
commit6cc8d2032e2241820e11ccb0659938efc9c24da3
treec53aea60a1f394ee4bfec1f75ce589c5c7ef4163tree
parent501f2025314606ba1aed55a84b5980b97ef6937acommit | diff
ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()

BugLink: https://bugs.launchpad.net/bugs/1969110
commit 4f2262a334641e05f645364d5ade1f565c85f20b upstream.

Function ubifs_wbuf_write_nolock() may access buf out of bounds in
following process:

ubifs_wbuf_write_nolock():
  aligned_len = ALIGN(len, 8);   // Assume len = 4089, aligned_len = 4096
  if (aligned_len <= wbuf->avail) ... // Not satisfy
  if (wbuf->used) {
    ubifs_leb_write()  // Fill some data in avail wbuf
    len -= wbuf->avail;   // len is still not 8-bytes aligned
    aligned_len -= wbuf->avail;
  }
  n = aligned_len >> c->max_write_shift;
  if (n) {
    n <<= c->max_write_shift;
    err = ubifs_leb_write(c, wbuf->lnum, buf + written,
                          wbuf->offs, n);
    // n > len, read out of bounds less than 8(n-len) bytes
  }

, which can be catched by KASAN:
  =========================================================
  BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0
  Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128
  Workqueue: writeback wb_workfn (flush-ubifs_0_0)
  Call Trace:
    kasan_report.cold+0x81/0x165
    nand_write_page_swecc+0xa9/0x160
    ubifs_leb_write+0xf2/0x1b0 [ubifs]
    ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs]
    write_head+0xdc/0x1c0 [ubifs]
    ubifs_jnl_write_inode+0x627/0x960 [ubifs]
    wb_workfn+0x8af/0xb80

Function ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8
bytes aligned, the 'len' represents the true length of buf (which is
allocated in 'ubifs_jnl_xxx', eg. ubifs_jnl_write_inode), so
ubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully
to write leb safely.

Fetch a reproducer in [Link].

Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=214785
Reported-by: Chengsong Ke <kechengsong@huawei.com>
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit a7054aaf1909cf40489c0ec1b728fdcf79c751a6)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
fs/ubifs/io.c diff | blob | blame | history
Ubuntu Jammy Linux kernel mirror