Hi Sheng,

On 2018/11/23 20:11, Sheng Yong wrote:
> Hi, Jaegeuk and Chao,
>
> On 2018/11/15 15:50, Jaegeuk Kim wrote:
>> If namelen is corrupted to have a very long value, fill_dentries can copy
>> the wrong memory area.
>>
> Is there any scenario that could hit this corruption? Or is this triggered
> by fuzzing injection?

I didn't see such an issue in my test; I guess it may be caused by a fuzzing
test.

Thanks,

> thanks,
> Sheng Yong
>
>> Signed-off-by: Jaegeuk Kim <jaeg...@kernel.org>
>> ---
>>  fs/f2fs/dir.c | 12 +++++++++++-
>>  1 file changed, 11 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
>> index bacc667950b6..c0c845da12fa 100644
>> --- a/fs/f2fs/dir.c
>> +++ b/fs/f2fs/dir.c
>> @@ -808,6 +808,17 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct
>> f2fs_dentry_ptr *d,
>>  		de_name.name = d->filename[bit_pos];
>>  		de_name.len = le16_to_cpu(de->name_len);
>>
>> +		/* check memory boundary before moving forward */
>> +		bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
>> +		if (unlikely(bit_pos > d->max)) {
>> +			f2fs_msg(sbi->sb, KERN_WARNING,
>> +				"%s: corrupted namelen=%d, run fsck to fix.",
>> +				__func__, le16_to_cpu(de->name_len));
>> +			set_sbi_flag(sbi, SBI_NEED_FSCK);
>> +			err = -EINVAL;
>> +			goto out;
>> +		}
>> +
>>  		if (f2fs_encrypted_inode(d->inode)) {
>>  			int save_len = fstr->len;
>>
>> @@ -830,7 +841,6 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct
>> f2fs_dentry_ptr *d,
>>  		if (readdir_ra)
>>  			f2fs_ra_node_page(sbi, le32_to_cpu(de->ino));
>>
>> -		bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
>>  		ctx->pos = start_pos + bit_pos;
>>  	}
>>  out:
>>
>
>
>
> _______________________________________________
> Linux-f2fs-devel mailing list
> Linux-f2fs-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
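Review bot: in the first hunk, `de_name.len` is assigned `le16_to_cpu(de->name_len)` two lines above the added block, so the two further `le16_to_cpu(de->name_len)` calls in the new lines (the argument to GET_DENTRY_SLOTS() and the value passed to f2fs_msg()) can just use `de_name.len`; that also guarantees the logged value is the one the check actually used. The field is a u16, so `%u` describes it better than `%d` in the warning format. The placement is right as far as the hunk shows: the slot advance and the comparison against `d->max` happen after `de_name` is filled in and before the fscrypt branch that follows, which is the first consumer of the name visible here, and using `>` rather than `>=` correctly accepts a name whose last slot is the block's last slot.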
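Review bot: the deletion in the second hunk is half of a move, not a removal: `bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));` now lives ahead of the boundary check in the first hunk, so `ctx->pos = start_pos + bit_pos;` at the end of the loop body still sees the advanced position. The changelog only says that a corrupted namelen could make fill_dentries copy the wrong memory; it should also state that the slot advance was moved ahead of emitting the entry, because a reader of this hunk on its own sees `ctx->pos` lose its preceding increment with no explanation. One consequence worth a sentence there as well: when the new check fails and jumps to `out`, `ctx->pos` has not been moved past the corrupted entry, so a repeated readdir of that directory hits the same entry and the same warning until fsck has run.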
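To make the failure mode in the commit message concrete, here is an added example (not f2fs code and not part of this thread): a stand-alone model of the dentry-block walk that the patch hardens. The 8-byte slot size and GET_DENTRY_SLOTS() rounding mirror f2fs, but the block (8 slots), the entries, the names and the `walk()`/`make_block()` helpers are all constructed here. `check_bounds == false` follows the old order and, instead of really reading out of bounds, reports how many bytes past the name area a trusted `name_len` would have pulled in; `check_bounds == true` does what the patch does and refuses the entry with -EINVAL.

```c
/*
 * Added example, not f2fs code: a toy model of f2fs_fill_dentries()'s walk,
 * built to show what the patch's boundary check rejects. Slot constants mirror
 * f2fs (8-byte name slots, GET_DENTRY_SLOTS); the block is shrunk to 8 slots.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_LEN	8		/* bytes of filename per slot */
#define SLOT_LEN_BITS	3
#define MAX_SLOTS	8		/* constructed: d->max for the toy block */
#define GET_DENTRY_SLOTS(x)	(((x) + SLOT_LEN - 1) >> SLOT_LEN_BITS)

struct toy_block {
	unsigned int max;			/* number of slots (d->max) */
	uint8_t bitmap;				/* bit i set: an entry starts in slot i */
	uint16_t name_len[MAX_SLOTS];		/* on-disk value, so untrusted */
	uint8_t filename[MAX_SLOTS * SLOT_LEN];	/* names run contiguously across slots */
};

struct walk_result {
	char names[128];	/* emitted names joined by '\n' */
	int err;		/* 0, or -EINVAL when the boundary check fires */
	unsigned int overrun;	/* bytes the unchecked copy would read past filename[] */
};

/* check_bounds: advance by slots first and refuse if that leaves the block
 * (patched order). Without it, trust name_len as the old code did, but record
 * and clamp the overrun instead of really reading out of bounds. */
static struct walk_result walk(const struct toy_block *d, bool check_bounds)
{
	struct walk_result r = { .names = "", .err = 0, .overrun = 0 };
	size_t used = 0, area = (size_t)d->max * SLOT_LEN;
	unsigned int bit_pos = 0;

	while (bit_pos < d->max) {
		if (!(d->bitmap & (1u << bit_pos))) {	/* free slot */
			bit_pos++;
			continue;
		}
		size_t start = (size_t)bit_pos * SLOT_LEN;
		unsigned int len = d->name_len[bit_pos];
		unsigned int next = bit_pos + GET_DENTRY_SLOTS(len);

		/* next == d->max is a name ending exactly at the block end: allowed */
		if (check_bounds && next > d->max) {
			r.err = -EINVAL;
			return r;
		}
		if (start + len > area) {		/* old code: copy runs off the block */
			r.overrun = (unsigned int)(start + len - area);
			len = (unsigned int)(area - start);
		}
		if (used + len + 1 >= sizeof(r.names))
			break;
		memcpy(r.names + used, d->filename + start, len);
		used += len;
		r.names[used++] = '\n';
		r.names[used] = '\0';
		bit_pos = next;
	}
	return r;
}

/* Constructed block: "a" in slot 0, "hello_world" in slots 1-2, a 32-byte name
 * in slots 4-7. last_len is the stored name_len of that last entry: 32 is the
 * honest value, anything larger stands in for on-disk corruption. */
static struct toy_block make_block(uint16_t last_len)
{
	struct toy_block b = { .max = MAX_SLOTS, .bitmap = (1u << 0) | (1u << 1) | (1u << 4) };

	memcpy(b.filename + 0 * SLOT_LEN, "a", 1);
	b.name_len[0] = 1;
	memcpy(b.filename + 1 * SLOT_LEN, "hello_world", 11);
	b.name_len[1] = 11;
	memcpy(b.filename + 4 * SLOT_LEN, "0123456789abcdef0123456789abcdef", 32);
	b.name_len[4] = last_len;
	return b;
}

static int walk_err(uint16_t last_len, bool check_bounds)
{
	struct toy_block b = make_block(last_len);
	return walk(&b, check_bounds).err;
}

static unsigned int walk_overrun(uint16_t last_len, bool check_bounds)
{
	struct toy_block b = make_block(last_len);
	return walk(&b, check_bounds).overrun;
}

static bool walk_names_equal(uint16_t last_len, bool check_bounds, const char *expect)
{
	struct toy_block b = make_block(last_len);
	struct walk_result r = walk(&b, check_bounds);
	return strcmp(r.names, expect) == 0;
}

int main(void)
{
	printf("name_len 32:     err=%d overrun=%u\n", walk_err(32, true), walk_overrun(32, false));
	printf("name_len 40:     err=%d overrun=%u\n", walk_err(40, true), walk_overrun(40, false));
	printf("name_len 0xffff: err=%d overrun=%u\n", walk_err(0xFFFF, true), walk_overrun(0xFFFF, false));
	return 0;
}
```

The three cases in `main()` are the ones that matter for the patch: the honest 32-byte name ends exactly on the last slot (`bit_pos` becomes `d->max`) and must be accepted, which is why the check uses `>` and not `>=`; a `name_len` of 40 needs five slots from slot 4 and would read 8 bytes past the name area under the old order but is refused with -EINVAL under the new one; and a fully corrupted 0xffff is refused the same way. The check is slot-granular, which is sound here because GET_DENTRY_SLOTS() rounds up, so any name that fits in the slots also fits in the bytes.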