Diffstat (limited to 'patches')
-rw-r--r-- | patches/cve/4.14.x.scc | 1 | ||||
-rw-r--r-- | patches/cve/CVE-2018-14614-f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch | 357 |
2 files changed, 358 insertions, 0 deletions
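--- a/patches/cve/4.14.x.scc
+++ b/patches/cve/4.14.x.scc
@@ -8,3 +8,4 @@ patch CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch
 patch CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch
 patch CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch
 patch CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch
+patch CVE-2018-14614-f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch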
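--- /dev/null
+++ b/patches/cve/CVE-2018-14614-f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch
@@ -0,0 +1,357 @@
+From 741c90da7d31dc4bab29aa2a086b3d1ad806adab Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Fri, 25 Jan 2019 13:12:32 +0000
+Subject: [PATCH] f2fs: fix to do sanity check with cp_pack_start_sum
+
+commit e494c2f995d6181d6e29c4927d68e0f295ecf75b upstream.
+
+After fuzzing, cp_pack_start_sum could be corrupted, so current log's
+summary info should be wrong due to loading incorrect summary block.
+Then, if segment's type in current log is exceeded NR_CURSEG_TYPE, it
+can lead accessing invalid dirty_i->dirty_segmap bitmap finally.
+
+Add sanity check for cp_pack_start_sum to fix this issue.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200419
+
+- Reproduce
+
+- Kernel message (f2fs-dev w/ KASAN)
+[ 3117.578432] F2FS-fs (loop0): Invalid log blocks per segment (8)
+
+[ 3117.578445] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
+[ 3117.581364] F2FS-fs (loop0): invalid crc_offset: 30716
+[ 3117.583564] WARNING: CPU: 1 PID: 1225 at fs/f2fs/checkpoint.c:90 __get_meta_page+0x448/0x4b0
+[ 3117.583570] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer joydev input_leds serio_raw snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel psmouse aes_x86_64 8139cp crypto_simd cryptd mii glue_helper pata_acpi floppy
+[ 3117.584014] CPU: 1 PID: 1225 Comm: mount Not tainted 4.17.0+ #1
+[ 3117.584017] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+[ 3117.584022] RIP: 0010:__get_meta_page+0x448/0x4b0
+[ 3117.584023] Code: 00 49 8d bc 24 84 00 00 00 e8 74 54 da ff 41 83 8c 24 84 00 00 00 08 4c 89 f6 4c 89 ef e8 c0 d9 95 00 48 89 ef e8 18 e3 00 00 <0f> 0b f0 80 4d 48 04 e9 0f fe ff ff 0f 0b 48 89 c7 48 89 04 24 e8
+[ 3117.584072] RSP: 0018:ffff88018eb678c0 EFLAGS: 00010286
+[ 3117.584082] RAX: ffff88018f0a6a78 RBX: ffffea0007a46600 RCX: ffffffff9314d1b2
+[ 3117.584085] RDX: ffffffff00000001 RSI: 0000000000000000 RDI: ffff88018f0a6a98
+[ 3117.584087] RBP: ffff88018ebe9980 R08: 0000000000000002 R09: 0000000000000001
+[ 3117.584090] R10: 0000000000000001 R11: ffffed00326e4450 R12: ffff880193722200
+[ 3117.584092] R13: ffff88018ebe9afc R14: 0000000000000206 R15: ffff88018eb67900
+[ 3117.584096] FS: 00007f5694636840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
+[ 3117.584098] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3117.584101] CR2: 00000000016f21b8 CR3: 0000000191c22000 CR4: 00000000000006e0
+[ 3117.584112] Call Trace:
+[ 3117.584121] ? f2fs_set_meta_page_dirty+0x150/0x150
+[ 3117.584127] ? f2fs_build_segment_manager+0xbf9/0x3190
+[ 3117.584133] ? f2fs_npages_for_summary_flush+0x75/0x120
+[ 3117.584145] f2fs_build_segment_manager+0xda8/0x3190
+[ 3117.584151] ? f2fs_get_valid_checkpoint+0x298/0xa00
+[ 3117.584156] ? f2fs_flush_sit_entries+0x10e0/0x10e0
+[ 3117.584184] ? map_id_range_down+0x17c/0x1b0
+[ 3117.584188] ? __put_user_ns+0x30/0x30
+[ 3117.584206] ? find_next_bit+0x53/0x90
+[ 3117.584237] ? cpumask_next+0x16/0x20
+[ 3117.584249] f2fs_fill_super+0x1948/0x2b40
+[ 3117.584258] ? f2fs_commit_super+0x1a0/0x1a0
+[ 3117.584279] ? sget_userns+0x65e/0x690
+[ 3117.584296] ? set_blocksize+0x88/0x130
+[ 3117.584302] ? f2fs_commit_super+0x1a0/0x1a0
+[ 3117.584305] mount_bdev+0x1c0/0x200
+[ 3117.584310] mount_fs+0x5c/0x190
+[ 3117.584320] vfs_kern_mount+0x64/0x190
+[ 3117.584330] do_mount+0x2e4/0x1450
+[ 3117.584343] ? lockref_put_return+0x130/0x130
+[ 3117.584347] ? copy_mount_string+0x20/0x20
+[ 3117.584357] ? kasan_unpoison_shadow+0x31/0x40
+[ 3117.584362] ? kasan_kmalloc+0xa6/0xd0
+[ 3117.584373] ? memcg_kmem_put_cache+0x16/0x90
+[ 3117.584377] ? __kmalloc_track_caller+0x196/0x210
+[ 3117.584383] ? _copy_from_user+0x61/0x90
+[ 3117.584396] ? memdup_user+0x3e/0x60
+[ 3117.584401] ksys_mount+0x7e/0xd0
+[ 3117.584405] __x64_sys_mount+0x62/0x70
+[ 3117.584427] do_syscall_64+0x73/0x160
+[ 3117.584440] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 3117.584455] RIP: 0033:0x7f5693f14b9a
+[ 3117.584456] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
+[ 3117.584505] RSP: 002b:00007fff27346488 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
+[ 3117.584510] RAX: ffffffffffffffda RBX: 00000000016e2030 RCX: 00007f5693f14b9a
+[ 3117.584512] RDX: 00000000016e2210 RSI: 00000000016e3f30 RDI: 00000000016ee040
+[ 3117.584514] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
+[ 3117.584516] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 00000000016ee040
+[ 3117.584519] R13: 00000000016e2210 R14: 0000000000000000 R15: 0000000000000003
+[ 3117.584523] ---[ end trace a8e0d899985faf31 ]---
+[ 3117.685663] F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=2, run fsck to fix.
+[ 3117.685673] F2FS-fs (loop0): recover_data: ino = 2 (i_size: recover) recovered = 1, err = 0
+[ 3117.685707] ==================================================================
+[ 3117.685955] BUG: KASAN: slab-out-of-bounds in __remove_dirty_segment+0xdd/0x1e0
+[ 3117.686175] Read of size 8 at addr ffff88018f0a63d0 by task mount/1225
+
+[ 3117.686477] CPU: 0 PID: 1225 Comm: mount Tainted: G W 4.17.0+ #1
+[ 3117.686481] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+[ 3117.686483] Call Trace:
+[ 3117.686494] dump_stack+0x71/0xab
+[ 3117.686512] print_address_description+0x6b/0x290
+[ 3117.686517] kasan_report+0x28e/0x390
+[ 3117.686522] ? __remove_dirty_segment+0xdd/0x1e0
+[ 3117.686527] __remove_dirty_segment+0xdd/0x1e0
+[ 3117.686532] locate_dirty_segment+0x189/0x190
+[ 3117.686538] f2fs_allocate_new_segments+0xa9/0xe0
+[ 3117.686543] recover_data+0x703/0x2c20
+[ 3117.686547] ? f2fs_recover_fsync_data+0x48f/0xd50
+[ 3117.686553] ? ksys_mount+0x7e/0xd0
+[ 3117.686564] ? policy_nodemask+0x1a/0x90
+[ 3117.686567] ? policy_node+0x56/0x70
+[ 3117.686571] ? add_fsync_inode+0xf0/0xf0
+[ 3117.686592] ? blk_finish_plug+0x44/0x60
+[ 3117.686597] ? f2fs_ra_meta_pages+0x38b/0x5e0
+[ 3117.686602] ? find_inode_fast+0xac/0xc0
+[ 3117.686606] ? f2fs_is_valid_blkaddr+0x320/0x320
+[ 3117.686618] ? __radix_tree_lookup+0x150/0x150
+[ 3117.686633] ? dqget+0x670/0x670
+[ 3117.686648] ? pagecache_get_page+0x29/0x410
+[ 3117.686656] ? kmem_cache_alloc+0x176/0x1e0
+[ 3117.686660] ? f2fs_is_valid_blkaddr+0x11d/0x320
+[ 3117.686664] f2fs_recover_fsync_data+0xc23/0xd50
+[ 3117.686670] ? f2fs_space_for_roll_forward+0x60/0x60
+[ 3117.686674] ? rb_insert_color+0x323/0x3d0
+[ 3117.686678] ? f2fs_recover_orphan_inodes+0xa5/0x700
+[ 3117.686683] ? proc_register+0x153/0x1d0
+[ 3117.686686] ? f2fs_remove_orphan_inode+0x10/0x10
+[ 3117.686695] ? f2fs_attr_store+0x50/0x50
+[ 3117.686700] ? proc_create_single_data+0x52/0x60
+[ 3117.686707] f2fs_fill_super+0x1d06/0x2b40
+[ 3117.686728] ? f2fs_commit_super+0x1a0/0x1a0
+[ 3117.686735] ? sget_userns+0x65e/0x690
+[ 3117.686740] ? set_blocksize+0x88/0x130
+[ 3117.686745] ? f2fs_commit_super+0x1a0/0x1a0
+[ 3117.686748] mount_bdev+0x1c0/0x200
+[ 3117.686753] mount_fs+0x5c/0x190
+[ 3117.686758] vfs_kern_mount+0x64/0x190
+[ 3117.686762] do_mount+0x2e4/0x1450
+[ 3117.686769] ? lockref_put_return+0x130/0x130
+[ 3117.686773] ? copy_mount_string+0x20/0x20
+[ 3117.686777] ? kasan_unpoison_shadow+0x31/0x40
+[ 3117.686780] ? kasan_kmalloc+0xa6/0xd0
+[ 3117.686786] ? memcg_kmem_put_cache+0x16/0x90
+[ 3117.686790] ? __kmalloc_track_caller+0x196/0x210
+[ 3117.686795] ? _copy_from_user+0x61/0x90
+[ 3117.686801] ? memdup_user+0x3e/0x60
+[ 3117.686804] ksys_mount+0x7e/0xd0
+[ 3117.686809] __x64_sys_mount+0x62/0x70
+[ 3117.686816] do_syscall_64+0x73/0x160
+[ 3117.686824] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 3117.686829] RIP: 0033:0x7f5693f14b9a
+[ 3117.686830] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
+[ 3117.686887] RSP: 002b:00007fff27346488 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
+[ 3117.686892] RAX: ffffffffffffffda RBX: 00000000016e2030 RCX: 00007f5693f14b9a
+[ 3117.686894] RDX: 00000000016e2210 RSI: 00000000016e3f30 RDI: 00000000016ee040
+[ 3117.686896] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
+[ 3117.686899] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 00000000016ee040
+[ 3117.686901] R13: 00000000016e2210 R14: 0000000000000000 R15: 0000000000000003
+
+[ 3117.687005] Allocated by task 1225:
+[ 3117.687152] kasan_kmalloc+0xa6/0xd0
+[ 3117.687157] kmem_cache_alloc_trace+0xfd/0x200
+[ 3117.687161] f2fs_build_segment_manager+0x2d09/0x3190
+[ 3117.687165] f2fs_fill_super+0x1948/0x2b40
+[ 3117.687168] mount_bdev+0x1c0/0x200
+[ 3117.687171] mount_fs+0x5c/0x190
+[ 3117.687174] vfs_kern_mount+0x64/0x190
+[ 3117.687177] do_mount+0x2e4/0x1450
+[ 3117.687180] ksys_mount+0x7e/0xd0
+[ 3117.687182] __x64_sys_mount+0x62/0x70
+[ 3117.687186] do_syscall_64+0x73/0x160
+[ 3117.687190] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+[ 3117.687285] Freed by task 19:
+[ 3117.687412] __kasan_slab_free+0x137/0x190
+[ 3117.687416] kfree+0x8b/0x1b0
+[ 3117.687460] ttm_bo_man_put_node+0x61/0x80 [ttm]
+[ 3117.687476] ttm_bo_cleanup_refs+0x15f/0x250 [ttm]
+[ 3117.687492] ttm_bo_delayed_delete+0x2f0/0x300 [ttm]
+[ 3117.687507] ttm_bo_delayed_workqueue+0x17/0x50 [ttm]
+[ 3117.687528] process_one_work+0x2f9/0x740
+[ 3117.687531] worker_thread+0x78/0x6b0
+[ 3117.687541] kthread+0x177/0x1c0
+[ 3117.687545] ret_from_fork+0x35/0x40
+
+[ 3117.687638] The buggy address belongs to the object at ffff88018f0a6300
+which belongs to the cache kmalloc-192 of size 192
+[ 3117.688014] The buggy address is located 16 bytes to the right of
+192-byte region [ffff88018f0a6300, ffff88018f0a63c0)
+[ 3117.688382] The buggy address belongs to the page:
+[ 3117.688554] page:ffffea00063c2980 count:1 mapcount:0 mapping:ffff8801f3403180 index:0x0
+[ 3117.688788] flags: 0x17fff8000000100(slab)
+[ 3117.688944] raw: 017fff8000000100 ffffea00063c2840 0000000e0000000e ffff8801f3403180
+[ 3117.689166] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
+[ 3117.689386] page dumped because: kasan: bad access detected
+
+[ 3117.689653] Memory state around the buggy address:
+[ 3117.689816] ffff88018f0a6280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[ 3117.690027] ffff88018f0a6300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 3117.690239] >ffff88018f0a6380: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 3117.690448] ^
+[ 3117.690644] ffff88018f0a6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 3117.690868] ffff88018f0a6480: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 3117.691077] ==================================================================
+[ 3117.691290] Disabling lock debugging due to kernel taint
+[ 3117.693893] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+[ 3117.694120] PGD 80000001f01bc067 P4D 80000001f01bc067 PUD 1d9638067 PMD 0
+[ 3117.694338] Oops: 0002 [#1] SMP KASAN PTI
+[ 3117.694490] CPU: 1 PID: 1225 Comm: mount Tainted: G B W 4.17.0+ #1
+[ 3117.694703] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+[ 3117.695073] RIP: 0010:__remove_dirty_segment+0xe2/0x1e0
+[ 3117.695246] Code: c4 48 89 c7 e8 cf bb d7 ff 45 0f b6 24 24 41 83 e4 3f 44 88 64 24 07 41 83 e4 3f 4a 8d 7c e3 08 e8 b3 bc d7 ff 4a 8b 4c e3 08 <f0> 4c 0f b3 29 0f 82 94 00 00 00 48 8d bd 20 04 00 00 e8 97 bb d7
+[ 3117.695793] RSP: 0018:ffff88018eb67638 EFLAGS: 00010292
+[ 3117.695969] RAX: 0000000000000000 RBX: ffff88018f0a6300 RCX: 0000000000000000
+[ 3117.696182] RDX: 0000000000000000 RSI: 0000000000000297 RDI: 0000000000000297
+[ 3117.696391] RBP: ffff88018ebe9980 R08: ffffed003e743ebb R09: ffffed003e743ebb
+[ 3117.696604] R10: 0000000000000001 R11: ffffed003e743eba R12: 0000000000000019
+[ 3117.696813] R13: 0000000000000014 R14: 0000000000000320 R15: ffff88018ebe99e0
+[ 3117.697032] FS: 00007f5694636840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
+[ 3117.697280] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3117.702357] CR2: 00007fe89bb1a000 CR3: 0000000191c22000 CR4: 00000000000006e0
+[ 3117.707235] Call Trace:
+[ 3117.712077] locate_dirty_segment+0x189/0x190
+[ 3117.716891] f2fs_allocate_new_segments+0xa9/0xe0
+[ 3117.721617] recover_data+0x703/0x2c20
+[ 3117.726316] ? f2fs_recover_fsync_data+0x48f/0xd50
+[ 3117.730957] ? ksys_mount+0x7e/0xd0
+[ 3117.735573] ? policy_nodemask+0x1a/0x90
+[ 3117.740198] ? policy_node+0x56/0x70
+[ 3117.744829] ? add_fsync_inode+0xf0/0xf0
+[ 3117.749487] ? blk_finish_plug+0x44/0x60
+[ 3117.754152] ? f2fs_ra_meta_pages+0x38b/0x5e0
+[ 3117.758831] ? find_inode_fast+0xac/0xc0
+[ 3117.763448] ? f2fs_is_valid_blkaddr+0x320/0x320
+[ 3117.768046] ? __radix_tree_lookup+0x150/0x150
+[ 3117.772603] ? dqget+0x670/0x670
+[ 3117.777159] ? pagecache_get_page+0x29/0x410
+[ 3117.781648] ? kmem_cache_alloc+0x176/0x1e0
+[ 3117.786067] ? f2fs_is_valid_blkaddr+0x11d/0x320
+[ 3117.790476] f2fs_recover_fsync_data+0xc23/0xd50
+[ 3117.794790] ? f2fs_space_for_roll_forward+0x60/0x60
+[ 3117.799086] ? rb_insert_color+0x323/0x3d0
+[ 3117.803304] ? f2fs_recover_orphan_inodes+0xa5/0x700
+[ 3117.807563] ? proc_register+0x153/0x1d0
+[ 3117.811766] ? f2fs_remove_orphan_inode+0x10/0x10
+[ 3117.815947] ? f2fs_attr_store+0x50/0x50
+[ 3117.820087] ? proc_create_single_data+0x52/0x60
+[ 3117.824262] f2fs_fill_super+0x1d06/0x2b40
+[ 3117.828367] ? f2fs_commit_super+0x1a0/0x1a0
+[ 3117.832432] ? sget_userns+0x65e/0x690
+[ 3117.836500] ? set_blocksize+0x88/0x130
+[ 3117.840501] ? f2fs_commit_super+0x1a0/0x1a0
+[ 3117.844420] mount_bdev+0x1c0/0x200
+[ 3117.848275] mount_fs+0x5c/0x190
+[ 3117.852053] vfs_kern_mount+0x64/0x190
+[ 3117.855810] do_mount+0x2e4/0x1450
+[ 3117.859441] ? lockref_put_return+0x130/0x130
+[ 3117.862996] ? copy_mount_string+0x20/0x20
+[ 3117.866417] ? kasan_unpoison_shadow+0x31/0x40
+[ 3117.869719] ? kasan_kmalloc+0xa6/0xd0
+[ 3117.872948] ? memcg_kmem_put_cache+0x16/0x90
+[ 3117.876121] ? __kmalloc_track_caller+0x196/0x210
+[ 3117.879333] ? _copy_from_user+0x61/0x90
+[ 3117.882467] ? memdup_user+0x3e/0x60
+[ 3117.885604] ksys_mount+0x7e/0xd0
+[ 3117.888700] __x64_sys_mount+0x62/0x70
+[ 3117.891742] do_syscall_64+0x73/0x160
+[ 3117.894692] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 3117.897669] RIP: 0033:0x7f5693f14b9a
+[ 3117.900563] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
+[ 3117.906922] RSP: 002b:00007fff27346488 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
+[ 3117.910159] RAX: ffffffffffffffda RBX: 00000000016e2030 RCX: 00007f5693f14b9a
+[ 3117.913469] RDX: 00000000016e2210 RSI: 00000000016e3f30 RDI: 00000000016ee040
+[ 3117.916764] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
+[ 3117.920071] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 00000000016ee040
+[ 3117.923393] R13: 00000000016e2210 R14: 0000000000000000 R15: 0000000000000003
+[ 3117.926680] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer joydev input_leds serio_raw snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel psmouse aes_x86_64 8139cp crypto_simd cryptd mii glue_helper pata_acpi floppy
+[ 3117.949979] CR2: 0000000000000000
+[ 3117.954283] ---[ end trace a8e0d899985faf32 ]---
+[ 3117.958575] RIP: 0010:__remove_dirty_segment+0xe2/0x1e0
+[ 3117.962810] Code: c4 48 89 c7 e8 cf bb d7 ff 45 0f b6 24 24 41 83 e4 3f 44 88 64 24 07 41 83 e4 3f 4a 8d 7c e3 08 e8 b3 bc d7 ff 4a 8b 4c e3 08 <f0> 4c 0f b3 29 0f 82 94 00 00 00 48 8d bd 20 04 00 00 e8 97 bb d7
+[ 3117.971789] RSP: 0018:ffff88018eb67638 EFLAGS: 00010292
+[ 3117.976333] RAX: 0000000000000000 RBX: ffff88018f0a6300 RCX: 0000000000000000
+[ 3117.980926] RDX: 0000000000000000 RSI: 0000000000000297 RDI: 0000000000000297
+[ 3117.985497] RBP: ffff88018ebe9980 R08: ffffed003e743ebb R09: ffffed003e743ebb
+[ 3117.990098] R10: 0000000000000001 R11: ffffed003e743eba R12: 0000000000000019
+[ 3117.994761] R13: 0000000000000014 R14: 0000000000000320 R15: ffff88018ebe99e0
+[ 3117.999392] FS: 00007f5694636840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
+[ 3118.004096] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3118.008816] CR2: 00007fe89bb1a000 CR3: 0000000191c22000 CR4: 00000000000006e0
+
+- Location
+https://elixir.bootlin.com/linux/v4.18-rc3/source/fs/f2fs/segment.c#L775
+if (test_and_clear_bit(segno, dirty_i->dirty_segmap[t]))
+dirty_i->nr_dirty[t]--;
+Here dirty_i->dirty_segmap[t] can be NULL which leads to crash in test_and_clear_bit()
+
+CVE: CVE-2018-14614
+Upstream-Status: Backport
+
+Reported-by Wen Xu <wen.xu@gatech.edu>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[bwh: Backported to 4.14: The function is called sanity_check_ckpt()]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+fs/f2fs/checkpoint.c | 8 ++++----
+fs/f2fs/super.c | 12 ++++++++++++
+2 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c
+index c282e21f5b5e..0a78a6898e57 100644
+--- a/fs/f2fs/checkpoint.c
++++ b/fs/f2fs/checkpoint.c
+@@ -799,15 +799,15 @@ int get_valid_checkpoint(struct f2fs_sb_info *sbi)
+cp_block = (struct f2fs_checkpoint *)page_address(cur_page);
+memcpy(sbi->ckpt, cp_block, blk_size);
+
+- /* Sanity checking of checkpoint */
+- if (sanity_check_ckpt(sbi))
+- goto free_fail_no_cp;
+-
+if (cur_page == cp1)
+sbi->cur_cp_pack = 1;
+else
+sbi->cur_cp_pack = 2;
+
++ /* Sanity checking of checkpoint */
++ if (sanity_check_ckpt(sbi))
++ goto free_fail_no_cp;
++
+if (cp_blks <= 1)
+goto done;
+
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 75af507273a4..cf3830474c22 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1885,6 +1885,7 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
+unsigned int main_segs, blocks_per_seg;
+unsigned int log_blocks_per_seg;
+unsigned int segment_count_main;
++ unsigned int cp_pack_start_sum, cp_payload;
+block_t user_block_count;
+int i;
+
+@@ -1932,6 +1933,17 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
+return 1;
+}
+
++ cp_pack_start_sum = __start_sum_addr(sbi);
++ cp_payload = __cp_payload(sbi);
++ if (cp_pack_start_sum < cp_payload + 1 ||
++ cp_pack_start_sum > blocks_per_seg - 1 -
++ NR_CURSEG_TYPE) {
++ f2fs_msg(sbi->sb, KERN_ERR,
++ "Wrong cp_pack_start_sum: %u",
++ cp_pack_start_sum);
++ return 1;
++ }
++
+if (unlikely(f2fs_cp_error(sbi))) {
+f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck");
+return 1;
+--
+2.19.2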
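Review bot: The new upper bound in sanity_check_ckpt(), `cp_pack_start_sum > blocks_per_seg - 1 - NR_CURSEG_TYPE`, is unsigned arithmetic, so it would accept every value if blocks_per_seg were ever smaller than NR_CURSEG_TYPE + 1, and the lower bound `cp_pack_start_sum < cp_payload + 1` likewise wraps to 0 for a superblock cp_payload of UINT_MAX; both operands come from on-disk metadata, and whether this 4.14 tree bounds them before this point is not visible in the hunk (the reproducer's "Invalid log blocks per segment" message suggests blocks_per_seg is, cp_payload is less clear). A one-line comment above the check would record that dependency for the next reader, e.g. `/* relies on blocks_per_seg and cp_payload having been validated against the raw superblock earlier; the arithmetic below must not wrap -- TODO confirm for 4.14 */`. The checkpoint.c hunk also moves the sanity_check_ckpt() call after cur_cp_pack is assigned without the patch header or the backport tag saying why the order matters; a short comment at the new call site would save re-deriving it. Both get_valid_checkpoint() and sanity_check_ckpt() extend beyond their hunks.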