ext4: fix potential out of bound read in ext4_fc_replay_scan()

For scan loop must ensure that at least EXT4_FC_TAG_BASE_LEN space. If remain
space less than EXT4_FC_TAG_BASE_LEN which will lead to out of bound read
when mounting corrupt file system image.
ADD_RANGE/HEAD/TAIL is needed to add extra check when do journal scan, as this
three tags will read data during scan, tag length couldn't less than data length
which will read.

Cc: stable@kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Link: https://lore.kernel.org/r/20220924075233.2315259-4-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c
index 54622005a0c8d5b4273247d7df4253245e889097..ef05bfa87798c12f2ebba8ff56ee58a5ab5343bf 100644 (file)
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -1976,6 +1976,34 @@ void ext4_fc_replay_cleanup(struct super_block *sb)
        kfree(sbi->s_fc_replay_state.fc_modified_inodes);
 }
 
+static inline bool ext4_fc_tag_len_isvalid(struct ext4_fc_tl *tl,
+                                          u8 *val, u8 *end)
+{
+       if (val + tl->fc_len > end)
+               return false;
+
+       /* Here only check ADD_RANGE/TAIL/HEAD which will read data when do
+        * journal rescan before do CRC check. Other tags length check will
+        * rely on CRC check.
+        */
+       switch (tl->fc_tag) {
+       case EXT4_FC_TAG_ADD_RANGE:
+               return (sizeof(struct ext4_fc_add_range) == tl->fc_len);
+       case EXT4_FC_TAG_TAIL:
+               return (sizeof(struct ext4_fc_tail) <= tl->fc_len);
+       case EXT4_FC_TAG_HEAD:
+               return (sizeof(struct ext4_fc_head) == tl->fc_len);
+       case EXT4_FC_TAG_DEL_RANGE:
+       case EXT4_FC_TAG_LINK:
+       case EXT4_FC_TAG_UNLINK:
+       case EXT4_FC_TAG_CREAT:
+       case EXT4_FC_TAG_INODE:
+       case EXT4_FC_TAG_PAD:
+       default:
+               return true;
+       }
+}
+
 /*
  * Recovery Scan phase handler
  *
@@ -2032,10 +2060,15 @@ static int ext4_fc_replay_scan(journal_t *journal,
        }
 
        state->fc_replay_expected_off++;
-       for (cur = start; cur < end;
+       for (cur = start; cur < end - EXT4_FC_TAG_BASE_LEN;
             cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) {
                ext4_fc_get_tl(&tl, cur);
                val = cur + EXT4_FC_TAG_BASE_LEN;
+               if (!ext4_fc_tag_len_isvalid(&tl, val, end)) {
+                       ret = state->fc_replay_num_tags ?
+                               JBD2_FC_REPLAY_STOP : -ECANCELED;
+                       goto out_err;
+               }
                ext4_debug("Scan phase, tag:%s, blk %lld\n",
                           tag2str(tl.fc_tag), bh->b_blocknr);
                switch (tl.fc_tag) {
@@ -2146,7 +2179,7 @@ static int ext4_fc_replay(journal_t *journal, struct buffer_head *bh,
        start = (u8 *)bh->b_data;
        end = (__u8 *)bh->b_data + journal->j_blocksize - 1;
 
-       for (cur = start; cur < end;
+       for (cur = start; cur < end - EXT4_FC_TAG_BASE_LEN;
             cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) {
                ext4_fc_get_tl(&tl, cur);
                val = cur + EXT4_FC_TAG_BASE_LEN;
@@ -2156,6 +2189,7 @@ static int ext4_fc_replay(journal_t *journal, struct buffer_head *bh,
                        ext4_fc_set_bitmaps_and_counters(sb);
                        break;
                }
+
                ext4_debug("Replay phase, tag:%s\n", tag2str(tl.fc_tag));
                state->fc_replay_num_tags--;
                switch (tl.fc_tag) {