f2fs: check validation of fault attrs in f2fs_build_fault_attr()

[ Upstream commit 4ed886b187f47447ad559619c48c086f432d2b77 ]

Fix CVE: CVE-2024-42160

- parse_options() did not validate the fault attrs; fix this by adding
the check conditions to f2fs_build_fault_attr().
- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.

Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Haisu Wang <haisuwang@tencent.com>
Signed-off-by: Jianping Liu <frankjpliu@tencent.com>
Chao Yu 2024-05-07 11:38:47 +08:00 committed by Jianping Liu
parent 26c7e4d609
commit e6aa61ffba
3 changed files with 38 additions and 15 deletions


@ -63,7 +63,7 @@ enum {
struct f2fs_fault_info {
atomic_t inject_ops;
unsigned int inject_rate;
int inject_rate;
unsigned int inject_type;
};
@ -3762,10 +3762,14 @@ static inline bool f2fs_force_buffered_io(struct inode *inode,
}
#ifdef CONFIG_F2FS_FAULT_INJECTION
extern void f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned int rate,
unsigned int type);
extern int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate,
unsigned long type);
#else
#define f2fs_build_fault_attr(sbi, rate, type) do { } while (0)
static int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate,
unsigned long type)
{
return 0;
}
#endif
static inline bool is_journalled_quota(struct f2fs_sb_info *sbi)
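Review bot: The `#else` stub of f2fs_build_fault_attr() is defined as plain `static int` in a header, so with CONFIG_F2FS_FAULT_INJECTION disabled every file that includes this header without calling the function gets an unused private copy and a -Wunused-function warning, which is a build failure under -Werror. The neighbouring helpers visible in this hunk (f2fs_force_buffered_io(), is_journalled_quota()) are `static inline`, and the stub should match them. Declaring it as `static inline int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate, unsigned long type)` keeps the int return that the new callers test.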


@ -57,21 +57,31 @@ const char *f2fs_fault_name[FAULT_MAX] = {
[FAULT_WRITE_IO] = "write IO error",
};
void f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned int rate,
unsigned int type)
int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate,
unsigned long type)
{
struct f2fs_fault_info *ffi = &F2FS_OPTION(sbi).fault_info;
if (rate) {
if (rate > INT_MAX)
return -EINVAL;
atomic_set(&ffi->inject_ops, 0);
ffi->inject_rate = rate;
ffi->inject_rate = (int)rate;
}
if (type)
ffi->inject_type = type;
if (type) {
if (type >= BIT(FAULT_MAX))
return -EINVAL;
ffi->inject_type = (unsigned int)type;
}
if (!rate && !type)
memset(ffi, 0, sizeof(struct f2fs_fault_info));
else
f2fs_info(sbi,
"build fault injection attr: rate: %lu, type: 0x%lx",
rate, type);
return 0;
}
#endif
@ -673,14 +683,17 @@ static int parse_options(struct super_block *sb, char *options)
case Opt_fault_injection:
if (args->from && match_int(args, &arg))
return -EINVAL;
f2fs_build_fault_attr(sbi, arg, F2FS_ALL_FAULT_TYPE);
if (f2fs_build_fault_attr(sbi, arg,
F2FS_ALL_FAULT_TYPE))
return -EINVAL;
set_opt(sbi, FAULT_INJECTION);
break;
case Opt_fault_type:
if (args->from && match_int(args, &arg))
return -EINVAL;
f2fs_build_fault_attr(sbi, 0, arg);
if (f2fs_build_fault_attr(sbi, 0, arg))
return -EINVAL;
set_opt(sbi, FAULT_INJECTION);
break;
#else
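Review bot: In f2fs_build_fault_attr() the rate is committed before the type is validated, so a call with both arguments non-zero and `type >= BIT(FAULT_MAX)` returns -EINVAL after `inject_ops` has already been reset and `inject_rate` overwritten. The callers visible on this page pass either a zero or the constant F2FS_ALL_FAULT_TYPE, so this may not be reachable today, but a validator is easier to audit when it rejects before it writes. Since zero passes both range checks, they can be hoisted to the top of the function as `if (rate > INT_MAX || type >= BIT(FAULT_MAX)) return -EINVAL;`. A short comment on the function stating that a zero argument leaves that field unchanged and two zeros clear the whole structure would also help, because that contract is only visible by reading the body.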


@ -254,10 +254,16 @@ out:
if (ret < 0)
return ret;
#ifdef CONFIG_F2FS_FAULT_INJECTION
if (a->struct_type == FAULT_INFO_TYPE && t >= (1 << FAULT_MAX))
if (a->struct_type == FAULT_INFO_TYPE) {
if (f2fs_build_fault_attr(sbi, 0, t))
return -EINVAL;
if (a->struct_type == FAULT_INFO_RATE && t >= UINT_MAX)
return count;
}
if (a->struct_type == FAULT_INFO_RATE) {
if (f2fs_build_fault_attr(sbi, t, 0))
return -EINVAL;
return count;
}
#endif
if (a->struct_type == RESERVED_BLOCKS) {
spin_lock(&sbi->stat_lock);
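Review bot: Writing 0 through either of these branches now reaches the `!rate && !type` case of f2fs_build_fault_attr(), which memsets the whole f2fs_fault_info, so zeroing the fault type also clears the injection rate and the reverse. The removed lines only range-checked `t` here; the actual store happened further down the function, outside this hunk, and presumably touched a single field. If the coupling is intended it deserves a comment at these calls, e.g. `/* t == 0 resets both inject_rate and inject_type */`; if it is not, the zero case needs its own path so each attribute can be cleared independently. Every accepted non-zero write now also emits the helper's f2fs_info() line, which is worth a conscious decision for a runtime-tunable attribute.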