f2fs: fix out-of-bounds read in update_free_nid_bitmap

test_bit will access with unsigned long, which cause this bug. Workaround by enlarge free_nid_bitmap. BUG: KASAN: slab-out-of-bounds in update_free_nid_bitmap+0x98/0x16c Read of size 8 at addr ffffffc06275c9ff by task init/195 CPU: 3 PID: 195 Comm: init Not tainted 4.4.114 hardkernel#55 Hardware name: Rockchip rk3326 evb board (DT) Call trace: dump_backtrace+0x0/0x244 show_stack+0x14/0x1c dump_stack+0xa4/0xcc print_address_description+0xa4/0x308 kasan_report+0x258/0x29c __asan_load8+0x78/0x80 update_free_nid_bitmap+0x98/0x16c build_node_manager+0x884/0x950 f2fs_fill_super+0x14bc/0x1ca8 mount_bdev+0x174/0x208 f2fs_mount+0x14/0x1c mount_fs+0xbc/0x1b0 vfs_kern_mount+0xbc/0x1c8 do_mount+0xcf0/0xe68 SyS_mount+0x94/0xe0 el0_svc_naked+0x24/0x28 Change-Id: I9167447ded0a8c2da1b80cdc671615c9108c02be Signed-off-by: Tao Huang <huangtao@rock-chips.com>
peak3d · Feb 23, 2018 · 921df26 · 921df26
1 parent bc6e99f
commit 921df26
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
@@ -2731,7 +2731,8 @@ static int init_free_nid_cache(struct f2fs_sb_info *sbi)
 	struct f2fs_nm_info *nm_i = NM_I(sbi);
 
 	nm_i->free_nid_bitmap = kvzalloc(nm_i->nat_blocks *
-					NAT_ENTRY_BITMAP_SIZE, GFP_KERNEL);
+					NAT_ENTRY_BITMAP_SIZE +
+					sizeof(unsigned long), GFP_KERNEL);
 	if (!nm_i->free_nid_bitmap)
 		return -ENOMEM;