Unverified Commit 5387ce29 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!10759 Fix CVE-2024-42160

Merge Pull Request from: @ci-robot 
 
PR sync from: Zheng Zucheng <zhengzucheng@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/ETFDC4BLBXXZN42YL2OGMOBQB5ZSXTTW/ 
Fix CVE-2024-42160

Chao Yu (1):
  f2fs: check validation of fault attrs in f2fs_build_fault_attr()

Nathan Chancellor (1):
  f2fs: Add inline to f2fs_build_fault_attr() stub


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/IAGS16 
 
Link:https://gitee.com/openeuler/kernel/pulls/10759

 

Reviewed-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
parents 152a72b4 d7db19a7
+8 −4
@@ -64,7 +64,7 @@ enum {

struct f2fs_fault_info {
	atomic_t inject_ops;
	unsigned int inject_rate;
	int inject_rate;
	unsigned int inject_type;
};

@@ -4115,10 +4115,14 @@ static inline bool f2fs_force_buffered_io(struct inode *inode,
}

#ifdef CONFIG_F2FS_FAULT_INJECTION
extern void f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned int rate,
							unsigned int type);
extern int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate,
							unsigned long type);
#else
#define f2fs_build_fault_attr(sbi, rate, type)		do { } while (0)
static inline int f2fs_build_fault_attr(struct f2fs_sb_info *sbi,
					unsigned long rate, unsigned long type)
{
	return 0;
}
#endif

static inline bool is_journalled_quota(struct f2fs_sb_info *sbi)
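Review bot: The new `f2fs_build_fault_attr()` declaration returns an error code but has no comment saying which values it rejects or how zero arguments are treated, and the callers in the other two files on this page rely on exactly that contract. I would add above the prototype: `/* rate/type == 0 leaves that field unchanged, both 0 clears fault_info; returns -EINVAL if rate > INT_MAX or type >= BIT(FAULT_MAX) */`. The `inject_rate` field in the first hunk also becomes signed with no stated reason. A one-line comment on why it is `int` (presumably to match the `atomic_t` counter it is compared against, which is not visible here) would keep a later cleanup from widening it again.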
+20 −7
@@ -58,21 +58,31 @@ const char *f2fs_fault_name[FAULT_MAX] = {
	[FAULT_WRITE_IO]	= "write IO error",
};

void f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned int rate,
							unsigned int type)
int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate,
							unsigned long type)
{
	struct f2fs_fault_info *ffi = &F2FS_OPTION(sbi).fault_info;

	if (rate) {
		if (rate > INT_MAX)
			return -EINVAL;
		atomic_set(&ffi->inject_ops, 0);
		ffi->inject_rate = rate;
		ffi->inject_rate = (int)rate;
	}

	if (type)
		ffi->inject_type = type;
	if (type) {
		if (type >= BIT(FAULT_MAX))
			return -EINVAL;
		ffi->inject_type = (unsigned int)type;
	}

	if (!rate && !type)
		memset(ffi, 0, sizeof(struct f2fs_fault_info));
	else
		f2fs_info(sbi,
			"build fault injection attr: rate: %lu, type: 0x%lx",
								rate, type);
	return 0;
}
#endif

@@ -728,14 +738,17 @@ static int parse_options(struct super_block *sb, char *options, bool is_remount)
		case Opt_fault_injection:
			if (args->from && match_int(args, &arg))
				return -EINVAL;
			f2fs_build_fault_attr(sbi, arg, F2FS_ALL_FAULT_TYPE);
			if (f2fs_build_fault_attr(sbi, arg,
					F2FS_ALL_FAULT_TYPE))
				return -EINVAL;
			set_opt(sbi, FAULT_INJECTION);
			break;

		case Opt_fault_type:
			if (args->from && match_int(args, &arg))
				return -EINVAL;
			f2fs_build_fault_attr(sbi, 0, arg);
			if (f2fs_build_fault_attr(sbi, 0, arg))
				return -EINVAL;
			set_opt(sbi, FAULT_INJECTION);
			break;
#else
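Review bot: In `f2fs_build_fault_attr()` the range checks are interleaved with the writes, so a call with a valid non-zero rate and an out-of-range type resets `inject_ops` and stores `inject_rate` before it returns -EINVAL. Each caller visible on this page passes only one caller-controlled value, so this looks latent rather than reachable today, but validating first keeps the function all-or-nothing: put `if (rate > INT_MAX || type >= BIT(FAULT_MAX)) return -EINVAL;` at the top and leave only the assignments inside the two `if` blocks. In the `parse_options()` hunk a negative `arg` from `match_int()` is rejected only because the value is converted to `unsigned long` at the call. A short comment such as `/* negative values convert to > INT_MAX and are rejected */` would make that dependency explicit. `parse_options()` begins and ends outside the hunk.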
+10 −4
@@ -322,10 +322,16 @@ static ssize_t __sbi_store(struct f2fs_attr *a,
	if (ret < 0)
		return ret;
#ifdef CONFIG_F2FS_FAULT_INJECTION
	if (a->struct_type == FAULT_INFO_TYPE && t >= (1 << FAULT_MAX))
	if (a->struct_type == FAULT_INFO_TYPE) {
		if (f2fs_build_fault_attr(sbi, 0, t))
			return -EINVAL;
	if (a->struct_type == FAULT_INFO_RATE && t >= UINT_MAX)
		return count;
	}
	if (a->struct_type == FAULT_INFO_RATE) {
		if (f2fs_build_fault_attr(sbi, t, 0))
			return -EINVAL;
		return count;
	}
#endif
	if (a->struct_type == RESERVED_BLOCKS) {
		spin_lock(&sbi->stat_lock);
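Review bot: Writing 0 to either sysfs attribute now calls `f2fs_build_fault_attr()` with both arguments zero, and that function's `!rate && !type` branch clears the whole `f2fs_fault_info`, so zeroing `inject_type` also drops a configured `inject_rate` and the reverse. The lines this replaces only range-checked `t` and, as far as the hunk shows, left the store to the code further down, so this looks like an unintended behaviour change rather than part of the bounds fix. If the clear-all is meant for the mount-option path only, the sysfs path should handle `t == 0` itself by updating just the field being written, or the coupling should be documented where the attributes are described. `__sbi_store()` begins and ends outside the hunk.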