Commit b0241d47 authored by Yuezhang Mo's avatar Yuezhang Mo Committed by Long Li
Browse files

exfat: fix out-of-bounds access of directory entries 

mainline inclusion
from mainline-v6.10-rc2
commit 184fa506e392eb78364d9283c961217ff2c0617b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHGB
CVE: CVE-2024-53147

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=184fa506e392eb78364d9283c961217ff2c0617b



--------------------------------

In the case of the directory size is greater than or equal to
the cluster size, if start_clu becomes an EOF cluster(an invalid
cluster) due to file system corruption, then the directory entry
where ei->hint_femp.eidx hint is outside the directory, resulting
in an out-of-bounds access, which may cause further file system
corruption.

This commit adds a check for start_clu, if it is an invalid cluster,
the file or directory will be treated as empty.

Cc: stable@vger.kernel.org
Signed-off-by: default avatarYuezhang Mo <Yuezhang.Mo@sony.com>
Co-developed-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>

Conflicts:
	fs/exfat/namei.c
[Conflicts due to not merge 11a347fb6cef ("exfat: change to get file
size from DataLength")]
Signed-off-by: default avatarLong Li <leo.lilong@huawei.com>
parent 16a0cbac

fs/exfat/namei.c

+8 −2
Original line number Diff line number Diff line
@@ -656,13 +656,19 @@ static int exfat_find(struct inode *dir, struct qstr *qname, 
	info->type = exfat_get_entry_type(ep);

	info->attr = le16_to_cpu(ep->dentry.file.attr);

	info->size = le64_to_cpu(ep2->dentry.stream.valid_size);



	info->start_clu = le32_to_cpu(ep2->dentry.stream.start_clu);

	if (!is_valid_cluster(sbi, info->start_clu) && info->size) {

		exfat_warn(sb, "start_clu is invalid cluster(0x%x)",

				info->start_clu);

		info->size = 0;

	}



	if (info->size == 0) {

		info->flags = ALLOC_NO_FAT_CHAIN;

		info->start_clu = EXFAT_EOF_CLUSTER;

	} else {

		info->flags = ep2->dentry.stream.flags;

		info->start_clu =

			le32_to_cpu(ep2->dentry.stream.start_clu);

	}



	exfat_get_entry_time(sbi, &info->crtime,