In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on block address in f2fs_do_zero_range()
As Yanming reported in bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=215894
I have encountered a bug in F2FS file system in kernel v5.17.
I have uploaded the system call sequence as case.c, and a fuzzed image can be found in google net disk
The kernel should enable CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y. You can reproduce the bug by running the following commands:
kernel BUG at fs/f2fs/segment.c:2291!
Call Trace:
 f2fs_invalidate_blocks+0x193/0x2d0
 f2fs_fallocate+0x2593/0x4a70
 vfs_fallocate+0x2a5/0xac0
 ksys_fallocate+0x35/0x70
 __x64_sys_fallocate+0x8e/0xf0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
The root cause is, after the image was fuzzed, block mapping info in the inode will be inconsistent with the SIT table, so in f2fs_fallocate(), it will cause a panic when updating the SIT with an invalid blkaddr.
Let's fix the issue by adding a sanity check on the block address before updating the SIT table with it.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49363.json"
}