CVE-2022-50753

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to do sanity check on summary info

As Wenqing Liu reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=216456

BUG: KASAN: use-after-free in recover_data+0x63ae/0x6ae0 [f2fs] Read of size 4 at addr ffff8881464dcd80 by task mount/1013

CPU: 3 PID: 1013 Comm: mount Tainted: G W 6.0.0-rc4 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 Call Trace: dumpstacklvl+0x45/0x5e printreport.cold+0xf3/0x68d kasanreport+0xa8/0x130 recoverdata+0x63ae/0x6ae0 [f2fs] f2fsrecoverfsyncdata+0x120d/0x1fc0 [f2fs] f2fsfillsuper+0x4665/0x61e0 [f2fs] mountbdev+0x2cf/0x3b0 legacygettree+0xed/0x1d0 vfsgettree+0x81/0x2b0 pathmount+0x47e/0x19d0 do_mount+0xce/0xf0 __x64sysmount+0x12c/0x1a0 dosyscall64+0x38/0x90 entrySYSCALL64afterhwframe+0x63/0xcd

The root cause is: in fuzzed image, SSA table is corrupted: ofsinnode is larger than ADDRSPERPAGE(), result in out-of-range access on 4k-size page.

• recover_data
  • dorecoverdata
    • checkindexinprevnodes
      • f2fsdatablkaddr

This patch adds sanity check on summary info in recovery and GC flow in where the flows rely on them.

After patch: [ 29.310883] F2FS-fs (loop0): Inconsistent ofsinnode:65286 in summary, ino:0, nid:6, max:1018