In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on ixattrnid in sanitycheckinode()
syzbot reports a kernel bug as below:
BUG: KASAN: slab-out-of-bounds in f2fstestbit fs/f2fs/f2fs.h:2933 [inline] BUG: KASAN: slab-out-of-bounds in currentnataddr fs/f2fs/node.h:213 [inline] BUG: KASAN: slab-out-of-bounds in f2fsgetnode_info+0xece/0x1200 fs/f2fs/node.c:600 Read of size 1 at addr ffff88807a58c76c by task syz-executor280/5076
CPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:114 printaddressdescription mm/kasan/report.c:377 [inline] printreport+0x169/0x550 mm/kasan/report.c:488 kasanreport+0x143/0x180 mm/kasan/report.c:601 f2fstestbit fs/f2fs/f2fs.h:2933 [inline] currentnataddr fs/f2fs/node.h:213 [inline] f2fsgetnodeinfo+0xece/0x1200 fs/f2fs/node.c:600 f2fsxattrfiemap fs/f2fs/data.c:1848 [inline] f2fsfiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925 ioctlfiemap fs/ioctl.c:220 [inline] dovfsioctl+0x1c07/0x2e50 fs/ioctl.c:838 _dosysioctl fs/ioctl.c:902 [inline] _sesysioctl+0x81/0x170 fs/ioctl.c:890 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xf5/0x240 arch/x86/entry/common.c:83 entrySYSCALL64after_hwframe+0x77/0x7f
The root cause is we missed to do sanity check on ixattrnid during f2fsiget(), so that in fiemap() path, currentnataddr() will access natbitmap w/ offset from invalid ixattrnid, result in triggering kasan bug report, fix it.