From: Yuezhang Mo <Yuezhang.Mo@sony.com>
mainline inclusion
from mainline-v6.10-rc2
commit 184fa506e392eb78364d9283c961217ff2c0617b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHGB
CVE: CVE-2024-53147
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
In the case where the directory size is greater than or equal to the cluster size, if start_clu becomes an EOF cluster (an invalid cluster) due to file system corruption, then the directory entry where ei->hint_femp.eidx hint is outside the directory, resulting in an out-of-bounds access, which may cause further file system corruption.
This commit adds a check for start_clu; if it is an invalid cluster, the file or directory will be treated as empty.
Cc: stable@vger.kernel.org
Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
Co-developed-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>

Conflicts:
	fs/exfat/namei.c
[Conflicts due to not merge 11a347fb6cef ("exfat: change to get file size from DataLength")]
Signed-off-by: Long Li <leo.lilong@huawei.com>
---
 fs/exfat/namei.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c index d62d961e278d..5b78b9ba417e 100644 --- a/fs/exfat/namei.c +++ b/fs/exfat/namei.c @@ -655,13 +655,19 @@ static int exfat_find(struct inode *dir, struct qstr *qname, info->type = exfat_get_entry_type(ep); info->attr = le16_to_cpu(ep->dentry.file.attr); info->size = le64_to_cpu(ep2->dentry.stream.valid_size); + + info->start_clu = le32_to_cpu(ep2->dentry.stream.start_clu); + if (!is_valid_cluster(sbi, info->start_clu) && info->size) { + exfat_warn(sb, "start_clu is invalid cluster(0x%x)", + info->start_clu); + info->size = 0; + } + if (info->size == 0) { info->flags = ALLOC_NO_FAT_CHAIN; info->start_clu = EXFAT_EOF_CLUSTER; } else { info->flags = ep2->dentry.stream.flags; - info->start_clu = - le32_to_cpu(ep2->dentry.stream.start_clu); }
exfat_get_entry_time(sbi, &info->crtime,
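Review bot: In the added "if (!is_valid_cluster(sbi, info->start_clu) && info->size)" block, the exfat_warn() message prints only the cluster value, so someone reading the log cannot tell which directory entry is corrupted; consider including the name being looked up (qname is already a parameter of exfat_find) or the entry position. The same block resets info->size to 0 with no comment, which makes a corrupted file indistinguishable from a legitimately empty one for callers; a one-line comment saying that treating the entry as empty, rather than failing the lookup, is deliberate would help, particularly as this backport still takes the size from valid_size because 11a347fb6cef is not merged. Since the warning is emitted on every lookup that reaches the damaged entry, it is also worth confirming that it cannot flood the log on a corrupted image.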
Feedback: The patch(es) which you have sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/14317
Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/Q...