| 1 | +xfs: fix log recovery buffer allocation for the legacy h_size fixup |
| 2 | + |
| 3 | +jira LE-2015 |
| 4 | +cve CVE-2024-39472 |
| 5 | +Rebuild_History Non-Buildable kernel-5.14.0-427.42.1.el9_4 |
| 6 | +commit-author Christoph Hellwig <hch@lst.de> |
| 7 | +commit 45cf976008ddef4a9c9a30310c9b4fb2a9a6602a |
| 8 | +Empty-Commit: Cherry-Pick Conflicts during history rebuild. |
| 9 | +Will be included in final tarball splat. Ref for failed cherry-pick at: |
| 10 | +ciq/ciq_backports/kernel-5.14.0-427.42.1.el9_4/45cf9760.failed |
| 11 | + |
| 12 | +Commit a70f9fe52daa ("xfs: detect and handle invalid iclog size set by |
| 13 | +mkfs") added a fixup for incorrect h_size values used for the initial |
| 14 | +umount record in old xfsprogs versions. Later commit 0c771b99d6c9 |
| 15 | +("xfs: clean up calculation of LR header blocks") cleaned up the log |
| 16 | +reover buffer calculation, but stoped using the fixed up h_size value |
| 17 | +to size the log recovery buffer, which can lead to an out of bounds |
| 18 | +access when the incorrect h_size does not come from the old mkfs |
| 19 | +tool, but a fuzzer. |
| 20 | + |
| 21 | +Fix this by open coding xlog_logrec_hblks and taking the fixed h_size |
| 22 | +into account for this calculation. |
| 23 | + |
| 24 | +Fixes: 0c771b99d6c9 ("xfs: clean up calculation of LR header blocks") |
| 25 | + Reported-by: Sam Sun <samsun1006219@gmail.com> |
| 26 | + Signed-off-by: Christoph Hellwig <hch@lst.de> |
| 27 | + Reviewed-by: Brian Foster <bfoster@redhat.com> |
| 28 | + Reviewed-by: "Darrick J. Wong" <djwong@kernel.org> |
| 29 | + Signed-off-by: Chandan Babu R <chandanbabu@kernel.org> |
| 30 | +(cherry picked from commit 45cf976008ddef4a9c9a30310c9b4fb2a9a6602a) |
| 31 | + Signed-off-by: Jonathan Maple <jmaple@ciq.com> |
| 32 | + |
| 33 | +# Conflicts: |
| 34 | +# fs/xfs/xfs_log_recover.c |
| 35 | +diff --cc fs/xfs/xfs_log_recover.c |
| 36 | +index 82c81d20459d,bb8957927c3c..000000000000 |
| 37 | +--- a/fs/xfs/xfs_log_recover.c |
| 38 | ++++ b/fs/xfs/xfs_log_recover.c |
| 39 | +@@@ -3015,10 -3055,19 +3015,26 @@@ xlog_do_recovery_pass |
| 40 | + if (error) |
| 41 | + goto bread_err1; |
| 42 | + |
| 43 | +++<<<<<<< HEAD |
| 44 | + + hblks = xlog_logrec_hblks(log, rhead); |
| 45 | + + if (hblks != 1) { |
| 46 | + + kmem_free(hbp); |
| 47 | + + hbp = xlog_alloc_buffer(log, hblks); |
| 48 | +++======= |
| 49 | ++ /* |
| 50 | ++ * This open codes xlog_logrec_hblks so that we can reuse the |
| 51 | ++ * fixed up h_size value calculated above. Without that we'd |
| 52 | ++ * still allocate the buffer based on the incorrect on-disk |
| 53 | ++ * size. |
| 54 | ++ */ |
| 55 | ++ if (h_size > XLOG_HEADER_CYCLE_SIZE && |
| 56 | ++ (rhead->h_version & cpu_to_be32(XLOG_VERSION_2))) { |
| 57 | ++ hblks = DIV_ROUND_UP(h_size, XLOG_HEADER_CYCLE_SIZE); |
| 58 | ++ if (hblks > 1) { |
| 59 | ++ kvfree(hbp); |
| 60 | ++ hbp = xlog_alloc_buffer(log, hblks); |
| 61 | ++ } |
| 62 | +++>>>>>>> 45cf976008dd (xfs: fix log recovery buffer allocation for the legacy h_size fixup) |
| 63 | + } |
| 64 | + } else { |
| 65 | + ASSERT(log->l_sectBBsize == 1); |
| 66 | +* Unmerged path fs/xfs/xfs_log_recover.c |