From: Haimin Zhang <tcs_kernel@xxxxxxxxxxx> There is an out-of-bounds bug in the exfat_clear_bitmap function in fs/exfat/balloc.c, because the index into the vol_amap array isn't verified. The function can be called by the __exfat_free_cluster function, and the p_chain->dir variable, which can be controlled by the user, can be large, which will eventually lead to an out-of-bounds read. So we should check the index before entering the function. Signed-off-by: Haimin Zhang <tcs_kernel@xxxxxxxxxxx> Signed-off-by: yanzhiqiang <zhiqiangyan@xxxxxxxxxxx> --- fs/exfat/fatent.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/fs/exfat/fatent.c b/fs/exfat/fatent.c index e949e56..5ce524d 100644 --- a/fs/exfat/fatent.c +++ b/fs/exfat/fatent.c @@ -157,6 +157,7 @@ static int __exfat_free_cluster(struct inode *inode, struct exfat_chain *p_chain struct super_block *sb = inode->i_sb; struct exfat_sb_info *sbi = EXFAT_SB(sb); int cur_cmap_i, next_cmap_i; + int chain_i; unsigned int num_clusters = 0; unsigned int clu; @@ -176,6 +177,13 @@ static int __exfat_free_cluster(struct inode *inode, struct exfat_chain *p_chain return -EIO; } + /* check size */ + chain_i = BITMAP_OFFSET_SECTOR_INDEX(sb, + CLUSTER_TO_BITMAP_ENT(p_chain->size + p_chain->dir)); + if (chain_i > sbi->map_sectors) { + exfat_err(sb, "invalid start size (%u)", p_chain->size); + return -EIO; + } + clu = p_chain->dir; cur_cmap_i = next_cmap_i = -- 1.8.3.1
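Review bot: The bounds check in the second hunk is off by one and can be bypassed by unsigned wraparound, so it does not fully close the out-of-bounds access the commit message describes. `chain_i` is a sector index into `vol_amap`, so an index equal to `sbi->map_sectors` is already past the end; the condition should be `if (chain_i >= sbi->map_sectors)`, or better, validate the last cluster that will actually be touched (`p_chain->dir + p_chain->size - 1`) against the volume's cluster count before converting it to a bitmap sector. Also, `p_chain->size + p_chain->dir` is computed in `unsigned int`; since the commit message states `p_chain->dir` is user controlled, a large value can wrap the sum to a small number that passes the check, so reject the chain when `p_chain->dir > UINT_MAX - p_chain->size` (or compare in a wider type) before doing the addition. Two smaller points: the `exfat_err()` text says "invalid start size" but prints only `p_chain->size`, so log both `p_chain->dir` and `p_chain->size` to make the rejected range visible in the kernel log, and replace the `/* check size */` comment with one that says what is being guarded (the `vol_amap` index used by `exfat_clear_bitmap()`). Finally, since the commit message locates the unchecked index in `exfat_clear_bitmap()` itself, consider putting the range check there (or in `exfat_free_cluster()`), so that any other caller is covered rather than only this path.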