Description
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid potential memory corruption in __update_iostat_latency()

Add iotype sanity check to avoid potential memory corruption.
This is to fix the compile error below:

fs/f2fs/iostat.c:231 __update_iostat_latency() error: buffer overflow 'io_lat->peak_lat[type]' 3 <= 3

vim +228 fs/f2fs/iostat.c

  211  static inline void __update_iostat_latency(struct bio_iostat_ctx *iostat_ctx,
  212                                  enum iostat_lat_type type)
  213  {
  214      unsigned long ts_diff;
  215      unsigned int page_type = iostat_ctx->type;
  216      struct f2fs_sb_info *sbi = iostat_ctx->sbi;
  217      struct iostat_lat_info *io_lat = sbi->iostat_io_lat;
  218      unsigned long flags;
  219
  220      if (!sbi->iostat_enable)
  221          return;
  222
  223      ts_diff = jiffies - iostat_ctx->submit_ts;
  224      if (page_type >= META_FLUSH)
                            ^^^^^^^^^^
  225          page_type = META;
  226
  227      spin_lock_irqsave(&sbi->iostat_lat_lock, flags);
 @228      io_lat->sum_lat[type][page_type] += ts_diff;
                                 ^^^^^^^^^

Mixup between META_FLUSH and NR_PAGE_TYPE leads to memory corruption.
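The index mix-up described above, as an added user-space model (not kernel code and not the upstream patch). It assumes the enum layout shown in the comments and a sum_lat[MAX_IO_TYPE][NR_PAGE_TYPE] array; slot_before, slot_checked and classify are hypothetical names. It computes which cell each (type, page_type) pair reaches instead of performing the write.

```c
#include <stdio.h>
/* Assumed enum layout for this model: the array bound NR_PAGE_TYPE sits
 * directly below META_FLUSH, so one value passes the ">= META_FLUSH" test. */
enum page_type { DATA, NODE, META, NR_PAGE_TYPE, META_FLUSH };
enum iostat_lat_type { READ_IO, WRITE_SYNC_IO, WRITE_ASYNC_IO, MAX_IO_TYPE };
#define LAT_SLOTS (MAX_IO_TYPE * NR_PAGE_TYPE) /* cells in sum_lat[][] */
enum slot_kind { SLOT_OK, SLOT_ALIASED, SLOT_OOB, SLOT_REJECTED };

/* Flat cell index reached by the quoted pre-fix code. */
static int slot_before(unsigned int type, unsigned int page_type)
{
    if (page_type >= META_FLUSH)
        page_type = META;
    return (int)(type * NR_PAGE_TYPE + page_type);
}

/* Hypothetical hardened variant: both indices are checked against the
 * array dimensions; returns -1 when the update must be skipped. */
static int slot_checked(unsigned int type, unsigned int page_type)
{
    if (type >= MAX_IO_TYPE)
        return -1;
    if (page_type == META_FLUSH)
        page_type = META;
    else if (page_type >= NR_PAGE_TYPE)
        return -1;
    return (int)(type * NR_PAGE_TYPE + page_type);
}

/* What a write to that cell means for the row the caller asked for. */
static enum slot_kind classify(int slot, unsigned int type)
{
    if (slot < 0)
        return SLOT_REJECTED;
    if (slot >= LAT_SLOTS)
        return SLOT_OOB;      /* past the end of sum_lat */
    if ((unsigned int)slot / NR_PAGE_TYPE != type)
        return SLOT_ALIASED;  /* silently lands in another row's counter */
    return SLOT_OK;
}

int main(void)
{
    for (unsigned int t = READ_IO; t <= MAX_IO_TYPE; t++)
        for (unsigned int p = DATA; p <= META_FLUSH; p++)
            printf("type=%u page=%u before=%d checked=%d\n", t, p,
                   classify(slot_before(t, p), t), classify(slot_checked(t, p), t));
    return 0;
}
```

In the printed table, kind 1 (SLOT_ALIASED) marks writes that stay inside the array but corrupt a different counter, which a bounds-only sanitizer on the whole object would not flag.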
Product status
a4b6817625e71d5d4aee16cacf7a7fec077c6dbe (git) before aa4d726af72a21732ce120484e0b1240674a13b3
a4b6817625e71d5d4aee16cacf7a7fec077c6dbe (git) before 22ddbbff116ee7dce5431feb1c0f36a507d2d68d
a4b6817625e71d5d4aee16cacf7a7fec077c6dbe (git) before 20b4f3de0f3932f71b4a8daf0671e517a8d98022
a4b6817625e71d5d4aee16cacf7a7fec077c6dbe (git) before 0dbbf0fb38d5ec5d4138d1aeaeb43d9217b9a592
5.15
Any version before 5.15
5.15.100 (semver)
6.1.18 (semver)
6.2.5 (semver)
6.3 (original_commit_for_fix)
References
git.kernel.org/...c/aa4d726af72a21732ce120484e0b1240674a13b3
git.kernel.org/...c/22ddbbff116ee7dce5431feb1c0f36a507d2d68d
git.kernel.org/...c/20b4f3de0f3932f71b4a8daf0671e517a8d98022
git.kernel.org/...c/0dbbf0fb38d5ec5d4138d1aeaeb43d9217b9a592