xfs: fix log recovery buffer allocation for the legacy h_size fixup
[ Upstream commit 45cf976008ddef4a9c9a30310c9b4fb2a9a6602a ]
Note: The upstream commit was adjusted to use kmem_free instead of
kvfree since kmem_free was used in xfs_log_recover.c until commit
49292576136f (xfs: convert kmem_free() for kvmalloc users to
kvfree()), and the remainder of the file still uses kmem_free.
Commit a70f9fe52daa ("xfs: detect and handle invalid iclog size set by
mkfs") added a fixup for incorrect h_size values used for the initial
umount record in old xfsprogs versions. Later commit 0c771b99d6c9
("xfs: clean up calculation of LR header blocks") cleaned up the log
reover buffer calculation, but stoped using the fixed up h_size value
to size the log recovery buffer, which can lead to an out of bounds
access when the incorrect h_size does not come from the old mkfs
tool, but a fuzzer.
Fix this by open coding xlog_logrec_hblks and taking the fixed h_size
into account for this calculation.
BUG=b/352002665
TEST=presubmit, xfstests on stable kernel
RELEASE_NOTE=Fixed CVE-2024-39472 in the linux kernel
cos-patch: security-moderate
Fixes: 0c771b99d6c9 ("xfs: clean up calculation of LR header blocks")
Reported-by: Sam Sun <samsun1006219@gmail.com>
Change-Id: I1fc6411763005d2d199f98ed78bb64983fb0e99a
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/78499
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Oleksandr Tymoshenko <ovt@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
1 file changed
