[PATCH] f2fs-tools: fix heap-buffer-overflow of reading SSA from checkpoint area

Daeho Jeong posted 1 patch 1 month ago
fsck/mount.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Posted by Daeho Jeong 1 month ago
From: Daeho Jeong <daehojeong@google.com>

Reproduction:
truncate -s 512M overflow.img
./out/host/linux-x86/bin/make_f2fs -g android -b 16384 -w 16384 -O packed_ssa overflow.img
mkdir -p empty_dir
export ASAN_OPTIONS=detect_leaks=0:abort_on_error=1
./out/host/linux-x86/bin/sload_f2fs -f empty_dir -t /data overflow.img

Result:
==306082==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7df5201e2500 at pc 0x5567ea010583 bp 0x7ffc3386c210 sp 0x7ffc3386b9d8
READ of size 16384 at 0x7df5201e2500 thread T0

Even though we can reduce the summary block to 4KB, we need to maintain
backward compatibility for the checkpoint area. Therefore, the summary
block there must match the block size, so it is correct to use F2FS_BLKSIZE.

Fixes: ad1357c34023 ("f2fs-tools: revert summary entry count from 2048 to 512 in 16kb block support")
Reported-by: Maxim Pleshivenkov <mpleshivenkov@google.com>
Signed-off-by: Daeho Jeong <daehojeong@google.com>
---
 fsck/mount.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fsck/mount.c b/fsck/mount.c
index 6f640a0..fdf3f02 100644
--- a/fsck/mount.c
+++ b/fsck/mount.c
@@ -2249,7 +2249,7 @@ static int build_curseg(struct f2fs_sb_info *sbi)
 	SM_I(sbi)->curseg_array = array;
 
 	for (i = 0; i < NR_CURSEG_TYPE; i++) {
-		array[i].sum_blk = calloc(F2FS_SUM_BLKSIZE, 1);
+		array[i].sum_blk = calloc(F2FS_BLKSIZE, 1);
 		if (!array[i].sum_blk) {
 			MSG(1, "\tError: Calloc failed for build_curseg!!\n");
 			goto seg_cleanup;
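Review bot: the allocation is resized to F2FS_BLKSIZE, but nothing at the calloc records why the full block size is required here rather than F2FS_SUM_BLKSIZE, and ad1357c34023 shows the summary size has already been changed once; a one-line comment on the allocation, e.g. `/* checkpoint area stores one full block per summary: must be F2FS_BLKSIZE */`, would keep a later cleanup from reintroducing the 16384-byte over-read in the ASAN report. Since only build_curseg is touched, it is also worth confirming that every other buffer a checkpoint-area summary block is read into is sized the same way.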
-- 
2.53.0.473.g4a7958ca14-goog
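The mismatch behind the ASAN report above, shown as an added example that is not part of the patch or of f2fs-tools: a summary read out of the checkpoint area is always one full filesystem block, so a destination buffer sized to the summary payload overflows once the block size is 16 KiB. The constant SUM_BLKSIZE, the struct, and the helper names are assumptions for illustration; the checkpoint area is a constructed in-memory image, and the copy is bounds-checked against the tracked allocation size instead of trusting the caller.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed constant: the 4 KiB summary payload after the entry count was
 * reverted to 512 (ad1357c34023). The real F2FS_SUM_BLKSIZE lives in f2fs-tools. */
#define SUM_BLKSIZE 4096u

struct curseg {
	uint8_t *sum_blk;
	size_t sum_blk_len;	/* bytes actually allocated, so reads can be checked */
};

/* Mirror of the fixed calloc in build_curseg(): the caller passes the size
 * it wants; the point of the patch is that this must be the block size. */
static int curseg_alloc(struct curseg *cs, size_t alloc_len)
{
	cs->sum_blk = calloc(alloc_len, 1);
	if (!cs->sum_blk)
		return -ENOMEM;
	cs->sum_blk_len = alloc_len;
	return 0;
}

/* Copy block 'blk_idx' of the checkpoint area into cs->sum_blk.
 * The checkpoint area stores one full block per summary, so the copy is
 * always 'blksize' bytes; a shorter buffer is refused instead of overrun
 * (an unchecked memcpy here is the 16384-byte READ that ASAN flagged). */
static int read_sum_from_cp(struct curseg *cs, const uint8_t *cp_area,
			    size_t cp_len, size_t blk_idx, size_t blksize)
{
	if (blksize == 0 || blk_idx >= cp_len / blksize)
		return -EINVAL;		/* block lies outside the image */
	if (cs->sum_blk_len < blksize)
		return -EOVERFLOW;	/* destination smaller than one block */
	memcpy(cs->sum_blk, cp_area + blk_idx * blksize, blksize);
	return 0;
}

/* Allocate a summary buffer of 'alloc_len' bytes, then read block 1 of a
 * constructed two-block checkpoint area whose block size is 'blksize'.
 * Returns the number of bytes copied, or a negative errno. */
long sum_read_demo(size_t alloc_len, size_t blksize)
{
	struct curseg cs = { 0 };
	size_t cp_len = 2 * blksize;
	uint8_t *cp_area = malloc(cp_len);
	long ret;
	size_t i;

	if (!cp_area)
		return -ENOMEM;
	/* constructed content: a distinct byte pattern per block */
	for (i = 0; i < cp_len; i++)
		cp_area[i] = (uint8_t)((i / blksize) * 0x40 + (i & 0x3f));

	ret = curseg_alloc(&cs, alloc_len);
	if (ret == 0)
		ret = read_sum_from_cp(&cs, cp_area, cp_len, 1, blksize);
	if (ret == 0) {
		/* verify the copy landed: first and last byte of block 1 */
		if (cs.sum_blk[0] != cp_area[blksize] ||
		    cs.sum_blk[blksize - 1] != cp_area[cp_len - 1])
			ret = -EIO;
		else
			ret = (long)blksize;
	}
	free(cs.sum_blk);
	free(cp_area);
	return ret;
}

int main(void)
{
	/* the reported case: 16 KiB block, payload-sized buffer */
	printf("4 KiB buffer, 16 KiB block: %ld\n",
	       sum_read_demo(SUM_BLKSIZE, 16384));
	/* the fixed case: buffer sized to the block */
	printf("16 KiB buffer, 16 KiB block: %ld\n",
	       sum_read_demo(16384, 16384));
	return 0;
}
```

With a 4 KiB block size both sizes coincide, which is why the undersized allocation only shows up on a 16 KiB image such as the one the reproduction builds with `-b 16384`.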
Re: [f2fs-dev] [PATCH] f2fs-tools: fix heap-buffer-overflow of reading SSA from checkpoint area
Posted by Chao Yu 1 month ago
On 2026/3/4 01:00, Daeho Jeong wrote:
> From: Daeho Jeong <daehojeong@google.com>
> 
> Reproduction:
> truncate -s 512M overflow.img
> ./out/host/linux-x86/bin/make_f2fs -g android -b 16384 -w 16384 -O packed_ssa overflow.img
> mkdir -p empty_dir
> export ASAN_OPTIONS=detect_leaks=0:abort_on_error=1
> ./out/host/linux-x86/bin/sload_f2fs -f empty_dir -t /data overflow.img
> 
> Result:
> ==306082==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7df5201e2500 at pc 0x5567ea010583 bp 0x7ffc3386c210 sp 0x7ffc3386b9d8
> READ of size 16384 at 0x7df5201e2500 thread T0
> 
> Even though we can reduce the summary block to 4KB, we need to maintain
> backward compatibility for the checkpoint area. Therefore, the summary
> block there must match the block size, so it is correct to use F2FS_BLKSIZE.
> 
> Fixes: ad1357c34023 ("f2fs-tools: revert summary entry count from 2048 to 512 in 16kb block support")
> Reported-by: Maxim Pleshivenkov <mpleshivenkov@google.com>
> Signed-off-by: Daeho Jeong <daehojeong@google.com>

Reviewed-by: Chao Yu <chao@kernel.org>

Thanks,