From: Daeho Jeong
To: linux-kernel@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, kernel-team@android.com
Cc: Daeho Jeong, Maxim Pleshivenkov
Subject: [PATCH] f2fs-tools: fix heap-buffer-overflow of reading SSA from checkpoint area
Date: Tue, 3 Mar 2026 09:00:36 -0800
Message-ID: <20260303170036.2242819-1-daeho43@gmail.com>

From: Daeho Jeong

Reproduction:

truncate -s 512M overflow.img
./out/host/linux-x86/bin/make_f2fs -g android -b 16384 -w 16384 -O packed_ssa overflow.img
mkdir -p empty_dir
export ASAN_OPTIONS=detect_leaks=0:abort_on_error=1
./out/host/linux-x86/bin/sload_f2fs -f empty_dir -t /data overflow.img

Result:

==306082==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7df5201e2500 at pc 0x5567ea010583 bp 0x7ffc3386c210 sp 0x7ffc3386b9d8
READ of size 16384 at 0x7df5201e2500 thread T0

Even though we can reduce the summary block to 4KB, we need to maintain
backward compatibility for the checkpoint area. Therefore, the summary
block there must match the block size, so it is correct to use F2FS_BLKSIZE.

Fixes: ad1357c34023 ("f2fs-tools: revert summary entry count from 2048 to 512 in 16kb block support")
Reported-by: Maxim Pleshivenkov
Signed-off-by: Daeho Jeong
Reviewed-by: Chao Yu
---
 fsck/mount.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fsck/mount.c b/fsck/mount.c
index 6f640a0..fdf3f02 100644
--- a/fsck/mount.c
+++ b/fsck/mount.c
@@ -2249,7 +2249,7 @@ static int build_curseg(struct f2fs_sb_info *sbi) SM_I(sbi)->curseg_array =3D array; =20 for (i =3D 0; i < NR_CURSEG_TYPE; i++) { - array[i].sum_blk =3D calloc(F2FS_SUM_BLKSIZE, 1); + array[i].sum_blk =3D calloc(F2FS_BLKSIZE, 1); if (!array[i].sum_blk) { MSG(1, "\tError: Calloc failed for build_curseg!!\n"); goto seg_cleanup; --=20 2.53.0.473.g4a7958ca14-goog
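Review bot: The `calloc(F2FS_BLKSIZE, 1)` in build_curseg needs an inline comment, because nothing at the call site says why this buffer is larger than the reduced summary block size used elsewhere, and the reason only lives in the commit message (the checkpoint-area copy of the summary block stays block-sized for backward compatibility, and the ASAN report shows a 16384-byte READ into the smaller buffer). A one-liner such as `/* CP-area summary blocks are always F2FS_BLKSIZE for compatibility */` above the calloc would keep a later cleanup from shrinking it back to F2FS_SUM_BLKSIZE. It is also worth stating in the description that the checkpoint-area read path is the only consumer of these sum_blk buffers, so a reviewer can confirm no other F2FS_SUM_BLKSIZE-sized allocation is handed to that same read.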
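Added example, not f2fs-tools code: a small C model of the size rule the commit message states (a checkpoint-area summary block is always block-sized), showing why a buffer sized with the reduced summary size cannot receive it and how a length-checked copy refuses the read instead of overrunning the heap. The struct, the function names and the 16384/4096 sizes are assumptions taken from the report's `-b 16384` and "4KB" figures, not f2fs-tools identifiers.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Sizes assumed from the report: -b 16384 block size and a 4KB summary. */
#define BLKSIZE      16384u   /* stands in for F2FS_BLKSIZE */
#define SUM_BLKSIZE   4096u   /* stands in for the reduced F2FS_SUM_BLKSIZE */

/* Hypothetical curseg entry that records how big its buffer really is. */
struct curseg {
    unsigned char *sum_blk;
    size_t sum_blk_len;       /* bytes allocated for sum_blk */
};

/* Copy one summary block from the checkpoint area into cs->sum_blk.
 * A CP-area summary block is always BLKSIZE bytes (the compatibility
 * rule from the commit message), so the copy is refused with -1 instead
 * of overrunning a buffer that was sized with SUM_BLKSIZE. */
int read_cp_summary(struct curseg *cs, const unsigned char *cp_area,
                    size_t cp_len, size_t blk_idx)
{
    size_t off = blk_idx * BLKSIZE;
    if (off > cp_len || cp_len - off < BLKSIZE)            /* source bounds */
        return -1;
    if (cs->sum_blk == NULL || cs->sum_blk_len < BLKSIZE)  /* dest bounds */
        return -1;
    memcpy(cs->sum_blk, cp_area + off, BLKSIZE);
    return 0;
}

/* Try both allocation sizes against a constructed two-block CP area.
 * Returns 1 when the SUM_BLKSIZE buffer is rejected and the BLKSIZE
 * buffer receives the whole block, 0 otherwise. */
int demo(void)
{
    static unsigned char cp_area[2 * BLKSIZE];   /* constructed sample data */
    struct curseg small = { calloc(SUM_BLKSIZE, 1), SUM_BLKSIZE }; /* pre-patch */
    struct curseg full  = { calloc(BLKSIZE, 1), BLKSIZE };         /* post-patch */
    int ok;

    memset(cp_area, 0xA5, sizeof cp_area);
    ok = read_cp_summary(&small, cp_area, sizeof cp_area, 1) == -1
      && read_cp_summary(&full, cp_area, sizeof cp_area, 1) == 0
      && full.sum_blk != NULL && full.sum_blk[BLKSIZE - 1] == 0xA5;
    free(small.sum_blk);
    free(full.sum_blk);
    return ok;
}
```

The real fix simply allocates `F2FS_BLKSIZE` bytes; carrying the capacity alongside the pointer is the extra check that turns a silent overrun into a detectable error.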