Message-ID: <30c688b5783a5779811ce68893b7001390b9e200.camel@decadent.org.uk>
Subject: Re: [PATCH 4.9 37/95] ext4: add validity checks for bitmap block numbers
From: Ben Hutchings
To: Theodore Tso
Cc: stable@vger.kernel.org, Wen Xu, Greg Kroah-Hartman, linux-kernel@vger.kernel.org
Date: Sun, 22 Apr 2018 22:54:23 +0100
In-Reply-To: <20180422135211.941652389@linuxfoundation.org>
References: <20180422135210.432103639@linuxfoundation.org> <20180422135211.941652389@linuxfoundation.org>

On Sun, 2018-04-22 at 15:53 +0200, Greg Kroah-Hartman wrote:
> 4.9-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Theodore Ts'o
>
> commit 7dac4a1726a9c64a517d595c40e95e2d0d135f6f upstream.
>
> A privileged attacker can cause a crash by mounting a crafted ext4
> image which triggers an out-of-bounds read in the function
> ext4_valid_block_bitmap() in fs/ext4/balloc.c.
>
> This issue has been assigned CVE-2018-1093.
>
> BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181
> BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782
> Reported-by: Wen Xu
> Signed-off-by: Theodore Ts'o
> Cc: stable@vger.kernel.org
> Signed-off-by: Greg Kroah-Hartman
>
> ---
>  fs/ext4/balloc.c | 16 ++++++++++++++--
>  fs/ext4/ialloc.c |  7 +++++++
>  2 files changed, 21 insertions(+), 2 deletions(-)
>
> --- a/fs/ext4/balloc.c
> +++ b/fs/ext4/balloc.c
> @@ -337,20 +337,25 @@ static ext4_fsblk_t ext4_valid_block_bit > /* check whether block bitmap block number is set */ > blk =3D ext4_block_bitmap(sb, desc); > offset =3D blk - group_first_block; > - if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) > + if (offset < 0 || EXT4_B2C(sbi, offset) >=3D sb->s_blocksize || > + !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) Isn't sb->s_blocksize a count of bytes? If so, doesn't that mean that we should be comparing with sb->s_blocksize * 8? Ben. > /* bad block bitmap */ > return blk; > =20 > /* check whether the inode bitmap block number is set */ > blk =3D ext4_inode_bitmap(sb, desc); > offset =3D blk - group_first_block; > - if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) > + if (offset < 0 || EXT4_B2C(sbi, offset) >=3D sb->s_blocksize || > + !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) > /* bad block bitmap */ > return blk; > =20 > /* check whether the inode table block number is set */ > blk =3D ext4_inode_table(sb, desc); > offset =3D blk - group_first_block; > + if (offset < 0 || EXT4_B2C(sbi, offset) >=3D sb->s_blocksize || > + EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >=3D sb->s_blocksize) > + return blk; > next_zero_bit =3D ext4_find_next_zero_bit(bh->b_data, > EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group), > EXT4_B2C(sbi, offset)); > @@ -416,6 +421,7 @@ struct buffer_head * > ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block= _group) > { > struct ext4_group_desc *desc; > + struct ext4_sb_info *sbi =3D EXT4_SB(sb); > struct buffer_head *bh; > ext4_fsblk_t bitmap_blk; > int err; 
> @@ -424,6 +430,12 @@ ext4_read_block_bitmap_nowait(struct sup > if (!desc) > return ERR_PTR(-EFSCORRUPTED); > bitmap_blk =3D ext4_block_bitmap(sb, desc); > + if ((bitmap_blk <=3D le32_to_cpu(sbi->s_es->s_first_data_block)) || > + (bitmap_blk >=3D ext4_blocks_count(sbi->s_es))) { > + ext4_error(sb, "Invalid block bitmap block %llu in " > + "block_group %u", bitmap_blk, block_group); > + return ERR_PTR(-EFSCORRUPTED); > + } > bh =3D sb_getblk(sb, bitmap_blk); > if (unlikely(!bh)) { > ext4_error(sb, "Cannot get buffer for block bitmap - " > --- a/fs/ext4/ialloc.c > +++ b/fs/ext4/ialloc.c > @@ -119,6 +119,7 @@ static struct buffer_head * > ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) > { > struct ext4_group_desc *desc; > + struct ext4_sb_info *sbi =3D EXT4_SB(sb); > struct buffer_head *bh =3D NULL; > ext4_fsblk_t bitmap_blk; > int err; 
> @@ -128,6 +129,12 @@ ext4_read_inode_bitmap(struct super_bloc > return ERR_PTR(-EFSCORRUPTED); > =20 > bitmap_blk =3D ext4_inode_bitmap(sb, desc); > + if ((bitmap_blk <=3D le32_to_cpu(sbi->s_es->s_first_data_block)) || > + (bitmap_blk >=3D ext4_blocks_count(sbi->s_es))) { > + ext4_error(sb, "Invalid inode bitmap blk %llu in " > + "block_group %u", bitmap_blk, block_group); > + return ERR_PTR(-EFSCORRUPTED); > + } > bh =3D sb_getblk(sb, bitmap_blk); > if (unlikely(!bh)) { > ext4_error(sb, "Cannot read inode bitmap - "
>
>
-- 
Ben Hutchings
It is easier to write an incorrect program than to understand a correct one.
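Review bot: in the ext4_valid_block_bitmap() hunk (@@ -337,20 +337,25 @@), all three new range checks compare a cluster index, EXT4_B2C(sbi, offset), against sb->s_blocksize, which is a byte count, so the bound is eight times too small: a one-block bitmap holds sb->s_blocksize * 8 bits, and a block bitmap, inode bitmap or inode table that legitimately sits at a cluster offset between s_blocksize and s_blocksize * 8 within its group would now be reported as a bad block bitmap. The bound should be the number of bits the bitmap can hold, i.e. EXT4_CLUSTERS_PER_GROUP(sb) (or sb->s_blocksize * 8), for example `if (offset < 0 || EXT4_B2C(sbi, offset) >= EXT4_CLUSTERS_PER_GROUP(sb) ||`. Two smaller points in the same hunk: the inode table end check `EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize` rejects a table that ends exactly at the last bit, although that value is passed to ext4_find_next_zero_bit() as an exclusive limit and is legal there, so `>` is the comparison wanted once the bound is corrected; and the new line uses sbi->s_itb_per_group while the unchanged line two below still spells it EXT4_SB(sb)->s_itb_per_group, so one of the two should be changed for consistency.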
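Review bot: the range check added in the ext4_read_inode_bitmap() hunk (@@ -128,6 +129,12 @@) is the same six lines added to ext4_read_block_bitmap_nowait() earlier in the patch, differing only in the message text ("Invalid inode bitmap blk" here versus "Invalid block bitmap block" there). A small shared helper taking the block number, the group and a description string would keep the two bounds (s_first_data_block and ext4_blocks_count()) in one place and make the two error messages consistent.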
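The bits-versus-bytes question raised in the reply above, worked through in user space as an added example (this is not kernel code and not part of the patch): a constructed one-block bitmap, the index the unpatched code would hand to ext4_test_bit() with no bound at all, the posted check bounded by s_blocksize, and the same check bounded by s_blocksize * 8. The 4k block size, the group geometry, the absence of bigalloc and the four layouts are assumptions chosen for illustration.

```c
/*
 * Added example, not kernel code: a user-space model of the bitmap-position
 * check discussed in this thread. Block size, group geometry and the layouts
 * below are constructed for a 4k-block filesystem without bigalloc.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BLOCKSIZE      4096L                        /* sb->s_blocksize, in bytes (assumed) */
#define BITS_PER_BYTE  8L
#define BITMAP_BITS    (BLOCKSIZE * BITS_PER_BYTE)  /* bits one bitmap block holds: 32768 */
#define GROUP_FIRST    32768ULL                     /* first block of block group 1 (assumed) */

enum verdict { BITMAP_VALID = 0, BITMAP_REJECT_RANGE = 1, BITMAP_REJECT_UNSET = 2 };

/* Constructed layouts: offset of the bitmap block from the group's first block.
 * 0: 5000 blocks in (legal)        1: 3 blocks before the group (crafted)
 * 2: 40000 blocks in, past the group (crafted)   3: 7000 blocks in, bit not set */
static const long CASE_OFFSETS[4] = { 5000, -3, 40000, 7000 };

/* EXT4_B2C() with no bigalloc: one block is one cluster. Signed, like ext4_grpblk_t. */
static long b2c(long blocks) { return blocks; }

/* offset = blk - group_first_block as the kernel computes it: a 64-bit subtraction
 * truncated to a 32-bit signed ext4_grpblk_t, so a block before the group wraps
 * around to a negative offset. Done portably here. */
static long group_offset(uint64_t bitmap_blk, uint64_t group_first)
{
    uint32_t u = (uint32_t)(bitmap_blk - group_first);
    return u >= 0x80000000u ? (long)u - 0x100000000L : (long)u;
}

/* Bit index the unpatched code would pass to ext4_test_bit() with no bound. */
long unchecked_index(uint64_t bitmap_blk, uint64_t group_first)
{
    return b2c(group_offset(bitmap_blk, group_first));
}

/* ext4_test_bit() stand-in; aborts instead of reading outside the buffer. */
static bool test_bit(long nr, const uint8_t *map, long map_bytes)
{
    if (nr < 0 || nr >= map_bytes * BITS_PER_BYTE)
        abort();                          /* this would be the out-of-bounds read */
    return (map[nr / 8] >> (nr % 8)) & 1u;
}

/* Shape of the patched check, parameterised by the upper bound on the cluster index. */
static enum verdict check_with_bound(uint64_t bitmap_blk, uint64_t group_first,
                                     const uint8_t *map, long bound)
{
    long offset = group_offset(bitmap_blk, group_first);
    if (offset < 0 || b2c(offset) >= bound)
        return BITMAP_REJECT_RANGE;
    if (!test_bit(b2c(offset), map, BLOCKSIZE))
        return BITMAP_REJECT_UNSET;
    return BITMAP_VALID;
}

/* Run one constructed layout through the check. bits_bound selects
 * s_blocksize * 8 (true) or s_blocksize as posted in the patch (false). */
enum verdict run_case(int which, bool bits_bound)
{
    long off = CASE_OFFSETS[which];
    uint64_t bitmap_blk = GROUP_FIRST + (uint64_t)off;   /* wraps below GROUP_FIRST for -3 */
    uint8_t *map = calloc(BLOCKSIZE, 1);                 /* constructed bitmap block */
    enum verdict v;

    if (!map)
        abort();
    /* Mark the bitmap's own block as in use, except in case 3, where it is left clear. */
    if (which != 3 && off >= 0 && off < BITMAP_BITS)
        map[off / 8] |= (uint8_t)(1u << (off % 8));
    v = check_with_bound(bitmap_blk, GROUP_FIRST, map, bits_bound ? BITMAP_BITS : BLOCKSIZE);
    free(map);
    return v;
}

int main(void)
{
    static const char *names[] = { "valid", "reject-range", "reject-unset" };
    for (int which = 0; which < 4; which++) {
        uint64_t blk = GROUP_FIRST + (uint64_t)CASE_OFFSETS[which];
        printf("case %d: unchecked bit index %ld, bound=s_blocksize -> %s, bound=s_blocksize*8 -> %s\n",
               which, unchecked_index(blk, GROUP_FIRST),
               names[run_case(which, false)], names[run_case(which, true)]);
    }
    return 0;
}
```

Case 0 is the interesting one: a bitmap 5000 blocks into a 32768-block group is a perfectly good layout, the bits bound accepts it, and the byte bound rejects it as corruption. Cases 1 and 2 are the crafted images the patch targets; without any bound the unchecked index is -3 and 40000, both outside a 4096-byte buffer, and either bound rejects them.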