Received: by 10.192.165.148 with SMTP id m20csp2767162imm;
        Sun, 22 Apr 2018 14:57:22 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/HfD393AvUIpoAlPKNKNW9SGXEw6yDbx3/tLE3rxogRvflyzzOIYm6C7ONjXrrAVuhx3xY
X-Received: by 2002:a17:902:d685:: with SMTP id v5-v6mr18277822ply.284.1524434242167;
        Sun, 22 Apr 2018 14:57:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524434242; cv=none;
        d=google.com; s=arc-20160816;
        b=cqGSwlVBUgll2OKvYEdcSA6dabR5/OK5kvkx25Q7wTLyAkzxvMhhexQCPExdhRKOLN
         f6EZ2qzA6LD4+O9aTDZ0MazV68q8PWvVFWSBccfZR65q63t4NfYGEQMEL3RnT5PEMsq8
         FJRZJA7IbL9c7IKfs2UrzIAjmDAP3j8sPbmg5TXLPgpTalxkEJNxXQG8yvH90L3UvrVb
         Bl4ez6Xf8gqGX2a2L8J96PprmlUPrbd+5xcpfV8HePSZmjwAnkUvx9lGuEeN9oGdBJBn
         1eAZPbKLH4yY6n0ICwDeEMLxzxGjIDXeoR05fZQXznSd4kOVibhEwmB1axMrVhil+N5N
         EtKg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:references:in-reply-to:date
         :cc:to:from:subject:message-id:arc-authentication-results;
        bh=8zZ8mfdSdYLAEE06ulqj7b2cHbn5pbSGkOskOuHog+M=;
        b=Nq77SZSoEpoXyxlotf+gDDyzLac1sk9liHOZQlcqxpCnSEEfrEuE45vg6U8k0YMX/f
         MBeKUjvCyr0rSe+0KMLDfNw0Vfe18w88IXETW+uwJ/fZvTc1/kuvg45PZfPJOlVJm4Ij
         dHHNu8cV8hfn6QVZlRlFYzkl3MReCUgdheFqZPz4vGv8sR7+Xx+YqksJUJE1gZ2GKMI8
         pve50aCHUpAehqXMNlVGszFiBi+iPkHcGcRYK2CFejlW2viCtFaWwnR80oTDnaUET+QM
         1YtnYKaTcdTgWF6xiEPbnngCIxHvw9rlXxpQogm2DNESgglyhNMfllhllnZKvD3LFgQX
         7Mhw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w9si9927197pfl.268.2018.04.22.14.57.07;
        Sun, 22 Apr 2018 14:57:22 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753814AbeDVVyo (ORCPT <rfc822;lunatang2017@gmail.com>
        + 99 others); Sun, 22 Apr 2018 17:54:44 -0400
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:45451 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1753763AbeDVVyn (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 22 Apr 2018 17:54:43 -0400
Received: from [2a02:8011:400e:2:6f00:88c8:c921:d332] (helo=deadeye)
        by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.84_2)
        (envelope-from <ben@decadent.org.uk>)
        id 1fAMwQ-0004IF-6u; Sun, 22 Apr 2018 22:54:38 +0100
Received: from ben by deadeye with local (Exim 4.90_1)
        (envelope-from <ben@decadent.org.uk>)
        id 1fAMwL-0001jQ-1n; Sun, 22 Apr 2018 22:54:33 +0100
Message-ID: <30c688b5783a5779811ce68893b7001390b9e200.camel@decadent.org.uk>
Subject: Re: [PATCH 4.9 37/95] ext4: add validity checks for bitmap block
 numbers
From:   Ben Hutchings <ben@decadent.org.uk>
To:     Theodore Tso <tytso@mit.edu>
Cc:     stable@vger.kernel.org, Wen Xu <wen.xu@gatech.edu>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        linux-kernel@vger.kernel.org
Date:   Sun, 22 Apr 2018 22:54:23 +0100
In-Reply-To: <20180422135211.941652389@linuxfoundation.org>
References: <20180422135210.432103639@linuxfoundation.org>
         <20180422135211.941652389@linuxfoundation.org>
Content-Type: multipart/signed; micalg="pgp-sha512";
        protocol="application/pgp-signature"; boundary="=-tTaGDR+1NBH26+EczC03"
X-Mailer: Evolution 3.28.1-2 
Mime-Version: 1.0
X-SA-Exim-Connect-IP: 2a02:8011:400e:2:6f00:88c8:c921:d332
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


--=-tTaGDR+1NBH26+EczC03
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Sun, 2018-04-22 at 15:53 +0200, Greg Kroah-Hartman wrote:
> 4.9-stable review patch.  If anyone has any objections, please let me kno=
w.
>=20
> ------------------
>=20
> From: Theodore Ts'o <tytso@mit.edu>
>=20
> commit 7dac4a1726a9c64a517d595c40e95e2d0d135f6f upstream.
>=20
> An privileged attacker can cause a crash by mounting a crafted ext4
> image which triggers a out-of-bounds read in the function
> ext4_valid_block_bitmap() in fs/ext4/balloc.c.
>=20
> This issue has been assigned CVE-2018-1093.
>=20
> BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=3D199181
> BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=3D1560782
> Reported-by: Wen Xu <wen.xu@gatech.edu>
> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> Cc: stable@vger.kernel.org
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>=20
> ---
>  fs/ext4/balloc.c |   16 ++++++++++++++--
>  fs/ext4/ialloc.c |    7 +++++++
>  2 files changed, 21 insertions(+), 2 deletions(-)
>=20
> --- a/fs/ext4/balloc.c
> +++ b/fs/ext4/balloc.c
> @@ -337,20 +337,25 @@ static ext4_fsblk_t ext4_valid_block_bit
>  	/* check whether block bitmap block number is set */
>  	blk =3D ext4_block_bitmap(sb, desc);
>  	offset =3D blk - group_first_block;
> -	if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
> +	if (offset < 0 || EXT4_B2C(sbi, offset) >=3D sb->s_blocksize ||
> +	    !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))

Isn't sb->s_blocksize a count of bytes?  If so, doesn't that mean that
we should be comparing with sb->s_blocksize * 8?

Ben.

>  		/* bad block bitmap */
>  		return blk;
> =20
>  	/* check whether the inode bitmap block number is set */
>  	blk =3D ext4_inode_bitmap(sb, desc);
>  	offset =3D blk - group_first_block;
> -	if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
> +	if (offset < 0 || EXT4_B2C(sbi, offset) >=3D sb->s_blocksize ||
> +	    !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
>  		/* bad block bitmap */
>  		return blk;
> =20
>  	/* check whether the inode table block number is set */
>  	blk =3D ext4_inode_table(sb, desc);
>  	offset =3D blk - group_first_block;
> +	if (offset < 0 || EXT4_B2C(sbi, offset) >=3D sb->s_blocksize ||
> +	    EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >=3D sb->s_blocksize)
> +		return blk;
>  	next_zero_bit =3D ext4_find_next_zero_bit(bh->b_data,
>  			EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group),
>  			EXT4_B2C(sbi, offset));
> @@ -416,6 +421,7 @@ struct buffer_head *
>  ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block=
_group)
>  {
>  	struct ext4_group_desc *desc;
> +	struct ext4_sb_info *sbi =3D EXT4_SB(sb);
>  	struct buffer_head *bh;
>  	ext4_fsblk_t bitmap_blk;
>  	int err;
> @@ -424,6 +430,12 @@ ext4_read_block_bitmap_nowait(struct sup
>  	if (!desc)
>  		return ERR_PTR(-EFSCORRUPTED);
>  	bitmap_blk =3D ext4_block_bitmap(sb, desc);
> +	if ((bitmap_blk <=3D le32_to_cpu(sbi->s_es->s_first_data_block)) ||
> +	    (bitmap_blk >=3D ext4_blocks_count(sbi->s_es))) {
> +		ext4_error(sb, "Invalid block bitmap block %llu in "
> +			   "block_group %u", bitmap_blk, block_group);
> +		return ERR_PTR(-EFSCORRUPTED);
> +	}
>  	bh =3D sb_getblk(sb, bitmap_blk);
>  	if (unlikely(!bh)) {
>  		ext4_error(sb, "Cannot get buffer for block bitmap - "
> --- a/fs/ext4/ialloc.c
> +++ b/fs/ext4/ialloc.c
> @@ -119,6 +119,7 @@ static struct buffer_head *
>  ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
>  {
>  	struct ext4_group_desc *desc;
> +	struct ext4_sb_info *sbi =3D EXT4_SB(sb);
>  	struct buffer_head *bh =3D NULL;
>  	ext4_fsblk_t bitmap_blk;
>  	int err;
> @@ -128,6 +129,12 @@ ext4_read_inode_bitmap(struct super_bloc
>  		return ERR_PTR(-EFSCORRUPTED);
> =20
>  	bitmap_blk =3D ext4_inode_bitmap(sb, desc);
> +	if ((bitmap_blk <=3D le32_to_cpu(sbi->s_es->s_first_data_block)) ||
> +	    (bitmap_blk >=3D ext4_blocks_count(sbi->s_es))) {
> +		ext4_error(sb, "Invalid inode bitmap blk %llu in "
> +			   "block_group %u", bitmap_blk, block_group);
> +		return ERR_PTR(-EFSCORRUPTED);
> +	}
>  	bh =3D sb_getblk(sb, bitmap_blk);
>  	if (unlikely(!bh)) {
>  		ext4_error(sb, "Cannot read inode bitmap - "
>=20
>=20
--=20
Ben Hutchings
It is easier to write an incorrect program
than to understand a correct one.


--=-tTaGDR+1NBH26+EczC03
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAlrdBI8ACgkQ57/I7JWG
EQkTnw/+IOk4m59TAT0FvTi4EUhRy/kbdAhPNR2C0Nxa7/T4BYdm9qD+XY/het4p
Yo1FJOI0AZ22jmkcGpxjaENalIEECIr8wciYom081PUB6/k1EvLcEJkAdhDrVmKY
eulX4jb39nYfVNFpja3TgZ/2Cp5bxk3O47fUT97r4h63lhbQXqDN+WVIowLIHCTX
wOicovDODOM4VvyF0iQ4d5NpImLa/1LFUKKRR9Be4q8DgSc+wjMfQO8h8FUfPMbl
vlwbeCZOXWZeVyQ0qE0anuuT3jB1VPkAdo9wUy7y3JFeCvkzJYJ77/NierAEh3eV
/XX9LZmwWXtBU0OV2MDZJpbMpCbcAKu8df+e1LFfa/x2HFYQTRS2MnCiUviCAFd3
VyUnzlkhwvKXVoCpsWumnt+6BfzSirIYskk6JJfl5yjtM+MLyrAc5o3qlnssqKDy
cocZ/Aq01K9X1lVGhcWfm2V4qLkrBxQFFe1MPBNRid2NSNByWR6BqQoXDmdakelf
JlMfoNNrcCqLX0CGZbbl83cpIMVkzUduNgwq93yKWD++Q0qiUBb8NAR3U2f2KGob
X61iwI4KgazwKNcvMjiO9d7bgs1+E4t7lBa2eHaOa7QPw0W0WRABvMPagiXVRrkX
RB75GQiXOjTeOHCl5rsu4ticG5Imkk+5k4I8pM+ZBLb97qhvyHk=
=EwUi
-----END PGP SIGNATURE-----

--=-tTaGDR+1NBH26+EczC03--