Received: by 10.192.165.148 with SMTP id m20csp4198885imm; Mon, 30 Apr 2018 13:41:55 -0700 (PDT) X-Google-Smtp-Source: AB8JxZrN107X2VOd7gNwEbTRFKQ3DSHb/Cjuv4Rt2QF93HEqmnvj+AIhShfCzqvgpoIJVD7R/4px X-Received: by 2002:a63:bd1a:: with SMTP id a26-v6mr11190518pgf.157.1525120915081; Mon, 30 Apr 2018 13:41:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525120915; cv=none; d=google.com; s=arc-20160816; b=pQlPnuUZCRLquxYDfUknuBrO/PqFJO4GRFyQ1TBY2dBBpOVZxRci7xztfmmoGMorwA iAqj+1io+DAMgki2V6gSu+Brolek4UwW9MEsKjVLEFrrwT5oyErCs6ODuj8vfkdKNoDy l30mJw/k8GlLFCd0YDj+J6TYj2xygcj4GL1d60Z2/WyDt+5VfVjuJvyH5TrY7IU4QCQq kbYwpOFUcCJzA15Vf+/KU1AKicHefXN4jb9liHlwAoiiC0Vq3p8X2H/HVUjZmqOT46EB 3jhtfzqqEzZtJ2htZCZls61ZRRq2NGAOFzr3F9tch9EMTyve3MBDr9XaXvqBI57Q7oI/ MH0A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dmarc-filter :arc-authentication-results; bh=/KZuBvmDa72KQ5ID4N6xtMKGD2pfqQvS7FaBMWKWLhE=; b=T0+5kHeNR3gN2K9jHdTgE/W6Tca9eKWUaJQvt1tfPwE18lGtbF4GGzC/ae7ZHa840g D/NbIbIo0uu3br/jriMb4PkDkHnkkJU+0Tl1htaD7FaJ/lG3YaACtphqNQTUG/B9i2y7 kRCwoZDcBxClR5xL354xPQuBuVUHWP1bfJ271O39Lix/W3SIbxHopiuYPka9o19W4A/z LFd+IdUuxJI79NJG1IKKOAnYst01P+SrkN7zXrEzbNRogMS/x7rRiXiBvZS4S5SiORSM ZBv2sqp0ZZq4+NSMHwCQo204jDEinI1rxQMxuhXui5ax2WBQx8jlwfQG/uQlWaHM5K+l f+cQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m4-v6si8337570pll.438.2018.04.30.13.41.41; Mon, 30 Apr 2018 13:41:55 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755418AbeD3Ulb (ORCPT + 99 others); Mon, 30 Apr 2018 16:41:31 -0400 Received: from mail.kernel.org ([198.145.29.99]:57520 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755142AbeD3TX5 (ORCPT ); Mon, 30 Apr 2018 15:23:57 -0400 Received: from localhost (unknown [104.132.1.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 4A9DC22DA3; Mon, 30 Apr 2018 19:23:57 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4A9DC22DA3 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linuxfoundation.org Authentication-Results: mail.kernel.org; spf=fail smtp.mailfrom=gregkh@linuxfoundation.org From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Wen Xu , Theodore Tso , Harsh Shandilya Subject: [PATCH 3.18 02/25] ext4: add validity checks for bitmap block numbers Date: Mon, 30 Apr 2018 12:23:09 -0700 Message-Id: <20180430183910.898507174@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180430183910.801976983@linuxfoundation.org> References: <20180430183910.801976983@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Theodore Ts'o commit 7dac4a1726a9c64a517d595c40e95e2d0d135f6f upstream. An privileged attacker can cause a crash by mounting a crafted ext4 image which triggers a out-of-bounds read in the function ext4_valid_block_bitmap() in fs/ext4/balloc.c. This issue has been assigned CVE-2018-1093. Backport notes: 3.18.y is missing commit 6a797d273783 ("ext4: call out CRC and corruption errors with specific error codes") so the EFSCORRUPTED label doesn't exist. Replaced all instances of EFSCORRUPTED with EUCLEAN since that's what 6a797d273783 defined it as. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181 BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782 Reported-by: Wen Xu Signed-off-by: Theodore Ts'o Cc: stable@vger.kernel.org [harsh@prjkt.io: s/EFSCORRUPTED/EUCLEAN/ fs/ext4/balloc.c] Signed-off-by: Harsh Shandilya Signed-off-by: Greg Kroah-Hartman --- fs/ext4/balloc.c | 16 ++++++++++++++-- fs/ext4/ialloc.c | 8 +++++++- 2 files changed, 21 insertions(+), 3 deletions(-) --- a/fs/ext4/balloc.c +++ b/fs/ext4/balloc.c @@ -338,20 +338,25 @@ static ext4_fsblk_t ext4_valid_block_bit /* check whether block bitmap block number is set */ blk = ext4_block_bitmap(sb, desc); offset = blk - group_first_block; - if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) + if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize || + !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) /* bad block bitmap */ return blk; /* check whether the inode bitmap block number is set */ blk = ext4_inode_bitmap(sb, desc); offset = blk - group_first_block; - if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) + if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize || + !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) /* bad block bitmap */ return blk; /* check whether the inode table block number is set */ blk = ext4_inode_table(sb, desc); offset = blk - group_first_block; + if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize || + EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize) + return blk; next_zero_bit = ext4_find_next_zero_bit(bh->b_data, EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group), EXT4_B2C(sbi, offset)); @@ -414,6 +419,7 @@ struct buffer_head * ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group) { struct ext4_group_desc *desc; + struct ext4_sb_info *sbi = EXT4_SB(sb); struct buffer_head *bh; ext4_fsblk_t bitmap_blk; @@ -421,6 +427,12 @@ ext4_read_block_bitmap_nowait(struct sup if (!desc) return NULL; bitmap_blk = ext4_block_bitmap(sb, desc); + if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) || + (bitmap_blk >= ext4_blocks_count(sbi->s_es))) { + ext4_error(sb, "Invalid block bitmap block %llu in " + "block_group %u", bitmap_blk, block_group); + return ERR_PTR(-EUCLEAN); + } bh = sb_getblk(sb, bitmap_blk); if (unlikely(!bh)) { ext4_error(sb, "Cannot get buffer for block bitmap - " --- a/fs/ext4/ialloc.c +++ b/fs/ext4/ialloc.c @@ -84,16 +84,22 @@ static struct buffer_head * ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) { struct ext4_group_desc *desc; + struct ext4_sb_info *sbi = EXT4_SB(sb); struct buffer_head *bh = NULL; ext4_fsblk_t bitmap_blk; struct ext4_group_info *grp; - struct ext4_sb_info *sbi = EXT4_SB(sb); desc = ext4_get_group_desc(sb, block_group, NULL); if (!desc) return NULL; bitmap_blk = ext4_inode_bitmap(sb, desc); + if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) || + (bitmap_blk >= ext4_blocks_count(sbi->s_es))) { + ext4_error(sb, "Invalid inode bitmap blk %llu in " + "block_group %u", bitmap_blk, block_group); + return ERR_PTR(-EUCLEAN); + } bh = sb_getblk(sb, bitmap_blk); if (unlikely(!bh)) { ext4_error(sb, "Cannot read inode bitmap - "