From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Theodore Ts'o", "Wen Xu"
Date: Thu, 07 Jun 2018 15:05:21 +0100
Subject: [PATCH 3.16 018/410] ext4: fail ext4_iget for root directory if unallocated

3.16.57-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o

commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 upstream.

If the root directory has an i_links_count of zero, then when the file system is mounted, then when ext4_fill_super() notices the problem and tries to call iput() the root directory in the error return path, ext4_evict_inode() will try to free the inode on disk, before all of the file system structures are set up, and this will result in an OOPS caused by a NULL pointer dereference.

This issue has been assigned CVE-2018-1092.

https://bugzilla.kernel.org/show_bug.cgi?id=199179
https://bugzilla.redhat.com/show_bug.cgi?id=1560777

Reported-by: Wen Xu
Signed-off-by: Theodore Ts'o
[bwh: Backported to 3.16: use EIO instead of EFSCORRUPTED]
Signed-off-by: Ben Hutchings
--- fs/ext4/inode.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -4198,6 +4198,12 @@ struct inode *ext4_iget(struct super_blo goto bad_inode; raw_inode = ext4_raw_inode(&iloc); + if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) { + EXT4_ERROR_INODE(inode, "root inode unallocated"); + ret = -EIO; + goto bad_inode; + } + if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize); if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
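
Review bot: the added `goto bad_inode` in the new block right after `raw_inode = ext4_raw_inode(&iloc);` is taken once `iloc` has already been used to reach the raw inode, and the hunk does not show the `bad_inode` label, so it is worth confirming against the 3.16 tree that this path releases what `iloc` holds and leaves the inode in a state where dropping it does not reach the on-disk free that the commit message describes. A smaller point on the same condition: `raw_inode->i_links_count == 0` reads the on-disk field directly, while the unchanged context below converts `i_extra_isize` with `le16_to_cpu()`. The comparison is correct only because zero is identical in either byte order, and a one-line comment saying so would keep a later edit from copying the pattern with a non-zero constant. The switch to `-EIO` is explained by the `[bwh: ...]` line, so nothing further is needed there.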