From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Theodore Tso, stable@kernel.org
Subject: [PATCH 4.9 29/52] ext4: only look at the bg_flags field if it is valid
Date: Tue, 10 Jul 2018 20:24:57 +0200
Message-Id: <20180710182452.105166979@linuxfoundation.org>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <20180710182449.285532226@linuxfoundation.org>
References: <20180710182449.285532226@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch. If anyone has any objections, please let me know.

------------------
From: Theodore Ts'o

commit 8844618d8aa7a9973e7b527d038a2a589665002c upstream.

The bg_flags field in the block group descriptors is only valid if the
uninit_bg or metadata_csum feature is enabled. We were not consistently
looking at this field; fix this.

Also block group #0 must never have uninitialized allocation bitmaps, or
need to be zeroed, since that's where the root inode, and other special
inodes are set up. Check for these conditions and mark the file system
as corrupted if they are detected.

This addresses CVE-2018-10876.

https://bugzilla.kernel.org/show_bug.cgi?id=199403

Signed-off-by: Theodore Ts'o
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman

---
 fs/ext4/balloc.c  | 11 ++++++++++-
 fs/ext4/ialloc.c  | 14 ++++++++++++--
 fs/ext4/mballoc.c |  6 ++++--
 fs/ext4/super.c   | 11 ++++++++++-
 4 files changed, 36 insertions(+), 6 deletions(-)

--- a/fs/ext4/balloc.c +++ b/fs/ext4/balloc.c @@ -450,7 +450,16 @@ ext4_read_block_bitmap_nowait(struct sup goto verify; } ext4_lock_group(sb, block_group); - if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { + if (ext4_has_group_desc_csum(sb) && + (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { + if (block_group == 0) { + ext4_unlock_group(sb, block_group); + unlock_buffer(bh); + ext4_error(sb, "Block bitmap for bg 0 marked " + "uninitialized"); + err = -EFSCORRUPTED; + goto out; + } err = ext4_init_block_bitmap(sb, bh, block_group, desc); set_bitmap_uptodate(bh); set_buffer_uptodate(bh); --- a/fs/ext4/ialloc.c +++ b/fs/ext4/ialloc.c
@@ -152,7 +152,16 @@ ext4_read_inode_bitmap(struct super_bloc } ext4_lock_group(sb, block_group); - if (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT)) { + if (ext4_has_group_desc_csum(sb) && + (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT))) { + if (block_group == 0) { + ext4_unlock_group(sb, block_group); + unlock_buffer(bh); + ext4_error(sb, "Inode bitmap for bg 0 marked " + "uninitialized"); + err = -EFSCORRUPTED; + goto out; + } memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8); ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), sb->s_blocksize * 8, bh->b_data); @@ -926,7 +935,8 @@ got: /* recheck and clear flag under lock if we still need to */ ext4_lock_group(sb, group); - if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { + if (ext4_has_group_desc_csum(sb) && + (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT); ext4_free_group_clusters_set(sb, gdp, ext4_free_clusters_after_init(sb, group, gdp)); --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -2444,7 +2444,8 @@ int ext4_mb_add_groupinfo(struct super_b * initialize bb_free to be able to skip * empty groups without initialization */ - if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { + if (ext4_has_group_desc_csum(sb) && + (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { meta_group_info[i]->bb_free = ext4_free_clusters_after_init(sb, group, desc); } else { @@ -2969,7 +2970,8 @@ ext4_mb_mark_diskspace_used(struct ext4_ #endif ext4_set_bits(bitmap_bh->b_data, ac->ac_b_ex.fe_start, ac->ac_b_ex.fe_len); - if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { + if (ext4_has_group_desc_csum(sb) && + (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT); ext4_free_group_clusters_set(sb, gdp, ext4_free_clusters_after_init(sb, --- a/fs/ext4/super.c +++ b/fs/ext4/super.c 
@@ -3023,13 +3023,22 @@ static ext4_group_t ext4_has_uninit_itab ext4_group_t group, ngroups = EXT4_SB(sb)->s_groups_count; struct ext4_group_desc *gdp = NULL; + if (!ext4_has_group_desc_csum(sb)) + return ngroups; + for (group = 0; group < ngroups; group++) { gdp = ext4_get_group_desc(sb, group, NULL); if (!gdp) continue; - if (!(gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED))) + if (gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED)) + continue; + if (group != 0) break; + ext4_error(sb, "Inode table for bg 0 marked as " + "needing zeroing"); + if (sb->s_flags & MS_RDONLY) + return ngroups; } return group;
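Review bot: in the balloc.c hunk (ext4_read_block_bitmap_nowait), the added `ext4_has_group_desc_csum(sb) &&` guard is a behaviour change beyond the bg 0 check that the commit message does not spell out: on a filesystem without uninit_bg/metadata_csum, a stale EXT4_BG_BLOCK_UNINIT bit in the descriptor no longer causes ext4_init_block_bitmap() to overwrite the in-memory bitmap, and the on-disk bitmap is used as-is. That is the correct reading of the on-disk format and deserves one sentence in the log. The new bg 0 error path itself is consistent with the existing failure path two lines below it (group unlocked, buffer unlocked, `err` set, `goto out`), so nothing is leaked if `out:` does the usual put_bh()/ERR_PTR(err) as the existing `goto out` already assumes.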
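Review bot: in the first ialloc.c hunk (ext4_read_inode_bitmap), the bg 0 check is placed before the memset() that zeroes the in-memory inode bitmap, which is the right order: a forged EXT4_BG_INODE_UNINIT on group 0 would otherwise clear the bits for the reserved inodes (the root inode among them) in the very buffer later lookups in that group read. The `goto out` relies on an `out:` label that is not in the context shown; please confirm it releases `bh` and returns ERR_PTR(err) as the balloc.c path does, since `bh` is held locked up to the new unlock_buffer() call.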
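Review bot: the second ialloc.c hunk (the recheck under ext4_lock_group() at `got:`) gains only the ext4_has_group_desc_csum() guard and no `group == 0` test, unlike the two bitmap-read hunks. That is fine, because this site clears the flag after the bitmap has already been read and initialised, but a one-line comment saying that a bg 0 carrying EXT4_BG_BLOCK_UNINIT is rejected earlier by ext4_read_block_bitmap_nowait() (balloc.c hunk) would make the asymmetry read as deliberate rather than as a missed case.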
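Review bot: in the ext4_mb_add_groupinfo() hunk, the `else` branch now also covers a non-csum filesystem whose descriptor carries a stale EXT4_BG_BLOCK_UNINIT bit, so bb_free for such a group is no longer the ext4_free_clusters_after_init() value but whatever the descriptor's free count says. That is the intended semantics (the flag is meaningless without the feature), but it changes allocator accounting on old filesystems, not just corruption detection, and should be mentioned in the commit message alongside the bg 0 checks.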
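Review bot: the ext4_mb_mark_diskspace_used() hunk is consistent with the other three guarded sites, but note that on a non-csum filesystem it now leaves a stale EXT4_BG_BLOCK_UNINIT bit in place instead of clearing it and recomputing the free count as the old code did. Since every reader in this patch ignores the bit in that configuration the stale value is harmless; a comment at one of the sites, or a sentence in the log, stating the invariant "bg_flags is neither consulted nor cleared when ext4_has_group_desc_csum() is false" would document it for the next person touching bg_flags.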
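Review bot: in the super.c hunk (ext4_has_uninit_itable), the group 0 case on a read-write mount falls off the end of the loop body after ext4_error() and the `MS_RDONLY` test, so the scan silently continues from group 1 and may still hand a later group to the lazy-init thread while group 0 is never zeroed. That matches the intent, but the fall-through is implicit and reads like a missing `break`; an explicit `continue;` after the `if (sb->s_flags & MS_RDONLY) return ngroups;` line, or a short comment, would make it deliberate. The early `return ngroups;` for the no-csum case reuses the value the loop already produces when every group has EXT4_BG_INODE_ZEROED set, so callers need no change.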
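The two rules the commit message states (bg_flags is only meaningful when uninit_bg or metadata_csum is set, and block group 0 must never be marked uninitialized or not-yet-zeroed) are easy to check from userspace against a raw image, which is handy when triaging an untrusted filesystem before mounting it. The program below is an added example written for this review, not code from the patch or from the kernel. The on-disk offsets and bit values it uses are the ext4 layout (s_feature_ro_compat is the le32 at superblock offset 0x64; bg_flags is the le16 at descriptor offset 0x12; EXT4_FEATURE_RO_COMPAT_GDT_CSUM is 0x0010, EXT4_FEATURE_RO_COMPAT_METADATA_CSUM is 0x0400; EXT4_BG_INODE_UNINIT, EXT4_BG_BLOCK_UNINIT and EXT4_BG_INODE_ZEROED are 0x1, 0x2 and 0x4). The function and enum names, and the sample superblock and descriptor bytes, are constructed for the example and not taken from any real image.

```c
/* Userspace model of the bg_flags validation added by the patch.
 * Added example for this review; not kernel code. Build: cc -std=c99 -Wall bg_check.c */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* s_feature_ro_compat bits (le32 at offset 0x64 of the 1024-byte superblock). */
#define RO_COMPAT_GDT_CSUM      0x0010u   /* uninit_bg */
#define RO_COMPAT_METADATA_CSUM 0x0400u   /* metadata_csum */
#define SB_RO_COMPAT_OFF        0x64

/* bg_flags bits (le16 at offset 0x12 of every group descriptor). */
#define BG_INODE_UNINIT 0x0001u
#define BG_BLOCK_UNINIT 0x0002u
#define BG_INODE_ZEROED 0x0004u
#define GD_FLAGS_OFF    0x12

/* Verdict names are this example's own; values above BG_OK are corruption. */
enum bg_verdict {
    BG_FLAGS_IGNORED = 0,       /* no csum feature: flags must not be consulted */
    BG_OK,
    BG0_BLOCK_UNINIT_CORRUPT,   /* bg 0 claims an uninitialised block bitmap */
    BG0_INODE_UNINIT_CORRUPT,   /* bg 0 claims an uninitialised inode bitmap */
    BG0_NEEDS_ZEROING_CORRUPT   /* bg 0 inode table not marked zeroed */
};

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Same test as the kernel's ext4_has_group_desc_csum(): either feature makes bg_flags valid. */
int has_group_desc_csum(uint32_t ro_compat)
{
    return (ro_compat & (RO_COMPAT_GDT_CSUM | RO_COMPAT_METADATA_CSUM)) != 0;
}

/* Classify one descriptor the way the patched kernel does: ignore the flags
 * without the csum feature, and never accept an uninitialised or not-yet-zeroed
 * group 0, because that is where the root and other reserved inodes live. */
enum bg_verdict check_group_desc(uint32_t ro_compat, uint32_t group, uint16_t bg_flags)
{
    if (!has_group_desc_csum(ro_compat))
        return BG_FLAGS_IGNORED;
    if (group == 0) {
        if (bg_flags & BG_BLOCK_UNINIT)
            return BG0_BLOCK_UNINIT_CORRUPT;
        if (bg_flags & BG_INODE_UNINIT)
            return BG0_INODE_UNINIT_CORRUPT;
        if (!(bg_flags & BG_INODE_ZEROED))
            return BG0_NEEDS_ZEROING_CORRUPT;
    }
    return BG_OK;
}

/* Parse the two on-disk fields for one group and classify it.
 * desc_size is 32, or 64 with the 64bit feature; bg_flags sits at the same offset in both. */
enum bg_verdict group_verdict(const uint8_t *sb, const uint8_t *gdt, size_t desc_size, uint32_t group)
{
    uint32_t ro_compat = rd_le32(sb + SB_RO_COMPAT_OFF);
    uint16_t flags = rd_le16(gdt + (size_t)group * desc_size + GD_FLAGS_OFF);
    return check_group_desc(ro_compat, group, flags);
}

/* Walk a raw descriptor table; returns how many groups would make the kernel call ext4_error(). */
size_t scan_gdt(const uint8_t *sb, const uint8_t *gdt, size_t desc_size, uint32_t ngroups)
{
    size_t corrupt = 0;
    for (uint32_t g = 0; g < ngroups; g++)
        if (group_verdict(sb, gdt, desc_size, g) > BG_OK)
            corrupt++;
    return corrupt;
}

/* Constructed sample data (not from a real image): one superblock with uninit_bg,
 * one with neither feature, and two three-group descriptor tables. */
static const uint8_t sample_sb_csum[1024]  = { [SB_RO_COMPAT_OFF] = 0x10 };
static const uint8_t sample_sb_plain[1024] = { 0 };
static const uint8_t good_gdt[3 * 32] = {       /* bg0 zeroed, bg1 fully uninit, bg2 block-uninit */
    [0 * 32 + GD_FLAGS_OFF] = 0x04,
    [1 * 32 + GD_FLAGS_OFF] = 0x03,
    [2 * 32 + GD_FLAGS_OFF] = 0x06,
};
static const uint8_t bad_gdt[3 * 32] = {        /* same, but bg0 has BLOCK_UNINIT and is not zeroed */
    [0 * 32 + GD_FLAGS_OFF] = 0x02,
    [1 * 32 + GD_FLAGS_OFF] = 0x03,
    [2 * 32 + GD_FLAGS_OFF] = 0x06,
};

int main(void)
{
    printf("good table, csum fs:  %zu corrupt groups\n", scan_gdt(sample_sb_csum, good_gdt, 32, 3));
    printf("bad table, csum fs:   %zu corrupt groups (bg0 verdict %d)\n",
           scan_gdt(sample_sb_csum, bad_gdt, 32, 3), group_verdict(sample_sb_csum, bad_gdt, 32, 0));
    printf("bad table, plain fs:  %zu corrupt groups (flags ignored)\n",
           scan_gdt(sample_sb_plain, bad_gdt, 32, 3));
    return 0;
}
```

The third case is the one the `ext4_has_group_desc_csum(sb) &&` guards in the patch encode: the same descriptor bytes that are corruption on a csum-enabled filesystem are simply not consulted on one without the feature. To run this against a real image, read 1024 bytes at offset 1024 for the superblock and the descriptor table from the block after it (or after the superblock's block on 1k-block filesystems), and take desc_size from s_desc_size when the 64bit feature is set.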