From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Theodore Tso, stable@kernel.org
Subject: [PATCH 4.9 33/52] ext4: add more inode number paranoia checks
Date: Tue, 10 Jul 2018 20:25:01 +0200
Message-Id: <20180710182452.405643904@linuxfoundation.org>
In-Reply-To: <20180710182449.285532226@linuxfoundation.org>
References: <20180710182449.285532226@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o commit c37e9e013469521d9adb932d17a1795c139b36db upstream. If there is a directory entry pointing to a system inode (such as a journal inode), complain and declare the file system to be corrupted. Also, if the superblock's first inode number field is too small, refuse to mount the file system. This addresses CVE-2018-10882. https://bugzilla.kernel.org/show_bug.cgi?id=200069 Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman --- fs/ext4/ext4.h | 5 ----- fs/ext4/inode.c | 3 ++- fs/ext4/super.c | 5 +++++ 3 files changed, 7 insertions(+), 6 deletions(-) --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -1542,11 +1542,6 @@ static inline struct timespec ext4_curre static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino) { return ino == EXT4_ROOT_INO || - ino == EXT4_USR_QUOTA_INO || - ino == EXT4_GRP_QUOTA_INO || - ino == EXT4_BOOT_LOADER_INO || - ino == EXT4_JOURNAL_INO || - ino == EXT4_RESIZE_INO || (ino >= EXT4_FIRST_INO(sb) && ino <= le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)); } --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -4242,7 +4242,8 @@ static int __ext4_get_inode_loc(struct i int inodes_per_block, inode_offset; iloc->bh = NULL; - if (!ext4_valid_inum(sb, inode->i_ino)) + if (inode->i_ino < EXT4_ROOT_INO || + inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)) return -EFSCORRUPTED; iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb); --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -3713,6 +3713,11 @@ static int ext4_fill_super(struct super_ } else { sbi->s_inode_size = le16_to_cpu(es->s_inode_size); sbi->s_first_ino = le32_to_cpu(es->s_first_ino); + if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) { + ext4_msg(sb, KERN_ERR, "invalid first ino: %u", + sbi->s_first_ino); + goto failed_mount; + } if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) || (!is_power_of_2(sbi->s_inode_size)) || (sbi->s_inode_size > blocksize)) {
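
Review bot: in the fs/ext4/ext4.h hunk, ext4_valid_inum() keeps its name and signature while its meaning narrows to EXT4_ROOT_INO or the range from EXT4_FIRST_INO(sb) to s_inodes_count, and nothing in the hunk documents that. A one-line comment above the function saying it validates inode numbers that may appear in a directory entry, and that the reserved inodes (quota, boot loader, journal, resize) are rejected on purpose, would keep a later caller from using it to validate a system inode. Only __ext4_get_inode_loc() is moved off the helper in this patch, so the remaining callers in the 4.9 tree should be checked for any that legitimately pass a reserved inode number.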
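
Review bot: in the fs/ext4/inode.c hunk, the open-coded test in __ext4_get_inode_loc() uses EXT4_ROOT_INO as its lower bound where the helper it replaces used EXT4_FIRST_INO(sb), and the reason is not stated at the call site. A short comment that reserved inodes must still be locatable here, so only numbers below EXT4_ROOT_INO or above s_inodes_count count as corruption, would stop someone from folding this back into ext4_valid_inum(). The upper-bound expression le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count) is now duplicated between this check and ext4_valid_inum(); a small shared helper would keep the two from drifting apart.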
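
Review bot: in the fs/ext4/super.c hunk, the new test on sbi->s_first_ino checks only the lower bound, `sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO`. ext4_valid_inum() accepts `ino >= EXT4_FIRST_INO(sb) && ino <= s_inodes_count`, so a superblock whose s_first_ino is larger than s_inodes_count passes this check and leaves that range empty, and every non-root inode number is then rejected later rather than at mount. Consider also refusing the mount when s_first_ino exceeds le32_to_cpu(es->s_inodes_count), using the same ext4_msg() so the cause shows up in the log.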