From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Theodore Ts'o"
Date: Sat, 22 Sep 2018 01:15:42 +0100
Subject: [PATCH 3.16 35/63] ext4: add more inode number paranoia checks

3.16.58-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o

commit c37e9e013469521d9adb932d17a1795c139b36db upstream.

If there is a directory entry pointing to a system inode (such as a
journal inode), complain and declare the file system to be corrupted.

Also, if the superblock's first inode number field is too small,
refuse to mount the file system.

This addresses CVE-2018-10882.

https://bugzilla.kernel.org/show_bug.cgi?id=200069

Signed-off-by: Theodore Ts'o
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
 fs/ext4/ext4.h  | 5 -----
 fs/ext4/inode.c | 3 ++-
 fs/ext4/super.c | 5 +++++
 3 files changed, 7 insertions(+), 6 deletions(-)

--- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -1422,11 +1422,6 @@ static inline struct timespec ext4_curre static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino) { return ino == EXT4_ROOT_INO || - ino == EXT4_USR_QUOTA_INO || - ino == EXT4_GRP_QUOTA_INO || - ino == EXT4_BOOT_LOADER_INO || - ino == EXT4_JOURNAL_INO || - ino == EXT4_RESIZE_INO || (ino >= EXT4_FIRST_INO(sb) && ino <= le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)); } --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c 
@@ -3957,7 +3957,8 @@ static int __ext4_get_inode_loc(struct i int inodes_per_block, inode_offset; iloc->bh = NULL; - if (!ext4_valid_inum(sb, inode->i_ino)) + if (inode->i_ino < EXT4_ROOT_INO || + inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)) return -EIO; iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb); --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -3771,6 +3771,11 @@ static int ext4_fill_super(struct super_ } else { sbi->s_inode_size = le16_to_cpu(es->s_inode_size); sbi->s_first_ino = le32_to_cpu(es->s_first_ino); + if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) { + ext4_msg(sb, KERN_ERR, "invalid first ino: %u", + sbi->s_first_ino); + goto failed_mount; + } if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) || (!is_power_of_2(sbi->s_inode_size)) || (sbi->s_inode_size > blocksize)) {
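
Review bot: ext4_valid_inum() in the fs/ext4/ext4.h hunk changes meaning without a comment to say so. With the five reserved inode numbers dropped, it accepts only EXT4_ROOT_INO and the range from EXT4_FIRST_INO(sb) to s_inodes_count, so it now answers "may a directory entry point here" rather than "is this a usable inode number". A one-line comment above the function stating that would stop a future caller from using it on the journal, quota, boot loader or resize inode, which is exactly the case the fs/ext4/inode.c hunk has to work around by open-coding its own range test. It is also worth confirming that every remaining caller of ext4_valid_inum() is on a directory-lookup path, since none of them are visible in this patch.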
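
Review bot: the open-coded test in __ext4_get_inode_loc() (fs/ext4/inode.c hunk) is wider than the check it replaces. The old ext4_valid_inum() call let through only the root inode, the five named reserved inodes and the range starting at EXT4_FIRST_INO(sb); the new condition, "inode->i_ino < EXT4_ROOT_INO || inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)", lets through every number from EXT4_ROOT_INO up to s_inodes_count, including reserved numbers that were not in the old list. If that is intended because internal callers need all reserved inodes, say so in a comment at this site. The failure path also returns -EIO without logging anything, unlike the ext4_msg() call added in the fs/ext4/super.c hunk, so a corrupted i_ino caught here leaves no trace in the kernel log from this function.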
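
Review bot: the new s_first_ino check in ext4_fill_super() (fs/ext4/super.c hunk) validates only the lower bound. "sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO" rejects a value that overlaps the reserved inodes, but nothing in the hunk compares s_first_ino with s_inodes_count, so an on-disk value above the inode count still mounts and leaves ext4_valid_inum() accepting only the root inode. Consider adding the upper-bound test next to this one so both ends of the range used by ext4_valid_inum() are checked at mount time. Minor: the message "invalid first ino: %u" would be easier to act on if it also printed the minimum it was compared against.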