From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Theodore Ts'o"
Date: Sat, 22 Sep 2018 01:15:42 +0100
Message-ID:
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.16 26/63] ext4: verify the depth of extent tree in ext4_find_extent()
In-Reply-To:
X-SA-Exim-Connect-IP: 2a02:8011:400e:2:cbab:f00:c93f:614
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.58-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o

commit bc890a60247171294acc0bd67d211fa4b88d40ba upstream.

If there is a corrupted file system where the claimed depth of the
extent tree is -1, this can cause a massive buffer overrun leading to
sadness.  This addresses CVE-2018-10877.

https://bugzilla.kernel.org/show_bug.cgi?id=199417

Signed-off-by: Theodore Ts'o
[bwh: Backported to 3.16: return -EIO instead of -EFSCORRUPTED]
Signed-off-by: Ben Hutchings
---
 fs/ext4/ext4_extents.h | 1 +
 fs/ext4/extents.c      | 6 ++++++
 2 files changed, 7 insertions(+)

--- a/fs/ext4/ext4_extents.h +++ b/fs/ext4/ext4_extents.h @@ -103,6 +103,7 @@ struct ext4_extent_header { }; #define EXT4_EXT_MAGIC cpu_to_le16(0xf30a) +#define EXT4_MAX_EXTENT_DEPTH 5 #define EXT4_EXTENT_TAIL_OFFSET(hdr) \ (sizeof(struct ext4_extent_header) + \ --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -851,6 +851,12 @@ ext4_ext_find_extent(struct inode *inode eh = ext_inode_hdr(inode); depth = ext_depth(inode); + if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) { + EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d", + depth); + ret = -EIO; + goto err; + } /* account possible depth increase */ if (!path) {
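Review bot: `+#define EXT4_MAX_EXTENT_DEPTH 5` in the ext4_extents.h hunk is a bare magic number with no comment saying why 5 is the ceiling. Since this value now decides whether an on-disk inode is rejected as corrupt, a one-line comment tying it to the on-disk format (the largest depth a tree built from these headers can legitimately reach) would keep a future format or block-size change from silently turning valid images into -EIO, and would tell the next reader that lowering it is a compatibility break rather than a tuning knob.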
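Review bot: the `depth < 0` half of the new test in ext4_ext_find_extent() only does anything if `depth` is a signed type. The commit message's motivating case is a claimed depth of -1, that is an on-disk eh_depth of 0xffff read through ext_depth() into a signed short, so confirm that the 3.16 declaration of `depth` in this function is still `short int` (as upstream's is) and not unsigned; if it is unsigned the first comparison is dead and the -1 case is caught only because 0xffff exceeds EXT4_MAX_EXTENT_DEPTH, which still works but is not what the condition reads as. The new `goto err` also fires before the `if (!path)` allocation, so the `err:` label must tolerate a still-NULL or caller-supplied `path` on this exit; worth checking in the 3.16 tree, since the function's other error exits run after the allocation.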
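To make the check concrete for readers outside the kernel tree, here is an added standalone C example (not part of this patch, the mail, or the ext4 code) that parses a constructed 12-byte extent header, shows how an eh_depth of 0xffff becomes -1 once narrowed to a signed short the way the kernel does, and applies the same 0..EXT4_MAX_EXTENT_DEPTH bound before the depth is used to size anything. The struct layout and the magic value follow fs/ext4/ext4_extents.h; the (depth + 2) slot count, the status enum and all function names are this example's own assumptions, and the sample headers are constructed in memory, not read from a real image.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of the on-disk ext4 extent header (12 bytes, little-endian),
 * as declared in fs/ext4/ext4_extents.h. */
struct ext4_extent_header {
    uint16_t eh_magic;       /* must equal EXT4_EXT_MAGIC */
    uint16_t eh_entries;     /* entries in use in this node */
    uint16_t eh_max;         /* capacity of this node */
    uint16_t eh_depth;       /* 0 = leaf, otherwise index levels below */
    uint32_t eh_generation;
};

#define EXT4_EXT_MAGIC        0xf30a
#define EXT4_MAX_EXTENT_DEPTH 5

/* Result codes for the validator (hypothetical; the kernel returns -EIO / -EFSCORRUPTED). */
enum hdr_status { HDR_OK = 0, HDR_BAD_MAGIC = 1, HDR_BAD_DEPTH = 2 };

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_le32(const uint8_t *p) { return (uint32_t)rd_le16(p) | ((uint32_t)rd_le16(p + 2) << 16); }
static void wr_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Decode a raw 12-byte header into host byte order. */
void parse_extent_header(const uint8_t raw[12], struct ext4_extent_header *eh) {
    eh->eh_magic      = rd_le16(raw + 0);
    eh->eh_entries    = rd_le16(raw + 2);
    eh->eh_max        = rd_le16(raw + 4);
    eh->eh_depth      = rd_le16(raw + 6);
    eh->eh_generation = rd_le32(raw + 8);
}

/* Build a constructed header in a caller-supplied buffer (sample data, not real disk contents). */
void make_extent_header(uint8_t raw[12], uint16_t depth) {
    memset(raw, 0, 12);
    wr_le16(raw + 0, EXT4_EXT_MAGIC);
    wr_le16(raw + 2, 1);      /* one entry in use */
    wr_le16(raw + 4, 4);      /* the in-inode root holds four entries */
    wr_le16(raw + 6, depth);
}

/* The same narrowing the kernel performs: ext_depth() yields the le16 field and
 * ext4_ext_find_extent() keeps it in `short int depth`, so 0xffff reads as -1. */
short extent_depth_as_kernel_sees_it(const uint8_t raw[12]) {
    struct ext4_extent_header eh;
    parse_extent_header(raw, &eh);
    return (short)eh.eh_depth;
}

/* Unchecked path-array sizing, modelled on a (depth + 2) slot count (an assumption of
 * this example). A depth of -1 yields a single slot for a walk that expects more,
 * which is the shape of the overrun the patch closes. */
int path_slots_unchecked(const uint8_t raw[12]) {
    return extent_depth_as_kernel_sees_it(raw) + 2;
}

/* Hardened form: reject the header before its depth is used for anything,
 * mirroring the bound check added by the patch. */
enum hdr_status validate_extent_header(const uint8_t raw[12]) {
    struct ext4_extent_header eh;
    parse_extent_header(raw, &eh);
    if (eh.eh_magic != EXT4_EXT_MAGIC)
        return HDR_BAD_MAGIC;
    short depth = (short)eh.eh_depth;
    if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH)
        return HDR_BAD_DEPTH;
    return HDR_OK;
}

/* Convenience wrappers: construct a header with the given raw depth and inspect it. */
enum hdr_status check_depth_value(uint16_t raw_depth) {
    uint8_t raw[12];
    make_extent_header(raw, raw_depth);
    return validate_extent_header(raw);
}
short depth_as_seen(uint16_t raw_depth) {
    uint8_t raw[12];
    make_extent_header(raw, raw_depth);
    return extent_depth_as_kernel_sees_it(raw);
}
int slots_for_depth(uint16_t raw_depth) {
    uint8_t raw[12];
    make_extent_header(raw, raw_depth);
    return path_slots_unchecked(raw);
}

int main(void) {
    const uint16_t samples[] = { 0, 3, 5, 6, 0xffff };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("eh_depth=0x%04x -> kernel sees %d, unchecked slots %d, status %d\n",
               samples[i], depth_as_seen(samples[i]),
               slots_for_depth(samples[i]), check_depth_value(samples[i]));
    }
    return 0;
}
```

The point of the split between `path_slots_unchecked` and `validate_extent_header` is ordering: the bound check has to run on the raw header before any value derived from `eh_depth` reaches an allocation size or loop counter, which is exactly where the patch places it in ext4_ext_find_extent(), ahead of the `if (!path)` allocation.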