From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sriram Rajagopalan, Theodore Tso, stable@kernel.org
Subject: [PATCH 4.19 085/105] ext4: zero out the unused memory region in the extent tree block
Date: Mon, 20 May 2019 14:14:31 +0200
Message-Id: <20190520115253.137578627@linuxfoundation.org>
In-Reply-To: <20190520115247.060821231@linuxfoundation.org>
References: <20190520115247.060821231@linuxfoundation.org>

From: Sriram Rajagopalan

commit 592acbf16821288ecdc4192c47e3774a4c48bb64 upstream.

This commit zeroes out the unused memory region in the buffer_head corresponding to the extent metablock after writing the extent header and the corresponding extent node entries. This is done to prevent random uninitialized data from getting into the filesystem when the extent block is synced.

This fixes CVE-2019-11833.

Signed-off-by: Sriram Rajagopalan
Signed-off-by: Theodore Ts'o
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman
---
 fs/ext4/extents.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

--- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -1035,6 +1035,7 @@ static int ext4_ext_split(handle_t *hand __le32 border; ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */ int err = 0; + size_t ext_size = 0; /* make decision: where to split? */ /* FIXME: now decision is simplest: at current extent */ 
@@ -1126,6 +1127,10 @@ static int ext4_ext_split(handle_t *hand le16_add_cpu(&neh->eh_entries, m); } + /* zero out unused area in the extent block */ + ext_size = sizeof(struct ext4_extent_header) + + sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries); + memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size); ext4_extent_block_csum_set(inode, neh); set_buffer_uptodate(bh); unlock_buffer(bh); @@ -1205,6 +1210,11 @@ static int ext4_ext_split(handle_t *hand sizeof(struct ext4_extent_idx) * m); le16_add_cpu(&neh->eh_entries, m); } + /* zero out unused area in the extent block */ + ext_size = sizeof(struct ext4_extent_header) + + (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries)); + memset(bh->b_data + ext_size, 0, + inode->i_sb->s_blocksize - ext_size); ext4_extent_block_csum_set(inode, neh); set_buffer_uptodate(bh); unlock_buffer(bh); @@ -1270,6 +1280,7 @@ static int ext4_ext_grow_indepth(handle_ ext4_fsblk_t newblock, goal = 0; struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es; int err = 0; + size_t ext_size = 0; /* Try to prepend new index to old one */ if (ext_depth(inode)) @@ -1295,9 +1306,11 @@ static int ext4_ext_grow_indepth(handle_ goto out; } + ext_size = sizeof(EXT4_I(inode)->i_data); /* move top-level index/leaf into new block */ - memmove(bh->b_data, EXT4_I(inode)->i_data, - sizeof(EXT4_I(inode)->i_data)); + memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size); + /* zero out unused area in the extent block */ + memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size); /* set size of new block */ neh = ext_block_hdr(bh);
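
Review bot: in the @@ -1126,6 +1127,10 @@ hunk of ext4_ext_split(), the memset length "inode->i_sb->s_blocksize - ext_size" is a size_t subtraction with no check that ext_size fits inside the block. ext_size is derived from whatever le16_add_cpu(&neh->eh_entries, m) left in the header, so an entry count larger than the block can hold would wrap the length and the memset would run far past bh->b_data. A guard before the memset (for example a WARN_ON(ext_size > inode->i_sb->s_blocksize) that bails out with an error) would make the zeroing safe by construction. The same three-line computation is repeated in the @@ -1205 hunk; a small helper taking the inode, bh and header would keep the two copies from drifting.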
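
Review bot: in the @@ -1205,6 +1210,11 @@ hunk of ext4_ext_split(), ext_size is computed with sizeof(struct ext4_extent), but the context lines just above copy the entries with "sizeof(struct ext4_extent_idx) * m", so this block holds index entries, not leaf extents. The arithmetic is only right as long as the two structs have the same size; using sizeof(struct ext4_extent_idx) here states the intent and does not depend on that. The extra parentheses around the product and the wrapped memset also differ from the leaf-block hunk for no visible reason, which is another argument for a shared helper.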
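
Review bot: in the @@ -1295,9 +1306,11 @@ hunk of ext4_ext_grow_indepth(), ext_size means something different from the ext4_ext_split() hunks: it is sizeof(EXT4_I(inode)->i_data), the whole in-inode root, not header plus used entries. Zeroing therefore starts at the end of the copied root, and any slots inside i_data beyond the header's entry count are carried into the new block as they are. The comment "zero out unused area in the extent block" reads as the same operation as in the split path; either say in the comment that only the tail past the copied i_data is cleared, or compute the offset from the copied header's eh_entries so all three sites follow one rule.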