From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jan Kara , Theodore Tso Subject: [PATCH 4.4 086/137] ext4: check for directory entries too close to block end Date: Thu, 2 Jan 2020 23:07:39 +0100 Message-Id: <20200102220558.244529402@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200102220546.618583146@linuxfoundation.org> References: <20200102220546.618583146@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jan Kara commit 109ba779d6cca2d519c5dd624a3276d03e21948e upstream. ext4_check_dir_entry() currently does not catch a case when a directory entry ends so close to the block end that the header of the next directory entry would not fit in the remaining space. This can lead to directory iteration code trying to access address beyond end of current buffer head leading to oops. CC: stable@vger.kernel.org Signed-off-by: Jan Kara Link: https://lore.kernel.org/r/20191202170213.4761-3-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman --- fs/ext4/dir.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/fs/ext4/dir.c +++ b/fs/ext4/dir.c @@ -75,6 +75,11 @@ int __ext4_check_dir_entry(const char *f error_msg = "rec_len is too small for name_len"; else if (unlikely(((char *) de - buf) + rlen > size)) error_msg = "directory entry overrun"; + else if (unlikely(((char *) de - buf) + rlen > + size - EXT4_DIR_REC_LEN(1) && + ((char *) de - buf) + rlen != size)) { + error_msg = "directory entry too close to block end"; + } else if (unlikely(le32_to_cpu(de->inode) > le32_to_cpu(EXT4_SB(dir->i_sb)->s_es->s_inodes_count))) error_msg = "inode out of bounds";
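
Review bot: the new condition computes `size - EXT4_DIR_REC_LEN(1)`, and nothing visible in this hunk shows the type of `size` or guarantees that it is at least as large as a minimal entry header. If `size` is unsigned and smaller than `EXT4_DIR_REC_LEN(1)`, the subtraction wraps and the "too close to block end" branch can never fire. Moving the constant to the other side of the comparison, as in `((char *) de - buf) + rlen + EXT4_DIR_REC_LEN(1) > size`, states the same check without depending on that. Two smaller points on the same branch: `((char *) de - buf) + rlen` now appears three times in this chain, so a local for the entry's end offset would make the overrun check and the new check easier to compare; and the added branch is the only one in the chain with braces around a single assignment, leaving a `}` on its own line before the next `else if`, which does not match the surrounding unbraced branches. A short comment noting that an entry ending exactly at `size` is allowed because it is the last entry in the block would also help readers of the `!= size` clause.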