2022-08-22 11:52:35

by Jan Kara

Subject: [PATCH] ext4: Fix check for block being out of directory size

The check in __ext4_read_dirblock() for block being outside of directory
size was wrong because it compared block number against directory size
in bytes. Fix it.

Fixes: 65f8ea4cd57d ("ext4: check if directory block is within i_size")
CVE: CVE-2022-1184
CC: [email protected]
Signed-off-by: Jan Kara <[email protected]>
---
fs/ext4/namei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 3a31b662f661..bc2e0612ec32 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -126,7 +126,7 @@ static struct buffer_head *__ext4_read_dirblock(struct inode *inode,
struct ext4_dir_entry *dirent;
int is_dx_block = 0;

- if (block >= inode->i_size) {
+ if (block >= inode->i_size >> inode->i_blkbits) {
ext4_error_inode(inode, func, line, block,
"Attempting to read directory block (%u) that is past i_size (%llu)",
block, inode->i_size);
--
2.35.3

2022-08-23 13:11:14

by Lukas Czerner

Subject: Re: [PATCH] ext4: Fix check for block being out of directory size

On Mon, Aug 22, 2022 at 01:48:32PM +0200, Jan Kara wrote:
> The check in __ext4_read_dirblock() for block being outside of directory
> size was wrong because it compared block number against directory size
> in bytes. Fix it.

Good catch, thanks!

Reviewed-by: Lukas Czerner <[email protected]>

>
> Fixes: 65f8ea4cd57d ("ext4: check if directory block is within i_size")
> CVE: CVE-2022-1184
> CC: [email protected]
> Signed-off-by: Jan Kara <[email protected]>
> ---
> fs/ext4/namei.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
> index 3a31b662f661..bc2e0612ec32 100644
> --- a/fs/ext4/namei.c
> +++ b/fs/ext4/namei.c
> @@ -126,7 +126,7 @@ static struct buffer_head *__ext4_read_dirblock(struct inode *inode,
> struct ext4_dir_entry *dirent;
> int is_dx_block = 0;
>
> - if (block >= inode->i_size) {
> + if (block >= inode->i_size >> inode->i_blkbits) {
> ext4_error_inode(inode, func, line, block,
> "Attempting to read directory block (%u) that is past i_size (%llu)",
> block, inode->i_size);
> --
> 2.35.3
>

2022-08-31 20:04:01

by Salvatore Bonaccorso

Subject: Re: [PATCH] ext4: Fix check for block being out of directory size

Hi,

On Tue, Aug 23, 2022 at 12:00:19PM +0200, Lukas Czerner wrote:
> On Mon, Aug 22, 2022 at 01:48:32PM +0200, Jan Kara wrote:
> > The check in __ext4_read_dirblock() for block being outside of directory
> > size was wrong because it compared block number against directory size
> > in bytes. Fix it.
>
> Good catch, thanks!
>
> Reviewed-by: Lukas Czerner <[email protected]>
>
> >
> > Fixes: 65f8ea4cd57d ("ext4: check if directory block is within i_size")
> > CVE: CVE-2022-1184
> > CC: [email protected]
> > Signed-off-by: Jan Kara <[email protected]>
> > ---
> > fs/ext4/namei.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
> > index 3a31b662f661..bc2e0612ec32 100644
> > --- a/fs/ext4/namei.c
> > +++ b/fs/ext4/namei.c
> > @@ -126,7 +126,7 @@ static struct buffer_head *__ext4_read_dirblock(struct inode *inode,
> > struct ext4_dir_entry *dirent;
> > int is_dx_block = 0;
> >
> > - if (block >= inode->i_size) {
> > + if (block >= inode->i_size >> inode->i_blkbits) {
> > ext4_error_inode(inode, func, line, block,
> > "Attempting to read directory block (%u) that is past i_size (%llu)",
> > block, inode->i_size);

Ted, is this on your radar to get applied for mainline and to the
stable trees?

Regards,
Salvatore

2022-09-29 15:06:25

by Theodore Ts'o

Subject: Re: [PATCH] ext4: Fix check for block being out of directory size

On Mon, 22 Aug 2022 13:48:32 +0200, Jan Kara wrote:
> The check in __ext4_read_dirblock() for block being outside of directory
> size was wrong because it compared block number against directory size
> in bytes. Fix it.
>
>

Applied, thanks!

[1/1] ext4: Fix check for block being out of directory size
commit: 013c07e4705fb994e5e56530af0bc6272884b5c1

Best regards,
--
Theodore Ts'o <[email protected]>