From: Ted Ts'o <tytso@mit.edu>
To: Xi Wang <xi.wang@gmail.com>
Cc: Andreas Dilger <adilger.kernel@dilger.ca>,
linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH RESEND] ext4: fix undefined behavior in ext4_fill_flex_info()
Date: Tue, 10 Jan 2012 11:54:40 -0500 [thread overview]
Message-ID: <20120110165440.GA6034@thunk.org> (raw)
In-Reply-To: <1326152840-1188-1-git-send-email-xi.wang@gmail.com>
On Mon, Jan 09, 2012 at 06:47:20PM -0500, Xi Wang wrote:
> Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
> zero when trying to mount a corrupted file system") fixes CVE-2009-4307
> by performing a sanity check on s_log_groups_per_flex, since it can be
> set to a bogus value by an attacker.
>
> sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
> groups_per_flex = 1 << sbi->s_log_groups_per_flex;
>
> if (groups_per_flex < 2) { ... }
>
> This patch fixes two potential issues in the previous commit.
>
> 1) The sanity check might only work on architectures like PowerPC.
> On x86, 5 bits are used for the shifting amount. That means, given a
> large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
> is essentially 1 << 4 = 16, rather than 0. This will bypass the check,
> leaving s_log_groups_per_flex and groups_per_flex inconsistent.
>
> 2) The sanity check relies on undefined behavior, i.e., oversized shift.
> A standard-confirming C compiler could rewrite the check in unexpected
> ways. Consider the following equivalent form, assuming groups_per_flex
> is unsigned for simplicity.
>
> groups_per_flex = 1 << sbi->s_log_groups_per_flex;
> if (groups_per_flex == 0 || groups_per_flex == 1) {
>
> We compile the code snippet using Clang 3.0 and GCC 4.6. Clang will
> completely optimize away the check groups_per_flex == 0, leaving the
> patched code as vulnerable as the original. GCC keeps the check, but
> there is no guarantee that future versions will do the same.
>
> Signed-off-by: Xi Wang <xi.wang@gmail.com>
> Cc: stable@vger.kernel.org
Thanks, applied. And thanks for the expanded commit description!
- Ted
prev parent reply other threads:[~2012-01-10 16:54 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-09 23:47 [PATCH RESEND] ext4: fix undefined behavior in ext4_fill_flex_info() Xi Wang
2012-01-09 23:47 ` Xi Wang
2012-01-10 16:54 ` Ted Ts'o [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120110165440.GA6034@thunk.org \
--to=tytso@mit.edu \
--cc=adilger.kernel@dilger.ca \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=xi.wang@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.