From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Cyrus-Session-Id: sloti22d1t05-2630128-1524406022-5-8365078868221903696 X-Sieve: CMU Sieve 3.0 X-Spam-known-sender: no X-Spam-score: 0.0 X-Spam-hits: BAYES_00 -1.9, HEADER_FROM_DIFFERENT_DOMAINS 0.25, MAILING_LIST_MULTI -1, ME_NOAUTH 0.01, RCVD_IN_DNSWL_HI -5, LANGUAGES en, BAYES_USED global, SA_VERSION 3.4.0 X-Spam-source: IP='209.132.180.67', Host='vger.kernel.org', Country='US', FromHeader='org', MailFrom='org' X-Spam-charsets: plain='UTF-8' X-Resolved-to: greg@kroah.com X-Delivered-to: greg@kroah.com X-Mail-from: stable-owner@vger.kernel.org ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm2; t= 1524406022; b=FPCVa4BRohvIPmZiqlLhh9mJkqcKH3zq/J+UtaP3IeV+u9n5KH 2q3p8OxGSxNihha7BPOmsulZboxIezjZhswEuczK1mF59Ak+Gcv/K8C9rq1MYUHu zeJ5DOYYJ8gZlBm/vegVrQMXdgwlxyhvc5Q9D+pqnWC+PPvFWIGfBvChZd52U6i7 XgFzWxGlR3DJ8p+Lu209zZZfIwLOIXbWiZXINozrhNN4Cq157Lw/5SO7VkKNgJAT YWLUOZYsFcy3JtCDoK3EsptUYAEinRGbnTHJmy79K59j+T5CBzNsR5xPzp3cMOnn TrOc/MPJUYeRo5v+KBS3g1kYL+46MEn2QZZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-type:sender :list-id; s=fm2; t=1524406022; bh=ro4iizLPQD3tPARuJn8EeMuN2944N6 L6ez+Qge3/ou0=; b=U/L0aa55vW/0J1cJuG6oz0kR6c0SB3beDpO7DJx43ks26N 0ooiTbQ+8QVPNMdPpfFR6oShikmBZFux2sOFH5dze3if7/YqPd5dil5wUW+25cxh KCvz0zdcAqrEZhIoD6sC0RKv1JpB5Jw6vPFdQPaLbLLqofELVA/Dpv8+BOzhgUHM oaP0Wo5B60pMHm1XiUk+FKw61ISs1XFivPma8pfip1Z9VvN5RpkOR5JU40D4qcLB qOB4rX98T+2Gc97+IwlZzy9cST9E+9ilNqfSRMX2X/so1Zcid9B3P9zpweNjK2dr Yk8aD2BNcvTRzn3OXb7HfqIUqDPd/4nRHwCHMvMw== ARC-Authentication-Results: i=1; mx6.messagingengine.com; arc=none (no signatures found); dkim=none (no signatures found); dmarc=none (p=none,has-list-id=yes,d=none) header.from=linuxfoundation.org; iprev=pass policy.iprev=209.132.180.67 (vger.kernel.org); spf=none smtp.mailfrom=stable-owner@vger.kernel.org smtp.helo=vger.kernel.org; x-aligned-from=fail; x-cm=none score=0; x-ptr=pass x-ptr-helo=vger.kernel.org x-ptr-lookup=vger.kernel.org; x-return-mx=pass smtp.domain=vger.kernel.org smtp.result=pass smtp_org.domain=kernel.org smtp_org.result=pass smtp_is_org_domain=no header.domain=linuxfoundation.org header.result=pass header_is_org_domain=yes; x-vs=clean score=-100 state=0 Authentication-Results: mx6.messagingengine.com; arc=none (no signatures found); dkim=none (no signatures found); dmarc=none (p=none,has-list-id=yes,d=none) header.from=linuxfoundation.org; iprev=pass policy.iprev=209.132.180.67 (vger.kernel.org); spf=none smtp.mailfrom=stable-owner@vger.kernel.org smtp.helo=vger.kernel.org; x-aligned-from=fail; x-cm=none score=0; x-ptr=pass x-ptr-helo=vger.kernel.org x-ptr-lookup=vger.kernel.org; x-return-mx=pass smtp.domain=vger.kernel.org smtp.result=pass smtp_org.domain=kernel.org smtp_org.result=pass smtp_is_org_domain=no header.domain=linuxfoundation.org header.result=pass header_is_org_domain=yes; x-vs=clean score=-100 state=0 X-ME-VSCategory: clean X-CM-Envelope: MS4wfBnw6PANXCD7Xg7Fsqnr9YufK/4pMM51JZdNawro35+tCM+NEtLn2SIdimMLke8Ey1bbZTHjMpVv//286GykuO+hOrcMCXS9WiZpANSMKqBfiVvnmxwo +5YVfxphg3oB4OIaxSMIaUQaX2+jJRJH8NQPrkSAKKpdYJ7dHLreiM/i8r2V7PexfdlOyZTiqBul03q59Z1RKuKOJzznuy0N+f+xsP70eYkTGuVGqLPghV5i X-CM-Analysis: v=2.3 cv=FKU1Odgs c=1 sm=1 tr=0 a=UK1r566ZdBxH71SXbqIOeA==:117 a=UK1r566ZdBxH71SXbqIOeA==:17 a=IkcTkHD0fZMA:10 a=Kd1tUaAdevIA:10 a=VwQbUJbxAAAA:8 a=20KFwNOVAAAA:8 a=ag1SF4gXAAAA:8 a=tvyFtlzUmmTVg9JsgHoA:9 a=QEXdDO2ut3YA:10 a=AjGcO6oz07-iQ99wixmX:22 a=Yupwre4RP9_Eg_Bd0iYG:22 X-ME-CMScore: 0 X-ME-CMCategory: none Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755655AbeDVOGz (ORCPT ); Sun, 22 Apr 2018 10:06:55 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:51544 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755633AbeDVOGq (ORCPT ); Sun, 22 Apr 2018 10:06:46 -0400 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Wen Xu , Theodore Tso Subject: [PATCH 4.14 079/164] ext4: fail ext4_iget for root directory if unallocated Date: Sun, 22 Apr 2018 15:52:26 +0200 Message-Id: <20180422135138.681699655@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180422135135.400265110@linuxfoundation.org> References: <20180422135135.400265110@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: stable-owner@vger.kernel.org X-Mailing-List: stable@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-Mailing-List: linux-kernel@vger.kernel.org List-ID: 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Theodore Ts'o commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 upstream. If the root directory has an i_links_count of zero, then when the file system is mounted, then when ext4_fill_super() notices the problem and tries to call iput() the root directory in the error return path, ext4_evict_inode() will try to free the inode on disk, before all of the file system structures are set up, and this will result in an OOPS caused by a NULL pointer dereference. This issue has been assigned CVE-2018-1092. https://bugzilla.kernel.org/show_bug.cgi?id=199179 https://bugzilla.redhat.com/show_bug.cgi?id=1560777 Reported-by: Wen Xu Signed-off-by: Theodore Ts'o Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman --- fs/ext4/inode.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -4685,6 +4685,12 @@ struct inode *ext4_iget(struct super_blo goto bad_inode; raw_inode = ext4_raw_inode(&iloc); + if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) { + EXT4_ERROR_INODE(inode, "root inode unallocated"); + ret = -EFSCORRUPTED; + goto bad_inode; + } + if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize); if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >