[PATCH RESEND] ext4: fix undefined behavior in ext4_fill_flex

linux-ext4.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH RESEND] ext4: fix undefined behavior in ext4_fill_flex_info()
@ 2012-01-09 23:47 Xi Wang
  2012-01-10 16:54 ` Ted Ts'o
  0 siblings, 1 reply; 2+ messages in thread
From: Xi Wang @ 2012-01-09 23:47 UTC (permalink / raw)
  To: Andreas Dilger, Theodore Ts'o
  Cc: linux-ext4, linux-kernel, Xi Wang, stable

Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
zero when trying to mount a corrupted file system") fixes CVE-2009-4307
by performing a sanity check on s_log_groups_per_flex, since it can be
set to a bogus value by an attacker.

	sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
	groups_per_flex = 1 << sbi->s_log_groups_per_flex;

	if (groups_per_flex < 2) { ... }

This patch fixes two potential issues in the previous commit.

1) The sanity check might only work on architectures like PowerPC.
On x86, 5 bits are used for the shifting amount.  That means, given a
large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
is essentially 1 << 4 = 16, rather than 0.  This will bypass the check,
leaving s_log_groups_per_flex and groups_per_flex inconsistent.

2) The sanity check relies on undefined behavior, i.e., oversized shift.
A standard-confirming C compiler could rewrite the check in unexpected
ways.  Consider the following equivalent form, assuming groups_per_flex
is unsigned for simplicity.

	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
	if (groups_per_flex == 0 || groups_per_flex == 1) {

We compile the code snippet using Clang 3.0 and GCC 4.6.  Clang will
completely optimize away the check groups_per_flex == 0, leaving the
patched code as vulnerable as the original.  GCC keeps the check, but
there is no guarantee that future versions will do the same.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: stable@vger.kernel.org
---
BTW, the patch does not limit s_log_groups_per_flex too much, so
groups_per_flex could be as large as 1 << 31.  When calculating
flex_group_count, can

	sbi->s_groups_count + groups_per_flex

overflow and cause any problem?
---
 fs/ext4/super.c |    7 +++----
 1 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 64e2529..ecea4c9 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2005,17 +2005,16 @@ static int ext4_fill_flex_info(struct super_block *sb)
 	struct ext4_group_desc *gdp = NULL;
 	ext4_group_t flex_group_count;
 	ext4_group_t flex_group;
-	int groups_per_flex = 0;
+	unsigned int groups_per_flex = 0;
 	size_t size;
 	int i;

 	sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
-	groups_per_flex = 1 << sbi->s_log_groups_per_flex;

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH RESEND] ext4: fix undefined behavior in ext4_fill_flex_info()
  2012-01-09 23:47 [PATCH RESEND] ext4: fix undefined behavior in ext4_fill_flex_info() Xi Wang
@ 2012-01-10 16:54 ` Ted Ts'o
  0 siblings, 0 replies; 2+ messages in thread
From: Ted Ts'o @ 2012-01-10 16:54 UTC (permalink / raw)
  To: Xi Wang; +Cc: Andreas Dilger, linux-ext4, linux-kernel, stable

On Mon, Jan 09, 2012 at 06:47:20PM -0500, Xi Wang wrote:
> Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
> zero when trying to mount a corrupted file system") fixes CVE-2009-4307
> by performing a sanity check on s_log_groups_per_flex, since it can be
> set to a bogus value by an attacker.
> 
> 	sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
> 	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
> 
> 	if (groups_per_flex < 2) { ... }
> 
> This patch fixes two potential issues in the previous commit.
> 
> 1) The sanity check might only work on architectures like PowerPC.
> On x86, 5 bits are used for the shifting amount.  That means, given a
> large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
> is essentially 1 << 4 = 16, rather than 0.  This will bypass the check,
> leaving s_log_groups_per_flex and groups_per_flex inconsistent.
> 
> 2) The sanity check relies on undefined behavior, i.e., oversized shift.
> A standard-confirming C compiler could rewrite the check in unexpected
> ways.  Consider the following equivalent form, assuming groups_per_flex
> is unsigned for simplicity.
> 
> 	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
> 	if (groups_per_flex == 0 || groups_per_flex == 1) {
> 
> We compile the code snippet using Clang 3.0 and GCC 4.6.  Clang will
> completely optimize away the check groups_per_flex == 0, leaving the
> patched code as vulnerable as the original.  GCC keeps the check, but
> there is no guarantee that future versions will do the same.
> 
> Signed-off-by: Xi Wang <xi.wang@gmail.com>
> Cc: stable@vger.kernel.org

Thanks, applied.  And thanks for the expanded commit description!

		      	     	     - Ted

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2012-01-10 16:54 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-01-09 23:47 [PATCH RESEND] ext4: fix undefined behavior in ext4_fill_flex_info() Xi Wang
2012-01-10 16:54 ` Ted Ts'o

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).