From: Ted Ts'o <tytso@mit.edu>
To: Xi Wang <xi.wang@gmail.com>
Cc: Andreas Dilger <adilger.kernel@dilger.ca>,
linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH RESEND] ext4: fix undefined behavior in ext4_fill_flex_info()
Date: Tue, 10 Jan 2012 11:54:40 -0500 [thread overview]
Message-ID: <20120110165440.GA6034@thunk.org> (raw)
In-Reply-To: <1326152840-1188-1-git-send-email-xi.wang@gmail.com>
On Mon, Jan 09, 2012 at 06:47:20PM -0500, Xi Wang wrote:
> Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
> zero when trying to mount a corrupted file system") fixes CVE-2009-4307
> by performing a sanity check on s_log_groups_per_flex, since it can be
> set to a bogus value by an attacker.
>
> sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
> groups_per_flex = 1 << sbi->s_log_groups_per_flex;
>
> if (groups_per_flex < 2) { ... }
>
> This patch fixes two potential issues in the previous commit.
>
> 1) The sanity check might only work on architectures like PowerPC.
> On x86, 5 bits are used for the shifting amount. That means, given a
> large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
> is essentially 1 << 4 = 16, rather than 0. This will bypass the check,
> leaving s_log_groups_per_flex and groups_per_flex inconsistent.
>
> 2) The sanity check relies on undefined behavior, i.e., oversized shift.
> A standard-confirming C compiler could rewrite the check in unexpected
> ways. Consider the following equivalent form, assuming groups_per_flex
> is unsigned for simplicity.
>
> groups_per_flex = 1 << sbi->s_log_groups_per_flex;
> if (groups_per_flex == 0 || groups_per_flex == 1) {
>
> We compile the code snippet using Clang 3.0 and GCC 4.6. Clang will
> completely optimize away the check groups_per_flex == 0, leaving the
> patched code as vulnerable as the original. GCC keeps the check, but
> there is no guarantee that future versions will do the same.
>
> Signed-off-by: Xi Wang <xi.wang@gmail.com>
> Cc: stable@vger.kernel.org
Thanks, applied. And thanks for the expanded commit description!
- Ted
prev parent reply other threads:[~2012-01-10 16:54 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-09 23:47 [PATCH RESEND] ext4: fix undefined behavior in ext4_fill_flex_info() Xi Wang
2012-01-10 16:54 ` Ted Ts'o [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120110165440.GA6034@thunk.org \
--to=tytso@mit.edu \
--cc=adilger.kernel@dilger.ca \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=xi.wang@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).