* [CVE-2018-1092][T/X/A/B/C] ext4: fail ext4_iget for root directory if unallocated
[not found] <20180514052713.8801-1-khalid.elmously@canonical.com>
@ 2018-05-14 5:27 ` Khalid Elmously
2018-05-14 6:17 ` Greg KH
0 siblings, 1 reply; 3+ messages in thread
From: Khalid Elmously @ 2018-05-14 5:27 UTC (permalink / raw)
To: 999; +Cc: Theodore Ts'o, stable
From: Theodore Ts'o <tytso@mit.edu>
CVE-2018-1092
If the root directory has an i_links_count of zero, then when the file
system is mounted, then when ext4_fill_super() notices the problem and
tries to call iput() the root directory in the error return path,
ext4_evict_inode() will try to free the inode on disk, before all of
the file system structures are set up, and this will result in an OOPS
caused by a NULL pointer dereference.
This issue has been assigned CVE-2018-1092.
https://bugzilla.kernel.org/show_bug.cgi?id=199179
https://bugzilla.redhat.com/show_bug.cgi?id=1560777
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
(cherry-picked from 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
---
fs/ext4/inode.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 3d4d1dccc8a1..398faeff1938 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4745,6 +4745,12 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
goto bad_inode;
raw_inode = ext4_raw_inode(&iloc);
+ if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
+ EXT4_ERROR_INODE(inode, "root inode unallocated");
+ ret = -EFSCORRUPTED;
+ goto bad_inode;
+ }
+
if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
--
2.17.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [CVE-2018-1092][T/X/A/B/C] ext4: fail ext4_iget for root directory if unallocated
2018-05-14 5:27 ` [CVE-2018-1092][T/X/A/B/C] ext4: fail ext4_iget for root directory if unallocated Khalid Elmously
@ 2018-05-14 6:17 ` Greg KH
2018-05-14 6:41 ` Khalid Elmously
0 siblings, 1 reply; 3+ messages in thread
From: Greg KH @ 2018-05-14 6:17 UTC (permalink / raw)
To: Khalid Elmously; +Cc: 999, Theodore Ts'o, stable
On Mon, May 14, 2018 at 01:27:13AM -0400, Khalid Elmously wrote:
> From: Theodore Ts'o <tytso@mit.edu>
>
> CVE-2018-1092
>
> If the root directory has an i_links_count of zero, then when the file
> system is mounted, then when ext4_fill_super() notices the problem and
> tries to call iput() the root directory in the error return path,
> ext4_evict_inode() will try to free the inode on disk, before all of
> the file system structures are set up, and this will result in an OOPS
> caused by a NULL pointer dereference.
>
> This issue has been assigned CVE-2018-1092.
>
> https://bugzilla.kernel.org/show_bug.cgi?id=199179
> https://bugzilla.redhat.com/show_bug.cgi?id=1560777
>
> Reported-by: Wen Xu <wen.xu@gatech.edu>
> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> Cc: stable@vger.kernel.org
> (cherry-picked from 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
> ---
> fs/ext4/inode.c | 6 ++++++
> 1 file changed, 6 insertions(+)
Any specific reason you sent a patch that is already included in all of
the active stable trees, to the stable mailing list?
And nice fuzzymail address :)
greg k-h
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [CVE-2018-1092][T/X/A/B/C] ext4: fail ext4_iget for root directory if unallocated
2018-05-14 6:17 ` Greg KH
@ 2018-05-14 6:41 ` Khalid Elmously
0 siblings, 0 replies; 3+ messages in thread
From: Khalid Elmously @ 2018-05-14 6:41 UTC (permalink / raw)
To: Greg KH; +Cc: 999, Theodore Ts'o, stable
On 2018-05-14 08:17:52 , Greg KH wrote:
> On Mon, May 14, 2018 at 01:27:13AM -0400, Khalid Elmously wrote:
> > From: Theodore Ts'o <tytso@mit.edu>
> >
> > CVE-2018-1092
> >
> > If the root directory has an i_links_count of zero, then when the file
> > system is mounted, then when ext4_fill_super() notices the problem and
> > tries to call iput() the root directory in the error return path,
> > ext4_evict_inode() will try to free the inode on disk, before all of
> > the file system structures are set up, and this will result in an OOPS
> > caused by a NULL pointer dereference.
> >
> > This issue has been assigned CVE-2018-1092.
> >
> > https://bugzilla.kernel.org/show_bug.cgi?id=199179
> > https://bugzilla.redhat.com/show_bug.cgi?id=1560777
> >
> > Reported-by: Wen Xu <wen.xu@gatech.edu>
> > Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> > Cc: stable@vger.kernel.org
> > (cherry-picked from 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
> > Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
> > ---
> > fs/ext4/inode.c | 6 ++++++
> > 1 file changed, 6 insertions(+)
>
> Any specific reason you sent a patch that is already included in all of
> the active stable trees, to the stable mailing list?
Well I thought why not apply the patch again for _extra_ protection?
>
> And nice fuzzymail address :)
Thanks :)
Seriously though: I mis-used git-send-email while sending a test patch to myself and ended up CC'ing the stable ML - apologies for the spam.
>
> greg k-h
Khalid
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-05-14 6:41 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20180514052713.8801-1-khalid.elmously@canonical.com>
2018-05-14 5:27 ` [CVE-2018-1092][T/X/A/B/C] ext4: fail ext4_iget for root directory if unallocated Khalid Elmously
2018-05-14 6:17 ` Greg KH
2018-05-14 6:41 ` Khalid Elmously
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).