From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from youngberry.canonical.com ([91.189.89.112]:48656 "EHLO
        youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751533AbeENGlQ (ORCPT
        <rfc822;stable@vger.kernel.org>); Mon, 14 May 2018 02:41:16 -0400
Received: from mail-it0-f70.google.com ([209.85.214.70])
        by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
        (Exim 4.76)
        (envelope-from <khalid.elmously@canonical.com>)
        id 1fI7AZ-0000lP-7b
        for stable@vger.kernel.org; Mon, 14 May 2018 06:41:15 +0000
Received: by mail-it0-f70.google.com with SMTP id 6-v6so11684293itl.6
        for <stable@vger.kernel.org>; Sun, 13 May 2018 23:41:15 -0700 (PDT)
Date: Mon, 14 May 2018 02:41:10 -0400
From: Khalid Elmously <khalid.elmously@canonical.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: 999@fuzzymail.xyz, Theodore Ts'o <tytso@mit.edu>,
        stable@vger.kernel.org
Subject: Re: [CVE-2018-1092][T/X/A/B/C] ext4: fail ext4_iget for root
 directory if unallocated
Message-ID: <20180514064109.GA10148@kbuntu>
References: <20180514052713.8801-1-khalid.elmously@canonical.com>
 <20180514052713.8801-2-khalid.elmously@canonical.com>
 <20180514061752.GB9153@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180514061752.GB9153@kroah.com>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On 2018-05-14 08:17:52 , Greg KH wrote:
> On Mon, May 14, 2018 at 01:27:13AM -0400, Khalid Elmously wrote:
> > From: Theodore Ts'o <tytso@mit.edu>
> > 
> > CVE-2018-1092
> > 
> > If the root directory has an i_links_count of zero, then when the file
> > system is mounted, then when ext4_fill_super() notices the problem and
> > tries to call iput() the root directory in the error return path,
> > ext4_evict_inode() will try to free the inode on disk, before all of
> > the file system structures are set up, and this will result in an OOPS
> > caused by a NULL pointer dereference.
> > 
> > This issue has been assigned CVE-2018-1092.
> > 
> > https://bugzilla.kernel.org/show_bug.cgi?id=199179
> > https://bugzilla.redhat.com/show_bug.cgi?id=1560777
> > 
> > Reported-by: Wen Xu <wen.xu@gatech.edu>
> > Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> > Cc: stable@vger.kernel.org
> > (cherry-picked from 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
> > Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
> > ---
> >  fs/ext4/inode.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> 
> Any specific reason you sent a patch that is already included in all of
> the active stable trees, to the stable mailing list?

Well I thought why not apply the patch again for _extra_ protection?

> 
> And nice fuzzymail address :)

Thanks :)



Seriously though: I mis-used git-send-email while sending a test patch to myself and ended up CC'ing the stable ML - apologies for the spam.

> 
> greg k-h

Khalid