From: Greg Hackmann <ghackmann@android.com>
To: stable@vger.kernel.org
Cc: Theodore Ts'o <tytso@mit.edu>,
	Ben Hutchings <ben@decadent.org.uk>,
	Greg Hackmann <ghackmann@google.com>
Subject: [PATCH 3.18.y 08/10] ext4: add more inode number paranoia checks
Date: Thu,  4 Oct 2018 10:53:18 -0700
Message-ID: <20181004175320.181881-9-ghackmann@google.com>
In-Reply-To: <20181004175320.181881-1-ghackmann@google.com>

From: Theodore Ts'o <tytso@mit.edu>

commit c37e9e013469521d9adb932d17a1795c139b36db upstream.

If there is a directory entry pointing to a system inode (such as a
journal inode), complain and declare the file system to be corrupted.

Also, if the superblock's first inode number field is too small,
refuse to mount the file system.

This addresses CVE-2018-10882.

https://bugzilla.kernel.org/show_bug.cgi?id=200069

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Hackmann <ghackmann@google.com>
---
 fs/ext4/ext4.h  | 5 -----
 fs/ext4/inode.c | 3 ++-
 fs/ext4/super.c | 5 +++++
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index bd997b3d6a6f..beea7a33f5ee 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -1386,11 +1386,6 @@ static inline struct timespec ext4_current_time(struct inode *inode)
 static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino)
 {
 	return ino == EXT4_ROOT_INO ||
-		ino == EXT4_USR_QUOTA_INO ||
-		ino == EXT4_GRP_QUOTA_INO ||
-		ino == EXT4_BOOT_LOADER_INO ||
-		ino == EXT4_JOURNAL_INO ||
-		ino == EXT4_RESIZE_INO ||
 		(ino >= EXT4_FIRST_INO(sb) &&
 		 ino <= le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count));
 }
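Review bot: ext4_valid_inum() now rejects the reserved system inodes (EXT4_USR_QUOTA_INO, EXT4_GRP_QUOTA_INO, EXT4_BOOT_LOADER_INO, EXT4_JOURNAL_INO, EXT4_RESIZE_INO), so every remaining caller that may legitimately need to load one of those inodes, such as the journal or quota inode at mount time, must no longer go through this helper; the inode.c hunk in this patch switches __ext4_get_inode_loc() to a plain range check for that reason, and it would be worth auditing the other callers in 3.18 for the same assumption. A short comment above the function stating that it is now meant for validating inode numbers read from directory entries (where a pointer to a system inode is always corruption) would make that intent explicit. Note also that the accepted range still depends on s_first_ino from the superblock, which is why the super.c hunk has to validate that field before anything trusts it.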
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index eb06f62fa95b..75dc9da78196 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -3737,7 +3737,8 @@ static int __ext4_get_inode_loc(struct inode *inode,
 	int			inodes_per_block, inode_offset;
 
 	iloc->bh = NULL;
-	if (!ext4_valid_inum(sb, inode->i_ino))
+	if (inode->i_ino < EXT4_ROOT_INO ||
+	    inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count))
 		return -EIO;
 
 	iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb);
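Review bot: the replacement check `inode->i_ino < EXT4_ROOT_INO || inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)` no longer consults s_first_ino, so inode numbers between EXT4_ROOT_INO and EXT4_FIRST_INO(sb) are accepted here; that is intentional, because the journal and quota inodes live in that reserved range and this path must still be able to locate them, but it means the protection against directory entries referencing system inodes rests entirely on the ext4_valid_inum() callers in the lookup path. A one-line comment saying that this is deliberately only a bounds check (numbers below EXT4_ROOT_INO and above s_inodes_count can never be addressed in the inode table) would stop a later cleanup from "restoring" the ext4_valid_inum() call and breaking journal loading.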
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 6806b8937803..a9e8df7c529f 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3794,6 +3794,11 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
 	} else {
 		sbi->s_inode_size = le16_to_cpu(es->s_inode_size);
 		sbi->s_first_ino = le32_to_cpu(es->s_first_ino);
+		if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) {
+			ext4_msg(sb, KERN_ERR, "invalid first ino: %u",
+				 sbi->s_first_ino);
+			goto failed_mount;
+		}
 		if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) ||
 		    (!is_power_of_2(sbi->s_inode_size)) ||
 		    (sbi->s_inode_size > blocksize)) {
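Review bot: the new check `if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO)` only bounds s_first_ino from below, which is what is needed to keep the reserved system inodes out of the range that ext4_valid_inum() treats as ordinary; an unreasonably large s_first_ino (above s_inodes_count, for instance) is not rejected here, and in that case the `ino >= EXT4_FIRST_INO(sb) && ino <= s_inodes_count` range in the ext4.h hunk collapses to nothing but the root inode, so the file system would mount but fail every other lookup. Consider adding the upper-bound check alongside this one, where `es` is already available. The placement before the s_inode_size validation and the reuse of the `goto failed_mount` path and ext4_msg(KERN_ERR) format are consistent with the surrounding checks.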
-- 
2.19.0.605.g01d371f741-goog

2018-10-04 17:53 [PATCH 3.18.y 00/10] recent ext4 CVE fixes Greg Hackmann
2018-10-04 17:53 ` [PATCH 3.18.y 01/10] ext4: only look at the bg_flags field if it is valid Greg Hackmann
2018-10-04 17:53 ` [PATCH 3.18.y 02/10] ext4: fix check to prevent initializing reserved inodes Greg Hackmann
2018-10-04 17:53 ` [PATCH 3.18.y 03/10] ext4: always check block group bounds in ext4_init_block_bitmap() Greg Hackmann
2018-10-04 17:53 ` [PATCH 3.18.y 04/10] ext4: fix false negatives *and* false positives in ext4_check_descriptors() Greg Hackmann
2018-10-04 17:53 ` [PATCH 3.18.y 05/10] ext4: add corruption check in ext4_xattr_set_entry() Greg Hackmann
2018-10-04 17:53 ` [PATCH 3.18.y 06/10] ext4: always verify the magic number in xattr blocks Greg Hackmann
2018-10-04 17:53 ` [PATCH 3.18.y 07/10] ext4: never move the system.data xattr out of the inode body Greg Hackmann
2018-10-04 17:53 ` Greg Hackmann [this message]
2018-10-04 17:53 ` [PATCH 3.18.y 09/10] jbd2: don't mark block as modified if the handle is out of credits Greg Hackmann
2018-10-04 17:53 ` [PATCH 3.18.y 10/10] ext4: avoid running out of journal credits when appending to an inline file Greg Hackmann
2018-10-11  9:17 ` [PATCH 3.18.y 00/10] recent ext4 CVE fixes Greg KH
