ext4: CVE-2018-10878

ext4: always check block group bounds in ext4_init_block_bitmap() References: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=819b23f1c501b17b9694325471789e6b5cc2d0d2 Change-Id: I1cb5fc73d9a23d4b3a1d414e09eaee21df441efe Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-12 15:03:55 +0200
committer: Adrian Dudau <Adrian.Dudau@enea.com> 2018-10-16 17:39:19 +0200
commit: 24146be922365586abe10ef58bee2198645abe5f (patch)
tree: c31e583077e1065ce547aec44eb2c6e84231edb0
parent: ec3c1f25090f5d8bf6084bb04bf56a5ce244b527 (diff)
download: enea-kernel-cache-24146be922365586abe10ef58bee2198645abe5f.tar.gz
2 files changed, 61 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index c774696..08429b4 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -29,3 +29,5 @@ patch CVE-2018-9518-NFC-llcp-Limit-size-of-SDP-URI.patch
 #CVEs fixed in 4.9.112:
 patch CVE-2018-10876-ext4-only-look-at-the-bg_flags-field-if-it-is-valid.patch
 patch CVE-2018-10877-ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch
+patch CVE-2018-10878-ext4-always-check-block-group-bounds-in-ext4_init_bl.patch
diff --git a/patches/cve/CVE-2018-10878-ext4-always-check-block-group-bounds-in-ext4_init_bl.patch b/patches/cve/CVE-2018-10878-ext4-always-check-block-group-bounds-in-ext4_init_bl.patch
new file mode 100644
index 0000000..1ee0b63
--- /dev/null
+++ b/patches/cve/CVE-2018-10878-ext4-always-check-block-group-bounds-in-ext4_init_bl.patch
@@ -0,0 +1,59 @@
+Date: Fri, 12 Oct 2018 14:28:19 +0200
+Subject: [PATCH] ext4: always check block group bounds in
+ ext4_init_block_bitmap() Regardless of whether the flex_bg feature is set, we
+ should always check to make sure the bits we are setting in the block bitmap
+ are within the block group bounds.
+https://bugzilla.kernel.org/show_bug.cgi?id=199865
+CVE: CVE-2018-10878
+Upstream-Status: Backport
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/ext4/balloc.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
+index e04ec86..a343fa0 100644
+--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
+@@ -183,7 +183,6 @@ static int ext4_init_block_bitmap(struct super_block *sb,
+        unsigned int bit, bit_max;
+        struct ext4_sb_info *sbi = EXT4_SB(sb);
+        ext4_fsblk_t start, tmp;
+-       int flex_bg = 0;
+        struct ext4_group_info *grp;
+ 
+        J_ASSERT_BH(bh, buffer_locked(bh));
+@@ -216,22 +215,19 @@ static int ext4_init_block_bitmap(struct super_block *sb,
+ 
+        start = ext4_group_first_block_no(sb, block_group);
+ 
+-       if (ext4_has_feature_flex_bg(sb))
+-               flex_bg = 1;
+-
+        /* Set bits for block and inode bitmaps, and inode table */
+        tmp = ext4_block_bitmap(sb, gdp);
+-       if (!flex_bg || ext4_block_in_group(sb, tmp, block_group))
+       if (ext4_block_in_group(sb, tmp, block_group))
+                ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
+ 
+        tmp = ext4_inode_bitmap(sb, gdp);
+-       if (!flex_bg || ext4_block_in_group(sb, tmp, block_group))
+       if (ext4_block_in_group(sb, tmp, block_group))
+                ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
+ 
+        tmp = ext4_inode_table(sb, gdp);
+        for (; tmp < ext4_inode_table(sb, gdp) +
+                     sbi->s_itb_per_group; tmp++) {
+-               if (!flex_bg || ext4_block_in_group(sb, tmp, block_group))
+               if (ext4_block_in_group(sb, tmp, block_group))
+                        ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
+        }
+ 
+--
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-12 15:03:55 +0200
committer	Adrian Dudau <Adrian.Dudau@enea.com>	2018-10-16 17:39:19 +0200
commit	24146be922365586abe10ef58bee2198645abe5f (patch)
tree	c31e583077e1065ce547aec44eb2c6e84231edb0
parent	ec3c1f25090f5d8bf6084bb04bf56a5ce244b527 (diff)
download	enea-kernel-cache-24146be922365586abe10ef58bee2198645abe5f.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index c774696..08429b4 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -29,3 +29,5 @@ patch CVE-2018-9518-NFC-llcp-Limit-size-of-SDP-URI.patch
29	#CVEs fixed in 4.9.112:	29	#CVEs fixed in 4.9.112:
30	patch CVE-2018-10876-ext4-only-look-at-the-bg_flags-field-if-it-is-valid.patch	30	patch CVE-2018-10876-ext4-only-look-at-the-bg_flags-field-if-it-is-valid.patch
31	patch CVE-2018-10877-ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch	31	patch CVE-2018-10877-ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch
		32	patch CVE-2018-10878-ext4-always-check-block-group-bounds-in-ext4_init_bl.patch
		33


diff --git a/patches/cve/CVE-2018-10878-ext4-always-check-block-group-bounds-in-ext4_init_bl.patch b/patches/cve/CVE-2018-10878-ext4-always-check-block-group-bounds-in-ext4_init_bl.patch new file mode 100644 index 0000000..1ee0b63 --- /dev/null +++ b/patches/cve/CVE-2018-10878-ext4-always-check-block-group-bounds-in-ext4_init_bl.patch
@@ -0,0 +1,59 @@
		1	Date: Fri, 12 Oct 2018 14:28:19 +0200
		2	Subject: [PATCH] ext4: always check block group bounds in
		3	ext4_init_block_bitmap() Regardless of whether the flex_bg feature is set, we
		4	should always check to make sure the bits we are setting in the block bitmap
		5	are within the block group bounds.
		6
		7	https://bugzilla.kernel.org/show_bug.cgi?id=199865
		8
		9	CVE: CVE-2018-10878
		10	Upstream-Status: Backport
		11
		12	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
		13	Cc: stable@kernel.org
		14	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		15	---
		16	fs/ext4/balloc.c \| 10 +++-------
		17	1 file changed, 3 insertions(+), 7 deletions(-)
		18
		19	diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
		20	index e04ec86..a343fa0 100644
		21	--- a/fs/ext4/balloc.c
		22	+++ b/fs/ext4/balloc.c
		23	@@ -183,7 +183,6 @@ static int ext4_init_block_bitmap(struct super_block *sb,
		24	unsigned int bit, bit_max;
		25	struct ext4_sb_info *sbi = EXT4_SB(sb);
		26	ext4_fsblk_t start, tmp;
		27	- int flex_bg = 0;
		28	struct ext4_group_info *grp;
		29
		30	J_ASSERT_BH(bh, buffer_locked(bh));
		31	@@ -216,22 +215,19 @@ static int ext4_init_block_bitmap(struct super_block *sb,
		32
		33	start = ext4_group_first_block_no(sb, block_group);
		34
		35	- if (ext4_has_feature_flex_bg(sb))
		36	- flex_bg = 1;
		37	-
		38	/* Set bits for block and inode bitmaps, and inode table */
		39	tmp = ext4_block_bitmap(sb, gdp);
		40	- if (!flex_bg \|\| ext4_block_in_group(sb, tmp, block_group))
		41	+ if (ext4_block_in_group(sb, tmp, block_group))
		42	ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
		43
		44	tmp = ext4_inode_bitmap(sb, gdp);
		45	- if (!flex_bg \|\| ext4_block_in_group(sb, tmp, block_group))
		46	+ if (ext4_block_in_group(sb, tmp, block_group))
		47	ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
		48
		49	tmp = ext4_inode_table(sb, gdp);
		50	for (; tmp < ext4_inode_table(sb, gdp) +
		51	sbi->s_itb_per_group; tmp++) {
		52	- if (!flex_bg \|\| ext4_block_in_group(sb, tmp, block_group))
		53	+ if (ext4_block_in_group(sb, tmp, block_group))
		54	ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
		55	}
		56
		57	--
		58
		59