ext4: CVE-2018-1093

ext4: add validity checks for bitmap block numbers References: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit/?id=7dac4a1726a9c64a517d595c40e95e2d0d135f6f Change-Id: I0a523dd7ba303042c8c8ccb336c6816c8a2ef2bd Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-12 10:12:27 +0200
committer: Adrian Dudau <Adrian.Dudau@enea.com> 2018-10-16 17:37:11 +0200
commit: c9e50e25d48690db96a3ea529feb03ed2f786450 (patch)
tree: 8f33f72a14ee2659b122e6cdf091139c215dd605
parent: 5023a54ce43defbd88563e270f490a6c61ccf852 (diff)
download: enea-kernel-cache-c9e50e25d48690db96a3ea529feb03ed2f786450.tar.gz
2 files changed, 109 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 4e5c57f..c97927f 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -15,3 +15,6 @@ patch CVE-2018-1130-dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch
 #CVEs fixed in 4.9.96:
 patch CVE-2018-1092-ext4-fail-ext4_iget-for-root-directory-if-unallocate.patch
 patch CVE-2018-1108-random-fix-crng_ready-test.patch
+#CVEs fixed in 4.9.98:
+patch CVE-2018-1093-ext4-add-validity-checks-for-bitmap-block-numbers.patch
diff --git a/patches/cve/CVE-2018-1093-ext4-add-validity-checks-for-bitmap-block-numbers.patch b/patches/cve/CVE-2018-1093-ext4-add-validity-checks-for-bitmap-block-numbers.patch
new file mode 100644
index 0000000..d8fcb37
--- /dev/null
+++ b/patches/cve/CVE-2018-1093-ext4-add-validity-checks-for-bitmap-block-numbers.patch
@@ -0,0 +1,106 @@
+From 7dac4a1726a9c64a517d595c40e95e2d0d135f6f Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 26 Mar 2018 23:54:10 -0400
+Subject: [PATCH] ext4: add validity checks for bitmap block numbers
+An privileged attacker can cause a crash by mounting a crafted ext4
+image which triggers a out-of-bounds read in the function
+ext4_valid_block_bitmap() in fs/ext4/balloc.c.
+This issue has been assigned CVE-2018-1093.
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+CVE: CVE-2018-1093   
+Upstream-Status: Backport  
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/ext4/balloc.c | 16 ++++++++++++++--
+ fs/ext4/ialloc.c |  7 +++++++
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
+index f82c496..a33d8fb 100644
+--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
+@@ -338,20 +338,25 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb,
+        /* check whether block bitmap block number is set */
+        blk = ext4_block_bitmap(sb, desc);
+        offset = blk - group_first_block;
+-       if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
+       if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
+           !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
+                /* bad block bitmap */
+                return blk;
+ 
+        /* check whether the inode bitmap block number is set */
+        blk = ext4_inode_bitmap(sb, desc);
+        offset = blk - group_first_block;
+-       if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
+       if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
+           !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
+                /* bad block bitmap */
+                return blk;
+ 
+        /* check whether the inode table block number is set */
+        blk = ext4_inode_table(sb, desc);
+        offset = blk - group_first_block;
+       if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
+           EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize)
+               return blk;
+        next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
+                        EXT4_B2C(sbi, offset + sbi->s_itb_per_group),
+                        EXT4_B2C(sbi, offset));
+@@ -417,6 +422,7 @@ struct buffer_head *
+ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
+ {
+        struct ext4_group_desc *desc;
+       struct ext4_sb_info *sbi = EXT4_SB(sb);
+        struct buffer_head *bh;
+        ext4_fsblk_t bitmap_blk;
+        int err;
+@@ -425,6 +431,12 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
+        if (!desc)
+                return ERR_PTR(-EFSCORRUPTED);
+        bitmap_blk = ext4_block_bitmap(sb, desc);
+       if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
+           (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
+               ext4_error(sb, "Invalid block bitmap block %llu in "
+                          "block_group %u", bitmap_blk, block_group);
+               return ERR_PTR(-EFSCORRUPTED);
+       }
+        bh = sb_getblk(sb, bitmap_blk);
+        if (unlikely(!bh)) {
+                ext4_error(sb, "Cannot get buffer for block bitmap - "
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index 3fa9366..df92e3e 100644
+--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
+@@ -122,6 +122,7 @@ static struct buffer_head *
+ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
+ {
+        struct ext4_group_desc *desc;
+       struct ext4_sb_info *sbi = EXT4_SB(sb);
+        struct buffer_head *bh = NULL;
+        ext4_fsblk_t bitmap_blk;
+        int err;
+@@ -131,6 +132,12 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
+                return ERR_PTR(-EFSCORRUPTED);
+ 
+        bitmap_blk = ext4_inode_bitmap(sb, desc);
+       if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
+           (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
+               ext4_error(sb, "Invalid inode bitmap blk %llu in "
+                          "block_group %u", bitmap_blk, block_group);
+               return ERR_PTR(-EFSCORRUPTED);
+       }
+        bh = sb_getblk(sb, bitmap_blk);
+        if (unlikely(!bh)) {
+                ext4_error(sb, "Cannot read inode bitmap - "
+-- 
+2.7.4
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-12 10:12:27 +0200
committer	Adrian Dudau <Adrian.Dudau@enea.com>	2018-10-16 17:37:11 +0200
commit	c9e50e25d48690db96a3ea529feb03ed2f786450 (patch)
tree	8f33f72a14ee2659b122e6cdf091139c215dd605
parent	5023a54ce43defbd88563e270f490a6c61ccf852 (diff)
download	enea-kernel-cache-c9e50e25d48690db96a3ea529feb03ed2f786450.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 4e5c57f..c97927f 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -15,3 +15,6 @@ patch CVE-2018-1130-dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch
15	#CVEs fixed in 4.9.96:	15	#CVEs fixed in 4.9.96:
16	patch CVE-2018-1092-ext4-fail-ext4_iget-for-root-directory-if-unallocate.patch	16	patch CVE-2018-1092-ext4-fail-ext4_iget-for-root-directory-if-unallocate.patch
17	patch CVE-2018-1108-random-fix-crng_ready-test.patch	17	patch CVE-2018-1108-random-fix-crng_ready-test.patch
		18
		19	#CVEs fixed in 4.9.98:
		20	patch CVE-2018-1093-ext4-add-validity-checks-for-bitmap-block-numbers.patch


diff --git a/patches/cve/CVE-2018-1093-ext4-add-validity-checks-for-bitmap-block-numbers.patch b/patches/cve/CVE-2018-1093-ext4-add-validity-checks-for-bitmap-block-numbers.patch new file mode 100644 index 0000000..d8fcb37 --- /dev/null +++ b/patches/cve/CVE-2018-1093-ext4-add-validity-checks-for-bitmap-block-numbers.patch
@@ -0,0 +1,106 @@
		1	From 7dac4a1726a9c64a517d595c40e95e2d0d135f6f Mon Sep 17 00:00:00 2001
		2	From: Theodore Ts'o <tytso@mit.edu>
		3	Date: Mon, 26 Mar 2018 23:54:10 -0400
		4	Subject: [PATCH] ext4: add validity checks for bitmap block numbers
		5
		6	An privileged attacker can cause a crash by mounting a crafted ext4
		7	image which triggers a out-of-bounds read in the function
		8	ext4_valid_block_bitmap() in fs/ext4/balloc.c.
		9
		10	This issue has been assigned CVE-2018-1093.
		11
		12	BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181
		13	BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782
		14	Reported-by: Wen Xu <wen.xu@gatech.edu>
		15	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
		16	Cc: stable@vger.kernel.org
		17
		18	CVE: CVE-2018-1093
		19	Upstream-Status: Backport
		20	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		21	---
		22	fs/ext4/balloc.c \| 16 ++++++++++++++--
		23	fs/ext4/ialloc.c \| 7 +++++++
		24	2 files changed, 21 insertions(+), 2 deletions(-)
		25
		26	diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
		27	index f82c496..a33d8fb 100644
		28	--- a/fs/ext4/balloc.c
		29	+++ b/fs/ext4/balloc.c
		30	@@ -338,20 +338,25 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb,
		31	/* check whether block bitmap block number is set */
		32	blk = ext4_block_bitmap(sb, desc);
		33	offset = blk - group_first_block;
		34	- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
		35	+ if (offset < 0 \|\| EXT4_B2C(sbi, offset) >= sb->s_blocksize \|\|
		36	+ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
		37	/* bad block bitmap */
		38	return blk;
		39
		40	/* check whether the inode bitmap block number is set */
		41	blk = ext4_inode_bitmap(sb, desc);
		42	offset = blk - group_first_block;
		43	- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
		44	+ if (offset < 0 \|\| EXT4_B2C(sbi, offset) >= sb->s_blocksize \|\|
		45	+ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
		46	/* bad block bitmap */
		47	return blk;
		48
		49	/* check whether the inode table block number is set */
		50	blk = ext4_inode_table(sb, desc);
		51	offset = blk - group_first_block;
		52	+ if (offset < 0 \|\| EXT4_B2C(sbi, offset) >= sb->s_blocksize \|\|
		53	+ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize)
		54	+ return blk;
		55	next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
		56	EXT4_B2C(sbi, offset + sbi->s_itb_per_group),
		57	EXT4_B2C(sbi, offset));
		58	@@ -417,6 +422,7 @@ struct buffer_head *
		59	ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
		60	{
		61	struct ext4_group_desc *desc;
		62	+ struct ext4_sb_info *sbi = EXT4_SB(sb);
		63	struct buffer_head *bh;
		64	ext4_fsblk_t bitmap_blk;
		65	int err;
		66	@@ -425,6 +431,12 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
		67	if (!desc)
		68	return ERR_PTR(-EFSCORRUPTED);
		69	bitmap_blk = ext4_block_bitmap(sb, desc);
		70	+ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) \|\|
		71	+ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
		72	+ ext4_error(sb, "Invalid block bitmap block %llu in "
		73	+ "block_group %u", bitmap_blk, block_group);
		74	+ return ERR_PTR(-EFSCORRUPTED);
		75	+ }
		76	bh = sb_getblk(sb, bitmap_blk);
		77	if (unlikely(!bh)) {
		78	ext4_error(sb, "Cannot get buffer for block bitmap - "
		79	diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
		80	index 3fa9366..df92e3e 100644
		81	--- a/fs/ext4/ialloc.c
		82	+++ b/fs/ext4/ialloc.c
		83	@@ -122,6 +122,7 @@ static struct buffer_head *
		84	ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
		85	{
		86	struct ext4_group_desc *desc;
		87	+ struct ext4_sb_info *sbi = EXT4_SB(sb);
		88	struct buffer_head *bh = NULL;
		89	ext4_fsblk_t bitmap_blk;
		90	int err;
		91	@@ -131,6 +132,12 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
		92	return ERR_PTR(-EFSCORRUPTED);
		93
		94	bitmap_blk = ext4_inode_bitmap(sb, desc);
		95	+ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) \|\|
		96	+ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
		97	+ ext4_error(sb, "Invalid inode bitmap blk %llu in "
		98	+ "block_group %u", bitmap_blk, block_group);
		99	+ return ERR_PTR(-EFSCORRUPTED);
		100	+ }
		101	bh = sb_getblk(sb, bitmap_blk);
		102	if (unlikely(!bh)) {
		103	ext4_error(sb, "Cannot read inode bitmap - "
		104	--
		105	2.7.4
		106