diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-12 14:18:03 +0200 |
|---|---|---|
| committer | Adrian Dudau <Adrian.Dudau@enea.com> | 2018-10-16 17:38:56 +0200 |
| commit | ec3c1f25090f5d8bf6084bb04bf56a5ce244b527 (patch) | |
| tree | ef5b45270785b189cc306b71787ef198c745a4e7 | |
| parent | 71432d8efa1925bc5d239848cd8810eb8dc1f80a (diff) | |
| download | enea-kernel-cache-ec3c1f25090f5d8bf6084bb04bf56a5ce244b527.tar.gz | |
ext4: CVE-2018-10877
ext4: verify the depth of extent tree in ext4_find_extent()
References:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bc890a60247171294acc0bd67d211fa4b88d40ba
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
Change-Id: I688e9ce0a02f48c45f3cfa3259fa62a4b93532e6
| -rw-r--r-- | patches/cve/4.9.x.scc | 1 | ||||
| -rw-r--r-- | patches/cve/CVE-2018-10877-ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch | 54 |
2 files changed, 55 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 959c87b..c774696 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc | |||
| @@ -28,3 +28,4 @@ patch CVE-2018-9518-NFC-llcp-Limit-size-of-SDP-URI.patch | |||
| 28 | 28 | ||
| 29 | #CVEs fixed in 4.9.112: | 29 | #CVEs fixed in 4.9.112: |
| 30 | patch CVE-2018-10876-ext4-only-look-at-the-bg_flags-field-if-it-is-valid.patch | 30 | patch CVE-2018-10876-ext4-only-look-at-the-bg_flags-field-if-it-is-valid.patch |
| 31 | patch CVE-2018-10877-ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch | ||
diff --git a/patches/cve/CVE-2018-10877-ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch b/patches/cve/CVE-2018-10877-ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch new file mode 100644 index 0000000..cade63f --- /dev/null +++ b/patches/cve/CVE-2018-10877-ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch | |||
| @@ -0,0 +1,54 @@ | |||
| 1 | From bc890a60247171294acc0bd67d211fa4b88d40ba Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Theodore Ts'o <tytso@mit.edu> | ||
| 3 | Date: Thu, 14 Jun 2018 12:55:10 -0400 | ||
| 4 | Subject: [PATCH] ext4: verify the depth of extent tree in ext4_find_extent() | ||
| 5 | |||
| 6 | If there is a corupted file system where the claimed depth of the | ||
| 7 | extent tree is -1, this can cause a massive buffer overrun leading to | ||
| 8 | sadness. | ||
| 9 | |||
| 10 | This addresses CVE-2018-10877. | ||
| 11 | Upstream-Status: Backport | ||
| 12 | |||
| 13 | https://bugzilla.kernel.org/show_bug.cgi?id=199417 | ||
| 14 | |||
| 15 | Signed-off-by: Theodore Ts'o <tytso@mit.edu> | ||
| 16 | Cc: stable@kernel.org | ||
| 17 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 18 | --- | ||
| 19 | fs/ext4/ext4_extents.h | 1 + | ||
| 20 | fs/ext4/extents.c | 6 ++++++ | ||
| 21 | 2 files changed, 7 insertions(+) | ||
| 22 | |||
| 23 | diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h | ||
| 24 | index 98fb0c1..adf6668 100644 | ||
| 25 | --- a/fs/ext4/ext4_extents.h | ||
| 26 | +++ b/fs/ext4/ext4_extents.h | ||
| 27 | @@ -91,6 +91,7 @@ struct ext4_extent_header { | ||
| 28 | }; | ||
| 29 | |||
| 30 | #define EXT4_EXT_MAGIC cpu_to_le16(0xf30a) | ||
| 31 | +#define EXT4_MAX_EXTENT_DEPTH 5 | ||
| 32 | |||
| 33 | #define EXT4_EXTENT_TAIL_OFFSET(hdr) \ | ||
| 34 | (sizeof(struct ext4_extent_header) + \ | ||
| 35 | diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c | ||
| 36 | index c969275..08226f7 100644 | ||
| 37 | --- a/fs/ext4/extents.c | ||
| 38 | +++ b/fs/ext4/extents.c | ||
| 39 | @@ -869,6 +869,12 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, | ||
| 40 | |||
| 41 | eh = ext_inode_hdr(inode); | ||
| 42 | depth = ext_depth(inode); | ||
| 43 | + if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) { | ||
| 44 | + EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d", | ||
| 45 | + depth); | ||
| 46 | + ret = -EFSCORRUPTED; | ||
| 47 | + goto err; | ||
| 48 | + } | ||
| 49 | |||
| 50 | if (path) { | ||
| 51 | ext4_ext_drop_refs(path); | ||
| 52 | -- | ||
| 53 | |||
| 54 | |||