ext4: CVE-2018-10877

ext4: verify the depth of extent tree in ext4_find_extent() Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-10877 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=d69a9df614fc68741efcb0fcc020f05caa99d668 Change-Id: Ib5d6b1a6167e46d985e01733eae2699696703b67 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-05-22 10:13:27 +0200
committer: Adrian Mangeac <Adrian.Mangeac@enea.com> 2019-05-22 11:53:28 +0200
commit: 2c329b1318ffde5f610dadddfdf60d9785576308 (patch)
tree: 247addf84a8305a1c9307246d85cc4a67fa97da2
parent: d7718a606abe9feb449eb74c35790d10fe99d696 (diff)
download: enea-kernel-cache-2c329b1318ffde5f610dadddfdf60d9785576308.tar.gz
1 files changed, 59 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-10877-ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch b/patches/cve/CVE-2018-10877-ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch
new file mode 100644
index 0000000..d0ce723
--- /dev/null
+++ b/patches/cve/CVE-2018-10877-ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch
@@ -0,0 +1,59 @@
+From d69a9df614fc68741efcb0fcc020f05caa99d668 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 14 Jun 2018 12:55:10 -0400
+Subject: [PATCH] ext4: verify the depth of extent tree in ext4_find_extent()
+commit bc890a60247171294acc0bd67d211fa4b88d40ba upstream.
+If there is a corupted file system where the claimed depth of the
+extent tree is -1, this can cause a massive buffer overrun leading to
+sadness.
+This addresses CVE-2018-10877.
+https://bugzilla.kernel.org/show_bug.cgi?id=199417
+CVE: CVE-2018-10877
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=d69a9df614fc68741efcb0fcc020f05caa99d668]
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/ext4/ext4_extents.h | 1 +
+ fs/ext4/extents.c      | 6 ++++++
+ 2 files changed, 7 insertions(+)
+diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h
+index 8ecf84b8f5a1..a284fb28944b 100644
+--- a/fs/ext4/ext4_extents.h
+++ b/fs/ext4/ext4_extents.h
+@@ -103,6 +103,7 @@ struct ext4_extent_header {
+ };
+ 
+ #define EXT4_EXT_MAGIC         cpu_to_le16(0xf30a)
+#define EXT4_MAX_EXTENT_DEPTH 5
+ 
+ #define EXT4_EXTENT_TAIL_OFFSET(hdr) \
+        (sizeof(struct ext4_extent_header) + \
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 883e89a903d1..5592b7726241 100644
+--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
+@@ -881,6 +881,12 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
+ 
+        eh = ext_inode_hdr(inode);
+        depth = ext_depth(inode);
+       if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) {
+               EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d",
+                                depth);
+               ret = -EFSCORRUPTED;
+               goto err;
+       }
+ 
+        if (path) {
+                ext4_ext_drop_refs(path);
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-05-22 10:13:27 +0200
committer	Adrian Mangeac <Adrian.Mangeac@enea.com>	2019-05-22 11:53:28 +0200
commit	2c329b1318ffde5f610dadddfdf60d9785576308 (patch)
tree	247addf84a8305a1c9307246d85cc4a67fa97da2
parent	d7718a606abe9feb449eb74c35790d10fe99d696 (diff)
download	enea-kernel-cache-2c329b1318ffde5f610dadddfdf60d9785576308.tar.gz

diff --git a/patches/cve/CVE-2018-10877-ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch b/patches/cve/CVE-2018-10877-ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch new file mode 100644 index 0000000..d0ce723 --- /dev/null +++ b/patches/cve/CVE-2018-10877-ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch
@@ -0,0 +1,59 @@
	1	From d69a9df614fc68741efcb0fcc020f05caa99d668 Mon Sep 17 00:00:00 2001
	2	From: Theodore Ts'o <tytso@mit.edu>
	3	Date: Thu, 14 Jun 2018 12:55:10 -0400
	4	Subject: [PATCH] ext4: verify the depth of extent tree in ext4_find_extent()
	5
	6	commit bc890a60247171294acc0bd67d211fa4b88d40ba upstream.
	7
	8	If there is a corupted file system where the claimed depth of the
	9	extent tree is -1, this can cause a massive buffer overrun leading to
	10	sadness.
	11
	12	This addresses CVE-2018-10877.
	13
	14	https://bugzilla.kernel.org/show_bug.cgi?id=199417
	15
	16	CVE: CVE-2018-10877
	17	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=d69a9df614fc68741efcb0fcc020f05caa99d668]
	18
	19	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
	20	Cc: stable@kernel.org
	21	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	22	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	23	---
	24	fs/ext4/ext4_extents.h \| 1 +
	25	fs/ext4/extents.c \| 6 ++++++
	26	2 files changed, 7 insertions(+)
	27
	28	diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h
	29	index 8ecf84b8f5a1..a284fb28944b 100644
	30	--- a/fs/ext4/ext4_extents.h
	31	+++ b/fs/ext4/ext4_extents.h
	32	@@ -103,6 +103,7 @@ struct ext4_extent_header {
	33	};
	34
	35	#define EXT4_EXT_MAGIC cpu_to_le16(0xf30a)
	36	+#define EXT4_MAX_EXTENT_DEPTH 5
	37
	38	#define EXT4_EXTENT_TAIL_OFFSET(hdr) \
	39	(sizeof(struct ext4_extent_header) + \
	40	diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
	41	index 883e89a903d1..5592b7726241 100644
	42	--- a/fs/ext4/extents.c
	43	+++ b/fs/ext4/extents.c
	44	@@ -881,6 +881,12 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
	45
	46	eh = ext_inode_hdr(inode);
	47	depth = ext_depth(inode);
	48	+ if (depth < 0 \|\| depth > EXT4_MAX_EXTENT_DEPTH) {
	49	+ EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d",
	50	+ depth);
	51	+ ret = -EFSCORRUPTED;
	52	+ goto err;
	53	+ }
	54
	55	if (path) {
	56	ext4_ext_drop_refs(path);
	57	--
	58	2.20.1
	59