ext4: CVE-2018-10882

ext4: add more inode number paranoia checks Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-10882 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=c24aab6d86640ccf321b87be6096319f55b16274 Change-Id: Id9549c0bd816773613635d5762e9336a7485ab9e Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-05-22 10:56:13 +0200
committer: Adrian Mangeac <Adrian.Mangeac@enea.com> 2019-05-22 12:28:38 +0200
commit: c850dbdaf366fcd0917b7772e8dac35b7f1f31e3 (patch)
tree: a963be7815dfed73a06d820d5c928031b7164fef
parent: b01da2a61cddb8c63483c478bea25083f34fbbcb (diff)
download: enea-kernel-cache-c850dbdaf366fcd0917b7772e8dac35b7f1f31e3.tar.gz
1 files changed, 79 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-10882-ext4-add-more-inode-number-paranoia-checks.patch b/patches/cve/CVE-2018-10882-ext4-add-more-inode-number-paranoia-checks.patch
new file mode 100644
index 0000000..c69fd36
--- /dev/null
+++ b/patches/cve/CVE-2018-10882-ext4-add-more-inode-number-paranoia-checks.patch
@@ -0,0 +1,79 @@
+From c24aab6d86640ccf321b87be6096319f55b16274 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 17 Jun 2018 00:41:14 -0400
+Subject: [PATCH] ext4: add more inode number paranoia checks
+commit c37e9e013469521d9adb932d17a1795c139b36db upstream.
+If there is a directory entry pointing to a system inode (such as a
+journal inode), complain and declare the file system to be corrupted.
+Also, if the superblock's first inode number field is too small,
+refuse to mount the file system.
+This addresses CVE-2018-10882.
+https://bugzilla.kernel.org/show_bug.cgi?id=200069
+CVE: CVE-2018-10882
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=c24aab6d86640ccf321b87be6096319f55b16274]
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/ext4/ext4.h  | 5 -----
+ fs/ext4/inode.c | 3 ++-
+ fs/ext4/super.c | 5 +++++
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
+index db389611f8bc..0abb30d19fa1 100644
+--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
+@@ -1542,11 +1542,6 @@ static inline struct ext4_inode_info *EXT4_I(struct inode *inode)
+ static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino)
+ {
+        return ino == EXT4_ROOT_INO ||
+-               ino == EXT4_USR_QUOTA_INO ||
+-               ino == EXT4_GRP_QUOTA_INO ||
+-               ino == EXT4_BOOT_LOADER_INO ||
+-               ino == EXT4_JOURNAL_INO ||
+-               ino == EXT4_RESIZE_INO ||
+                (ino >= EXT4_FIRST_INO(sb) &&
+                 ino <= le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count));
+ }
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 5b28153eb0fd..c2efe4d2ad87 100644
+--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
+@@ -4455,7 +4455,8 @@ static int __ext4_get_inode_loc(struct inode *inode,
+        int                     inodes_per_block, inode_offset;
+ 
+        iloc->bh = NULL;
+-       if (!ext4_valid_inum(sb, inode->i_ino))
+       if (inode->i_ino < EXT4_ROOT_INO ||
+           inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count))
+                return -EFSCORRUPTED;
+ 
+        iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb);
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index fefcfa9fe408..6933efbb582f 100644
+--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
+@@ -3811,6 +3811,11 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
+        } else {
+                sbi->s_inode_size = le16_to_cpu(es->s_inode_size);
+                sbi->s_first_ino = le32_to_cpu(es->s_first_ino);
+               if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) {
+                       ext4_msg(sb, KERN_ERR, "invalid first ino: %u",
+                                sbi->s_first_ino);
+                       goto failed_mount;
+               }
+                if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) ||
+                    (!is_power_of_2(sbi->s_inode_size)) ||
+                    (sbi->s_inode_size > blocksize)) {
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-05-22 10:56:13 +0200
committer	Adrian Mangeac <Adrian.Mangeac@enea.com>	2019-05-22 12:28:38 +0200
commit	c850dbdaf366fcd0917b7772e8dac35b7f1f31e3 (patch)
tree	a963be7815dfed73a06d820d5c928031b7164fef
parent	b01da2a61cddb8c63483c478bea25083f34fbbcb (diff)
download	enea-kernel-cache-c850dbdaf366fcd0917b7772e8dac35b7f1f31e3.tar.gz

diff --git a/patches/cve/CVE-2018-10882-ext4-add-more-inode-number-paranoia-checks.patch b/patches/cve/CVE-2018-10882-ext4-add-more-inode-number-paranoia-checks.patch new file mode 100644 index 0000000..c69fd36 --- /dev/null +++ b/patches/cve/CVE-2018-10882-ext4-add-more-inode-number-paranoia-checks.patch
@@ -0,0 +1,79 @@
	1	From c24aab6d86640ccf321b87be6096319f55b16274 Mon Sep 17 00:00:00 2001
	2	From: Theodore Ts'o <tytso@mit.edu>
	3	Date: Sun, 17 Jun 2018 00:41:14 -0400
	4	Subject: [PATCH] ext4: add more inode number paranoia checks
	5
	6	commit c37e9e013469521d9adb932d17a1795c139b36db upstream.
	7
	8	If there is a directory entry pointing to a system inode (such as a
	9	journal inode), complain and declare the file system to be corrupted.
	10
	11	Also, if the superblock's first inode number field is too small,
	12	refuse to mount the file system.
	13
	14	This addresses CVE-2018-10882.
	15
	16	https://bugzilla.kernel.org/show_bug.cgi?id=200069
	17
	18	CVE: CVE-2018-10882
	19	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=c24aab6d86640ccf321b87be6096319f55b16274]
	20
	21	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
	22	Cc: stable@kernel.org
	23	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	24	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	25	---
	26	fs/ext4/ext4.h \| 5 -----
	27	fs/ext4/inode.c \| 3 ++-
	28	fs/ext4/super.c \| 5 +++++
	29	3 files changed, 7 insertions(+), 6 deletions(-)
	30
	31	diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
	32	index db389611f8bc..0abb30d19fa1 100644
	33	--- a/fs/ext4/ext4.h
	34	+++ b/fs/ext4/ext4.h
	35	@@ -1542,11 +1542,6 @@ static inline struct ext4_inode_info EXT4_I(struct inode inode)
	36	static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino)
	37	{
	38	return ino == EXT4_ROOT_INO \|\|
	39	- ino == EXT4_USR_QUOTA_INO \|\|
	40	- ino == EXT4_GRP_QUOTA_INO \|\|
	41	- ino == EXT4_BOOT_LOADER_INO \|\|
	42	- ino == EXT4_JOURNAL_INO \|\|
	43	- ino == EXT4_RESIZE_INO \|\|
	44	(ino >= EXT4_FIRST_INO(sb) &&
	45	ino <= le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count));
	46	}
	47	diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
	48	index 5b28153eb0fd..c2efe4d2ad87 100644
	49	--- a/fs/ext4/inode.c
	50	+++ b/fs/ext4/inode.c
	51	@@ -4455,7 +4455,8 @@ static int __ext4_get_inode_loc(struct inode *inode,
	52	int inodes_per_block, inode_offset;
	53
	54	iloc->bh = NULL;
	55	- if (!ext4_valid_inum(sb, inode->i_ino))
	56	+ if (inode->i_ino < EXT4_ROOT_INO \|\|
	57	+ inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count))
	58	return -EFSCORRUPTED;
	59
	60	iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb);
	61	diff --git a/fs/ext4/super.c b/fs/ext4/super.c
	62	index fefcfa9fe408..6933efbb582f 100644
	63	--- a/fs/ext4/super.c
	64	+++ b/fs/ext4/super.c
	65	@@ -3811,6 +3811,11 @@ static int ext4_fill_super(struct super_block sb, void data, int silent)
	66	} else {
	67	sbi->s_inode_size = le16_to_cpu(es->s_inode_size);
	68	sbi->s_first_ino = le32_to_cpu(es->s_first_ino);
	69	+ if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) {
	70	+ ext4_msg(sb, KERN_ERR, "invalid first ino: %u",
	71	+ sbi->s_first_ino);
	72	+ goto failed_mount;
	73	+ }
	74	if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) \|\|
	75	(!is_power_of_2(sbi->s_inode_size)) \|\|
	76	(sbi->s_inode_size > blocksize)) {
	77	--
	78	2.20.1
	79