From a15e4daaf230378a13a150f53566a7d08bd5f778 Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Wed, 22 May 2019 10:26:04 +0200 Subject: ext4: CVE-2018-10879 ext4: make sure bitmaps and the inode table don't overlap with bg descriptors Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-10879 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=ac93c718365ac6ea9d7631641c8dec867d623491 Change-Id: I6435a39f93026ee8089ce206b4abff9c9344017f Signed-off-by: Andreas Wellving --- ...ure-bitmaps-and-the-inode-table-don-t-ove.patch | 86 ++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 patches/cve/CVE-2018-10879-ext4-make-sure-bitmaps-and-the-inode-table-don-t-ove.patch diff --git a/patches/cve/CVE-2018-10879-ext4-make-sure-bitmaps-and-the-inode-table-don-t-ove.patch b/patches/cve/CVE-2018-10879-ext4-make-sure-bitmaps-and-the-inode-table-don-t-ove.patch new file mode 100644 index 0000000..8972242 --- /dev/null +++ b/patches/cve/CVE-2018-10879-ext4-make-sure-bitmaps-and-the-inode-table-don-t-ove.patch @@ -0,0 +1,86 @@ +From ac93c718365ac6ea9d7631641c8dec867d623491 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 13 Jun 2018 23:08:26 -0400 +Subject: [PATCH] ext4: make sure bitmaps and the inode table don't overlap + with bg descriptors + +commit 77260807d1170a8cf35dbb06e07461a655f67eee upstream. + +It's really bad when the allocation bitmaps and the inode table +overlap with the block group descriptors, since it causes random +corruption of the bg descriptors. So we really want to head those off +at the pass. + +https://bugzilla.kernel.org/show_bug.cgi?id=199865 + +CVE: CVE-2018-10879 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=ac93c718365ac6ea9d7631641c8dec867d623491] + +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Andreas Wellving +--- + fs/ext4/super.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index ec74d06fa24a..3559489a3a99 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2301,6 +2301,7 @@ static int ext4_check_descriptors(struct super_block *sb, + struct ext4_sb_info *sbi = EXT4_SB(sb); + ext4_fsblk_t first_block = le32_to_cpu(sbi->s_es->s_first_data_block); + ext4_fsblk_t last_block; ++ ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0) + 1; + ext4_fsblk_t block_bitmap; + ext4_fsblk_t inode_bitmap; + ext4_fsblk_t inode_table; +@@ -2333,6 +2334,14 @@ static int ext4_check_descriptors(struct super_block *sb, + if (!sb_rdonly(sb)) + return 0; + } ++ if (block_bitmap >= sb_block + 1 && ++ block_bitmap <= last_bg_block) { ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " ++ "Block bitmap for group %u overlaps " ++ "block group descriptors", i); ++ if (!sb_rdonly(sb)) ++ return 0; ++ } + if (block_bitmap < first_block || block_bitmap > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Block bitmap for group %u not in group " +@@ -2347,6 +2356,14 @@ static int ext4_check_descriptors(struct super_block *sb, + if (!sb_rdonly(sb)) + return 0; + } ++ if (inode_bitmap >= sb_block + 1 && ++ inode_bitmap <= last_bg_block) { ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " ++ "Inode bitmap for group %u overlaps " ++ "block group descriptors", i); ++ if (!sb_rdonly(sb)) ++ return 0; ++ } + if (inode_bitmap < first_block || inode_bitmap > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Inode bitmap for group %u not in group " +@@ -2361,6 +2378,14 @@ static int ext4_check_descriptors(struct super_block *sb, + if (!sb_rdonly(sb)) + return 0; + } ++ if (inode_table >= sb_block + 1 && ++ inode_table <= last_bg_block) { ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " ++ "Inode table for group %u overlaps " ++ "block group descriptors", i); ++ if (!sb_rdonly(sb)) ++ return 0; ++ } + if (inode_table < first_block || + inode_table + sbi->s_itb_per_group - 1 > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " +-- +2.20.1 + -- cgit v1.2.3-54-g00ecf