| Message ID | 20180514054146.9438-2-khalid.elmously@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | CVE-2018-1092 | expand |
On Mon, May 14, 2018 at 01:41:46AM -0400, Khalid Elmously wrote: > From: Theodore Ts'o <tytso@mit.edu> > > CVE-2018-1092 > > If the root directory has an i_links_count of zero, then when the file > system is mounted, then when ext4_fill_super() notices the problem and > tries to call iput() the root directory in the error return path, > ext4_evict_inode() will try to free the inode on disk, before all of > the file system structures are set up, and this will result in an OOPS > caused by a NULL pointer dereference. > > This issue has been assigned CVE-2018-1092. > > https://bugzilla.kernel.org/show_bug.cgi?id=199179 > https://bugzilla.redhat.com/show_bug.cgi?id=1560777 > > Reported-by: Wen Xu <wen.xu@gatech.edu> > Signed-off-by: Theodore Ts'o <tytso@mit.edu> > Cc: stable@vger.kernel.org > (cherry-picked from 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44) > Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com> > --- > fs/ext4/inode.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c > index 3d4d1dccc8a1..398faeff1938 100644 > --- a/fs/ext4/inode.c > +++ b/fs/ext4/inode.c > @@ -4745,6 +4745,12 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino) > goto bad_inode; > raw_inode = ext4_raw_inode(&iloc); > > + if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) { > + EXT4_ERROR_INODE(inode, "root inode unallocated"); > + ret = -EFSCORRUPTED; > + goto bad_inode; > + } > + > if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { > ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize); > if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize > > -- > 2.17.0 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team Looks like a sensible early error bail. Acked-by: Andy Whitcroft <apw@canonical.com> -apw
On 05/14/18 07:41, Khalid Elmously wrote: > From: Theodore Ts'o <tytso@mit.edu> > > CVE-2018-1092 > > If the root directory has an i_links_count of zero, then when the file > system is mounted, then when ext4_fill_super() notices the problem and > tries to call iput() the root directory in the error return path, > ext4_evict_inode() will try to free the inode on disk, before all of > the file system structures are set up, and this will result in an OOPS > caused by a NULL pointer dereference. > > This issue has been assigned CVE-2018-1092. > > https://bugzilla.kernel.org/show_bug.cgi?id=199179 > https://bugzilla.redhat.com/show_bug.cgi?id=1560777 > > Reported-by: Wen Xu <wen.xu@gatech.edu> > Signed-off-by: Theodore Ts'o <tytso@mit.edu> > Cc: stable@vger.kernel.org > (cherry-picked from 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44) > Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Not needed for Xenial, since the fix has already been applied as part of update to 4.4.129 stable release. Thanks, Kleber > --- > fs/ext4/inode.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c > index 3d4d1dccc8a1..398faeff1938 100644 > --- a/fs/ext4/inode.c > +++ b/fs/ext4/inode.c > @@ -4745,6 +4745,12 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino) > goto bad_inode; > raw_inode = ext4_raw_inode(&iloc); > > + if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) { > + EXT4_ERROR_INODE(inode, "root inode unallocated"); > + ret = -EFSCORRUPTED; > + goto bad_inode; > + } > + > if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { > ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize); > if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize > >
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 3d4d1dccc8a1..398faeff1938 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -4745,6 +4745,12 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino) goto bad_inode; raw_inode = ext4_raw_inode(&iloc); + if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) { + EXT4_ERROR_INODE(inode, "root inode unallocated"); + ret = -EFSCORRUPTED; + goto bad_inode; + } + if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize); if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >