Message ID | 1334910681-6734-2-git-send-email-apw@canonical.com |
---|---|
State | New |
Headers | show |
On 20.04.2012 10:31, Andy Whitcroft wrote: > From: Xi Wang <xi.wang@gmail.com> > > Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by > zero when trying to mount a corrupted file system") fixes CVE-2009-4307 > by performing a sanity check on s_log_groups_per_flex, since it can be > set to a bogus value by an attacker. > > sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex; > groups_per_flex = 1 << sbi->s_log_groups_per_flex; > > if (groups_per_flex < 2) { ... } > > This patch fixes two potential issues in the previous commit. > > 1) The sanity check might only work on architectures like PowerPC. > On x86, 5 bits are used for the shifting amount. That means, given a > large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36 > is essentially 1 << 4 = 16, rather than 0. This will bypass the check, > leaving s_log_groups_per_flex and groups_per_flex inconsistent. > > 2) The sanity check relies on undefined behavior, i.e., oversized shift. > A standard-confirming C compiler could rewrite the check in unexpected > ways. Consider the following equivalent form, assuming groups_per_flex > is unsigned for simplicity. > > groups_per_flex = 1 << sbi->s_log_groups_per_flex; > if (groups_per_flex == 0 || groups_per_flex == 1) { > > We compile the code snippet using Clang 3.0 and GCC 4.6. Clang will > completely optimize away the check groups_per_flex == 0, leaving the > patched code as vulnerable as the original. GCC keeps the check, but > there is no guarantee that future versions will do the same. > > Signed-off-by: Xi Wang <xi.wang@gmail.com> > Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> > Cc: stable@vger.kernel.org > > (cherry picked from commit d50f2ab6f050311dbf7b8f5501b25f0bf64a439b) > CVE-2012-2100 > BugLink: http://bugs.launchpad.net/bugs/984757 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > fs/ext4/super.c | 7 +++---- > 1 file changed, 3 insertions(+), 4 deletions(-) > > diff --git a/fs/ext4/super.c b/fs/ext4/super.c > index 64bf573..3878978 100644 > --- a/fs/ext4/super.c > +++ b/fs/ext4/super.c > @@ -1927,17 +1927,16 @@ static int ext4_fill_flex_info(struct super_block *sb) > struct ext4_group_desc *gdp = NULL; > ext4_group_t flex_group_count; > ext4_group_t flex_group; > - int groups_per_flex = 0; > + unsigned int groups_per_flex = 0; > size_t size; > int i; > > sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex; > - groups_per_flex = 1 << sbi->s_log_groups_per_flex; > - > - if (groups_per_flex < 2) { > + if (sbi->s_log_groups_per_flex < 1 || sbi->s_log_groups_per_flex > 31) { > sbi->s_log_groups_per_flex = 0; > return 1; > } > + groups_per_flex = 1 << sbi->s_log_groups_per_flex; > > /* We allocate both existing and potentially added groups */ > flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) + Looks to be ok...
On Fri, Apr 20, 2012 at 09:31:21AM +0100, Andy Whitcroft wrote: > From: Xi Wang <xi.wang@gmail.com> > > Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by > zero when trying to mount a corrupted file system") fixes CVE-2009-4307 > by performing a sanity check on s_log_groups_per_flex, since it can be > set to a bogus value by an attacker. > > sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex; > groups_per_flex = 1 << sbi->s_log_groups_per_flex; > > if (groups_per_flex < 2) { ... } > > This patch fixes two potential issues in the previous commit. > > 1) The sanity check might only work on architectures like PowerPC. > On x86, 5 bits are used for the shifting amount. That means, given a > large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36 > is essentially 1 << 4 = 16, rather than 0. This will bypass the check, > leaving s_log_groups_per_flex and groups_per_flex inconsistent. > > 2) The sanity check relies on undefined behavior, i.e., oversized shift. > A standard-confirming C compiler could rewrite the check in unexpected > ways. Consider the following equivalent form, assuming groups_per_flex > is unsigned for simplicity. > > groups_per_flex = 1 << sbi->s_log_groups_per_flex; > if (groups_per_flex == 0 || groups_per_flex == 1) { > > We compile the code snippet using Clang 3.0 and GCC 4.6. Clang will > completely optimize away the check groups_per_flex == 0, leaving the > patched code as vulnerable as the original. GCC keeps the check, but > there is no guarantee that future versions will do the same. > > Signed-off-by: Xi Wang <xi.wang@gmail.com> > Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> > Cc: stable@vger.kernel.org > > (cherry picked from commit d50f2ab6f050311dbf7b8f5501b25f0bf64a439b) > CVE-2012-2100 > BugLink: http://bugs.launchpad.net/bugs/984757 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > fs/ext4/super.c | 7 +++---- > 1 file changed, 3 insertions(+), 4 deletions(-) > > diff --git a/fs/ext4/super.c b/fs/ext4/super.c > index 64bf573..3878978 100644 > --- a/fs/ext4/super.c > +++ b/fs/ext4/super.c > @@ -1927,17 +1927,16 @@ static int ext4_fill_flex_info(struct super_block *sb) > struct ext4_group_desc *gdp = NULL; > ext4_group_t flex_group_count; > ext4_group_t flex_group; > - int groups_per_flex = 0; > + unsigned int groups_per_flex = 0; > size_t size; > int i; > > sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex; > - groups_per_flex = 1 << sbi->s_log_groups_per_flex; > - > - if (groups_per_flex < 2) { > + if (sbi->s_log_groups_per_flex < 1 || sbi->s_log_groups_per_flex > 31) { > sbi->s_log_groups_per_flex = 0; > return 1; > } > + groups_per_flex = 1 << sbi->s_log_groups_per_flex; > > /* We allocate both existing and potentially added groups */ > flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) + > -- > 1.7.9.5 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team >
Applied to Natty master-next and ti-omap4
diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 64bf573..3878978 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -1927,17 +1927,16 @@ static int ext4_fill_flex_info(struct super_block *sb) struct ext4_group_desc *gdp = NULL; ext4_group_t flex_group_count; ext4_group_t flex_group; - int groups_per_flex = 0; + unsigned int groups_per_flex = 0; size_t size; int i; sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex; - groups_per_flex = 1 << sbi->s_log_groups_per_flex; - - if (groups_per_flex < 2) { + if (sbi->s_log_groups_per_flex < 1 || sbi->s_log_groups_per_flex > 31) { sbi->s_log_groups_per_flex = 0; return 1; } + groups_per_flex = 1 << sbi->s_log_groups_per_flex; /* We allocate both existing and potentially added groups */ flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) +