[T/X/A/B/C,1/1] ext4: fail ext4_iget for root directory if unallocated

Message ID 20180514054146.9438-2-khalid.elmously@canonical.com
State New
Headers show
Series
  • CVE-2018-1092
Related show

Commit Message

Khaled Elmously May 14, 2018, 5:41 a.m.
From: Theodore Ts'o <tytso@mit.edu>

CVE-2018-1092

If the root directory has an i_links_count of zero, then when the file
system is mounted, then when ext4_fill_super() notices the problem and
tries to call iput() the root directory in the error return path,
ext4_evict_inode() will try to free the inode on disk, before all of
the file system structures are set up, and this will result in an OOPS
caused by a NULL pointer dereference.

This issue has been assigned CVE-2018-1092.

https://bugzilla.kernel.org/show_bug.cgi?id=199179
https://bugzilla.redhat.com/show_bug.cgi?id=1560777

Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
(cherry-picked from 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
---
 fs/ext4/inode.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Andy Whitcroft May 14, 2018, 9:43 a.m. | #1
On Mon, May 14, 2018 at 01:41:46AM -0400, Khalid Elmously wrote:
> From: Theodore Ts'o <tytso@mit.edu>
> 
> CVE-2018-1092
> 
> If the root directory has an i_links_count of zero, then when the file
> system is mounted, then when ext4_fill_super() notices the problem and
> tries to call iput() the root directory in the error return path,
> ext4_evict_inode() will try to free the inode on disk, before all of
> the file system structures are set up, and this will result in an OOPS
> caused by a NULL pointer dereference.
> 
> This issue has been assigned CVE-2018-1092.
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=199179
> https://bugzilla.redhat.com/show_bug.cgi?id=1560777
> 
> Reported-by: Wen Xu <wen.xu@gatech.edu>
> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> Cc: stable@vger.kernel.org
> (cherry-picked from 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
> ---
>  fs/ext4/inode.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
> index 3d4d1dccc8a1..398faeff1938 100644
> --- a/fs/ext4/inode.c
> +++ b/fs/ext4/inode.c
> @@ -4745,6 +4745,12 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
>  		goto bad_inode;
>  	raw_inode = ext4_raw_inode(&iloc);
>  
> +	if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
> +		EXT4_ERROR_INODE(inode, "root inode unallocated");
> +		ret = -EFSCORRUPTED;
> +		goto bad_inode;
> +	}
> +
>  	if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
>  		ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
>  		if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
> -- 
> 2.17.0
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Looks like a sensible early error bail.

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw
Kleber Souza May 16, 2018, 1:47 p.m. | #2
On 05/14/18 07:41, Khalid Elmously wrote:
> From: Theodore Ts'o <tytso@mit.edu>
> 
> CVE-2018-1092
> 
> If the root directory has an i_links_count of zero, then when the file
> system is mounted, then when ext4_fill_super() notices the problem and
> tries to call iput() the root directory in the error return path,
> ext4_evict_inode() will try to free the inode on disk, before all of
> the file system structures are set up, and this will result in an OOPS
> caused by a NULL pointer dereference.
> 
> This issue has been assigned CVE-2018-1092.
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=199179
> https://bugzilla.redhat.com/show_bug.cgi?id=1560777
> 
> Reported-by: Wen Xu <wen.xu@gatech.edu>
> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> Cc: stable@vger.kernel.org
> (cherry-picked from 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

Not needed for Xenial, since the fix has already been applied as part of
update to 4.4.129 stable release.


Thanks,
Kleber

> ---
>  fs/ext4/inode.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
> index 3d4d1dccc8a1..398faeff1938 100644
> --- a/fs/ext4/inode.c
> +++ b/fs/ext4/inode.c
> @@ -4745,6 +4745,12 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
>  		goto bad_inode;
>  	raw_inode = ext4_raw_inode(&iloc);
>  
> +	if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
> +		EXT4_ERROR_INODE(inode, "root inode unallocated");
> +		ret = -EFSCORRUPTED;
> +		goto bad_inode;
> +	}
> +
>  	if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
>  		ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
>  		if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
>

Patch

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 3d4d1dccc8a1..398faeff1938 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4745,6 +4745,12 @@  struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
 		goto bad_inode;
 	raw_inode = ext4_raw_inode(&iloc);
 
+	if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
+		EXT4_ERROR_INODE(inode, "root inode unallocated");
+		ret = -EFSCORRUPTED;
+		goto bad_inode;
+	}
+
 	if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
 		ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
 		if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >