ext4: verify the depth of extent tree in ext4_find_extent()

Message ID	1532444437-21621-2-git-send-email-paolo.pisati@canonical.com
State	New
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Paolo Pisati <paolo.pisati@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [PATCH] ext4: verify the depth of extent tree in ext4_find_extent() Date: Tue, 24 Jul 2018 17:00:37 +0200 Message-Id: <1532444437-21621-2-git-send-email-paolo.pisati@canonical.com> In-Reply-To: <1532444437-21621-1-git-send-email-paolo.pisati@canonical.com> References: <1532444437-21621-1-git-send-email-paolo.pisati@canonical.com> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>
Series	ext4: verify the depth of extent tree in ext4_find_extent() \| expand ext4: verify the depth of extent tree in ext4_find_extent()

Message ID

1532444437-21621-2-git-send-email-paolo.pisati@canonical.com

State

New

Headers

From: Paolo Pisati <paolo.pisati@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH] ext4: verify the depth of extent tree in ext4_find_extent()
Date: Tue, 24 Jul 2018 17:00:37 +0200
Message-Id: <1532444437-21621-2-git-send-email-paolo.pisati@canonical.com>
In-Reply-To: <1532444437-21621-1-git-send-email-paolo.pisati@canonical.com>
References: <1532444437-21621-1-git-send-email-paolo.pisati@canonical.com>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

Series

ext4: verify the depth of extent tree in ext4_find_extent() | expand

Commit Message

Paolo Pisati July 24, 2018, 3 p.m. UTC

From: Theodore Ts'o <tytso@mit.edu>

CVE-2018-10877

If there is a corupted file system where the claimed depth of the
extent tree is -1, this can cause a massive buffer overrun leading to
sadness.

This addresses CVE-2018-10877.

https://bugzilla.kernel.org/show_bug.cgi?id=199417

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
(backported from commit bc890a60247171294acc0bd67d211fa4b88d40ba)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
---
 fs/ext4/ext4_extents.h | 1 +
 fs/ext4/extents.c      | 6 ++++++
 2 files changed, 7 insertions(+)

Comments

Stefan Bader July 25, 2018, 3:19 p.m. UTC | #1

On 24.07.2018 17:00, Paolo Pisati wrote:
> From: Theodore Ts'o <tytso@mit.edu>
> 
> CVE-2018-10877
> 
> If there is a corupted file system where the claimed depth of the
> extent tree is -1, this can cause a massive buffer overrun leading to
> sadness.
> 
> This addresses CVE-2018-10877.
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=199417
> 
> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> Cc: stable@kernel.org
> (backported from commit bc890a60247171294acc0bd67d211fa4b88d40ba)
> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  fs/ext4/ext4_extents.h | 1 +
>  fs/ext4/extents.c      | 6 ++++++
>  2 files changed, 7 insertions(+)
> 
> diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h
> index 5074fe2..9c72cc3 100644
> --- a/fs/ext4/ext4_extents.h
> +++ b/fs/ext4/ext4_extents.h
> @@ -103,6 +103,7 @@ struct ext4_extent_header {
>  };
>  
>  #define EXT4_EXT_MAGIC		cpu_to_le16(0xf30a)
> +#define EXT4_MAX_EXTENT_DEPTH 5
>  
>  #define EXT4_EXTENT_TAIL_OFFSET(hdr) \
>  	(sizeof(struct ext4_extent_header) + \
> diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
> index 871070d..4b5c5c7 100644
> --- a/fs/ext4/extents.c
> +++ b/fs/ext4/extents.c
> @@ -847,6 +847,12 @@ ext4_ext_find_extent(struct inode *inode, ext4_lblk_t block,
>  
>  	eh = ext_inode_hdr(inode);
>  	depth = ext_depth(inode);
> +	if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) {
> +		EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d",
> +				 depth);
> +		ret = -EIO;
> +		goto err;
> +	}
>  
>  	/* account possible depth increase */
>  	if (!path) {
>

diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h
index 5074fe2..9c72cc3 100644
--- a/fs/ext4/ext4_extents.h
+++ b/fs/ext4/ext4_extents.h
@@ -103,6 +103,7 @@  struct ext4_extent_header {
 };
 
 #define EXT4_EXT_MAGIC		cpu_to_le16(0xf30a)
+#define EXT4_MAX_EXTENT_DEPTH 5
 
 #define EXT4_EXTENT_TAIL_OFFSET(hdr) \
 	(sizeof(struct ext4_extent_header) + \
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 871070d..4b5c5c7 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -847,6 +847,12 @@  ext4_ext_find_extent(struct inode *inode, ext4_lblk_t block,
 
 	eh = ext_inode_hdr(inode);
 	depth = ext_depth(inode);
+	if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) {
+		EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d",
+				 depth);
+		ret = -EIO;
+		goto err;
+	}
 
 	/* account possible depth increase */
 	if (!path) {

ext4: verify the depth of extent tree in ext4_find_extent()

Commit Message

Comments

Patch