Message ID | 1532444437-21621-2-git-send-email-paolo.pisati@canonical.com |
---|---|
State | New |
Series | ext4: verify the depth of extent tree in ext4_find_extent() |
On 24.07.2018 17:00, Paolo Pisati wrote: > From: Theodore Ts'o <tytso@mit.edu> > > CVE-2018-10877 > > If there is a corrupted file system where the claimed depth of the > extent tree is -1, this can cause a massive buffer overrun leading to > sadness. > > This addresses CVE-2018-10877. > > https://bugzilla.kernel.org/show_bug.cgi?id=199417 > > Signed-off-by: Theodore Ts'o <tytso@mit.edu> > Cc: stable@kernel.org > (backported from commit bc890a60247171294acc0bd67d211fa4b88d40ba) > Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > fs/ext4/ext4_extents.h | 1 + > fs/ext4/extents.c | 6 ++++++ > 2 files changed, 7 insertions(+) > > diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h > index 5074fe2..9c72cc3 100644 > --- a/fs/ext4/ext4_extents.h > +++ b/fs/ext4/ext4_extents.h > @@ -103,6 +103,7 @@ struct ext4_extent_header { > }; > > #define EXT4_EXT_MAGIC cpu_to_le16(0xf30a) > +#define EXT4_MAX_EXTENT_DEPTH 5 > > #define EXT4_EXTENT_TAIL_OFFSET(hdr) \ > (sizeof(struct ext4_extent_header) + \ > diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c > index 871070d..4b5c5c7 100644 > --- a/fs/ext4/extents.c > +++ b/fs/ext4/extents.c > @@ -847,6 +847,12 @@ ext4_ext_find_extent(struct inode *inode, ext4_lblk_t block, > > eh = ext_inode_hdr(inode); > depth = ext_depth(inode); > + if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) { > + EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d", > + depth); > + ret = -EIO; > + goto err; > + } > > /* account possible depth increase */ > if (!path) { >
diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h index 5074fe2..9c72cc3 100644 --- a/fs/ext4/ext4_extents.h +++ b/fs/ext4/ext4_extents.h @@ -103,6 +103,7 @@ struct ext4_extent_header { }; #define EXT4_EXT_MAGIC cpu_to_le16(0xf30a) +#define EXT4_MAX_EXTENT_DEPTH 5 #define EXT4_EXTENT_TAIL_OFFSET(hdr) \ (sizeof(struct ext4_extent_header) + \ diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 871070d..4b5c5c7 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -847,6 +847,12 @@ ext4_ext_find_extent(struct inode *inode, ext4_lblk_t block, eh = ext_inode_hdr(inode); depth = ext_depth(inode); + if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) { + EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d", + depth); + ret = -EIO; + goto err; + } /* account possible depth increase */ if (!path) {
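Review bot: EXT4_MAX_EXTENT_DEPTH in the fs/ext4/ext4_extents.h hunk is introduced as a bare 5 with no comment saying where the limit comes from. Since the new check in fs/ext4/extents.c fails the lookup with -EIO for any depth above this value, a one-line comment next to the define giving the rationale for 5 would let a later reader judge whether the bound can ever reject a valid tree.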
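Review bot: in the fs/ext4/extents.c hunk, `goto err` is taken before the `if (!path) {` block that follows it, so when the caller passed no path it is still NULL on arrival at `err`. Please confirm that the cleanup under `err` in this backport target tolerates a NULL path, and if it does not, return the error directly from the new check instead of jumping. Separately, the `depth < 0` arm only has an effect if `depth` is a signed type in this tree; its declaration is outside the hunk and worth checking, since with an unsigned `depth` that arm is dead code and the -1 case from the commit message would be handled by the upper-bound comparison alone.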