[natty,natty/ti-omap4,CVE,1/1] ext4: fix undefined behavior in ext4_fill_flex_info()

From: Xi Wang <xi.wang@gmail.com>

Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
zero when trying to mount a corrupted file system") fixes CVE-2009-4307
by performing a sanity check on s_log_groups_per_flex, since it can be
set to a bogus value by an attacker.

	sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
	groups_per_flex = 1 << sbi->s_log_groups_per_flex;

	if (groups_per_flex < 2) { ... }

This patch fixes two potential issues in the previous commit.

1) The sanity check might only work on architectures like PowerPC.
On x86, 5 bits are used for the shifting amount.  That means, given a
large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
is essentially 1 << 4 = 16, rather than 0.  This will bypass the check,
leaving s_log_groups_per_flex and groups_per_flex inconsistent.

2) The sanity check relies on undefined behavior, i.e., oversized shift.
A standard-confirming C compiler could rewrite the check in unexpected
ways.  Consider the following equivalent form, assuming groups_per_flex
is unsigned for simplicity.

	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
	if (groups_per_flex == 0 || groups_per_flex == 1) {

We compile the code snippet using Clang 3.0 and GCC 4.6.  Clang will
completely optimize away the check groups_per_flex == 0, leaving the
patched code as vulnerable as the original.  GCC keeps the check, but
there is no guarantee that future versions will do the same.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: stable@vger.kernel.org

(cherry picked from commit d50f2ab6f050311dbf7b8f5501b25f0bf64a439b)
CVE-2012-2100
BugLink: http://bugs.launchpad.net/bugs/984757
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 fs/ext4/super.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

On 20.04.2012 10:31, Andy Whitcroft wrote:
> From: Xi Wang <xi.wang@gmail.com>
> 
> Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
> zero when trying to mount a corrupted file system") fixes CVE-2009-4307
> by performing a sanity check on s_log_groups_per_flex, since it can be
> set to a bogus value by an attacker.
> 
> 	sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
> 	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
> 
> 	if (groups_per_flex < 2) { ... }
> 
> This patch fixes two potential issues in the previous commit.
> 
> 1) The sanity check might only work on architectures like PowerPC.
> On x86, 5 bits are used for the shifting amount.  That means, given a
> large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
> is essentially 1 << 4 = 16, rather than 0.  This will bypass the check,
> leaving s_log_groups_per_flex and groups_per_flex inconsistent.
> 
> 2) The sanity check relies on undefined behavior, i.e., oversized shift.
> A standard-confirming C compiler could rewrite the check in unexpected
> ways.  Consider the following equivalent form, assuming groups_per_flex
> is unsigned for simplicity.
> 
> 	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
> 	if (groups_per_flex == 0 || groups_per_flex == 1) {
> 
> We compile the code snippet using Clang 3.0 and GCC 4.6.  Clang will
> completely optimize away the check groups_per_flex == 0, leaving the
> patched code as vulnerable as the original.  GCC keeps the check, but
> there is no guarantee that future versions will do the same.
> 
> Signed-off-by: Xi Wang <xi.wang@gmail.com>
> Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
> Cc: stable@vger.kernel.org
> 
> (cherry picked from commit d50f2ab6f050311dbf7b8f5501b25f0bf64a439b)
> CVE-2012-2100
> BugLink: http://bugs.launchpad.net/bugs/984757
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  fs/ext4/super.c |    7 +++----
>  1 file changed, 3 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index 64bf573..3878978 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -1927,17 +1927,16 @@ static int ext4_fill_flex_info(struct super_block *sb)
>  	struct ext4_group_desc *gdp = NULL;
>  	ext4_group_t flex_group_count;
>  	ext4_group_t flex_group;
> -	int groups_per_flex = 0;
> +	unsigned int groups_per_flex = 0;
>  	size_t size;
>  	int i;
>  
>  	sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
> -	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
> -
> -	if (groups_per_flex < 2) {
> +	if (sbi->s_log_groups_per_flex < 1 || sbi->s_log_groups_per_flex > 31) {
>  		sbi->s_log_groups_per_flex = 0;
>  		return 1;
>  	}
> +	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
>  
>  	/* We allocate both existing and potentially added groups */
>  	flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) +

Looks to be ok...

On Fri, Apr 20, 2012 at 09:31:21AM +0100, Andy Whitcroft wrote:
> From: Xi Wang <xi.wang@gmail.com>
> 
> Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
> zero when trying to mount a corrupted file system") fixes CVE-2009-4307
> by performing a sanity check on s_log_groups_per_flex, since it can be
> set to a bogus value by an attacker.
> 
> 	sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
> 	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
> 
> 	if (groups_per_flex < 2) { ... }
> 
> This patch fixes two potential issues in the previous commit.
> 
> 1) The sanity check might only work on architectures like PowerPC.
> On x86, 5 bits are used for the shifting amount.  That means, given a
> large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
> is essentially 1 << 4 = 16, rather than 0.  This will bypass the check,
> leaving s_log_groups_per_flex and groups_per_flex inconsistent.
> 
> 2) The sanity check relies on undefined behavior, i.e., oversized shift.
> A standard-confirming C compiler could rewrite the check in unexpected
> ways.  Consider the following equivalent form, assuming groups_per_flex
> is unsigned for simplicity.
> 
> 	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
> 	if (groups_per_flex == 0 || groups_per_flex == 1) {
> 
> We compile the code snippet using Clang 3.0 and GCC 4.6.  Clang will
> completely optimize away the check groups_per_flex == 0, leaving the
> patched code as vulnerable as the original.  GCC keeps the check, but
> there is no guarantee that future versions will do the same.
> 
> Signed-off-by: Xi Wang <xi.wang@gmail.com>
> Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
> Cc: stable@vger.kernel.org
> 
> (cherry picked from commit d50f2ab6f050311dbf7b8f5501b25f0bf64a439b)
> CVE-2012-2100
> BugLink: http://bugs.launchpad.net/bugs/984757
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  fs/ext4/super.c |    7 +++----
>  1 file changed, 3 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index 64bf573..3878978 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -1927,17 +1927,16 @@ static int ext4_fill_flex_info(struct super_block *sb)
>  	struct ext4_group_desc *gdp = NULL;
>  	ext4_group_t flex_group_count;
>  	ext4_group_t flex_group;
> -	int groups_per_flex = 0;
> +	unsigned int groups_per_flex = 0;
>  	size_t size;
>  	int i;
>  
>  	sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
> -	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
> -
> -	if (groups_per_flex < 2) {
> +	if (sbi->s_log_groups_per_flex < 1 || sbi->s_log_groups_per_flex > 31) {
>  		sbi->s_log_groups_per_flex = 0;
>  		return 1;
>  	}
> +	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
>  
>  	/* We allocate both existing and potentially added groups */
>  	flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) +
> -- 
> 1.7.9.5
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>

Applied to Natty master-next and ti-omap4