diff mbox series

ext4: clear i_data in ext4_inode_info when removing inline data

Message ID 1532450283-31971-2-git-send-email-paolo.pisati@canonical.com
State New
Headers show
Series ext4: clear i_data in ext4_inode_info when removing inline data | expand

Commit Message

Paolo Pisati July 24, 2018, 4:38 p.m. UTC 
From: Theodore Ts'o <tytso@mit.edu>

CVE-2018-10881

When converting from an inode from storing the data in-line to a data
block, ext4_destroy_inline_data_nolock() was only clearing the on-disk
copy of the i_blocks[] array.  It was not clearing copy of the
i_blocks[] in ext4_inode_info, in i_data[], which is the copy actually
used by ext4_map_blocks().

This didn't matter much if we are using extents, since the extents
header would be invalid and thus the extents could would re-initialize
the extents tree.  But if we are using indirect blocks, the previous
contents of the i_blocks array will be treated as block numbers, with
potentially catastrophic results to the file system integrity and/or
user data.

This gets worse if the file system is using a 1k block size and
s_first_data is zero, but even without this, the file system can get
quite badly corrupted.

This addresses CVE-2018-10881.

https://bugzilla.kernel.org/show_bug.cgi?id=200015

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
(cherry picked from commit 6e8ab72a812396996035a37e5ca4b3b99b5d214b)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
---
 fs/ext4/inline.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Stefan Bader July 25, 2018, 2:56 p.m. UTC | #1 
On 24.07.2018 18:38, Paolo Pisati wrote:
> From: Theodore Ts'o <tytso@mit.edu>
> 
> CVE-2018-10881
> 
> When converting from an inode from storing the data in-line to a data
> block, ext4_destroy_inline_data_nolock() was only clearing the on-disk
> copy of the i_blocks[] array.  It was not clearing copy of the
> i_blocks[] in ext4_inode_info, in i_data[], which is the copy actually
> used by ext4_map_blocks().
> 
> This didn't matter much if we are using extents, since the extents
> header would be invalid and thus the extents could would re-initialize
> the extents tree.  But if we are using indirect blocks, the previous
> contents of the i_blocks array will be treated as block numbers, with
> potentially catastrophic results to the file system integrity and/or
> user data.
> 
> This gets worse if the file system is using a 1k block size and
> s_first_data is zero, but even without this, the file system can get
> quite badly corrupted.
> 
> This addresses CVE-2018-10881.
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=200015
> 
> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> Cc: stable@kernel.org
> (cherry picked from commit 6e8ab72a812396996035a37e5ca4b3b99b5d214b)
> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---

For Xenial, this would be also part of 4.4.140 once we get there...

>  fs/ext4/inline.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
> index 3af1fc4..790808b 100644
> --- a/fs/ext4/inline.c
> +++ b/fs/ext4/inline.c
> @@ -434,6 +434,7 @@ static int ext4_destroy_inline_data_nolock(handle_t *handle,
>  
>  	memset((void *)ext4_raw_inode(&is.iloc)->i_block,
>  		0, EXT4_MIN_INLINE_DATA_SIZE);
> +	memset(ei->i_data, 0, EXT4_MIN_INLINE_DATA_SIZE);
>  
>  	if (EXT4_HAS_INCOMPAT_FEATURE(inode->i_sb,
>  				      EXT4_FEATURE_INCOMPAT_EXTENTS)) {
>
diff mbox series

Patch

diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 3af1fc4..790808b 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -434,6 +434,7 @@  static int ext4_destroy_inline_data_nolock(handle_t *handle,
 
 	memset((void *)ext4_raw_inode(&is.iloc)->i_block,
 		0, EXT4_MIN_INLINE_DATA_SIZE);
+	memset(ei->i_data, 0, EXT4_MIN_INLINE_DATA_SIZE);
 
 	if (EXT4_HAS_INCOMPAT_FEATURE(inode->i_sb,
 				      EXT4_FEATURE_INCOMPAT_EXTENTS)) {