From patchwork Wed Sep 2 19:41:36 2020
X-Patchwork-Submitter: William Breathitt Gray
X-Patchwork-Id: 1356078
From: William Breathitt Gray
To: kernel-team@lists.ubuntu.com
Subject: [SRU][XENIAL][CVE-2018-10322][PATCH v2 2/4] xfs: sanity check directory inode di_size
Date: Wed, 2 Sep 2020 15:41:36 -0400
Message-Id: <20200902194139.67480-3-william.gray@canonical.com>
In-Reply-To: <20200902194139.67480-1-william.gray@canonical.com>
References: <20200902194139.67480-1-william.gray@canonical.com>
From: Amir Goldstein

This change fixes an assertion hit when fuzzing on-disk i_mode values.

The easy case to fix is when changing an empty file i_mode to S_IFDIR. In this case, xfs_dinode_verify() detects an illegal zero size for a directory and fails to load the inode structure from disk.

For the case of a non-empty file whose i_mode is changed to S_IFDIR, the ASSERT() statement in xfs_dir2_isblock() is replaced with return -EFSCORRUPTED, to avoid interacting with corrupted junk also when XFS_DEBUG is disabled.

Suggested-by: Darrick J. Wong
Reviewed-by: Christoph Hellwig
Signed-off-by: Amir Goldstein
Reviewed-by: Darrick J. Wong
Signed-off-by: Darrick J. Wong

CVE-2018-10322

(backported from commit 3c6f46eacd876bd723a9bad3c6882714c052fd8e)
[ vilhelmgray: context adjustment ]
Signed-off-by: William Breathitt Gray

--- fs/xfs/libxfs/xfs_dir2.c | 3 ++- fs/xfs/libxfs/xfs_inode_buf.c | 8 ++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/fs/xfs/libxfs/xfs_dir2.c b/fs/xfs/libxfs/xfs_dir2.c index 2fb53a5c0a74..8441a1b41a82 100644 --- a/fs/xfs/libxfs/xfs_dir2.c +++ b/fs/xfs/libxfs/xfs_dir2.c @@ -630,7 +630,8 @@ xfs_dir2_isblock( if ((rval = xfs_bmap_last_offset(args->dp, &last, XFS_DATA_FORK))) return rval; rval = XFS_FSB_TO_B(args->dp->i_mount, last) == args->geo->blksize; - ASSERT(rval == 0 || args->dp->i_d.di_size == args->geo->blksize); + if (rval != 0 && args->dp->i_d.di_size != args->geo->blksize) + return -EFSCORRUPTED; *vp = rval; return 0; } diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c index bcf233337724..20fcace5fecc 100644 --- a/fs/xfs/libxfs/xfs_inode_buf.c +++ b/fs/xfs/libxfs/xfs_inode_buf.c @@ -296,6 +296,8 @@ xfs_dinode_verify( xfs_ino_t ino, struct xfs_dinode *dip) { + uint16_t mode; + if (dip->di_magic != cpu_to_be16(XFS_DINODE_MAGIC)) return false;
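Review bot: In the xfs_dir2_isblock() hunk the new `return -EFSCORRUPTED;` is silent: the ASSERT() it replaces at least fired under XFS_DEBUG, whereas the new path leaves *vp unset and writes nothing to the log that identifies the inode whose di_size disagrees with the block size, so consider reporting the mismatch (XFS_ERROR_REPORT() or xfs_alert() on args->dp->i_mount) before returning. Since the function now fails after rval has already been computed, also confirm that every caller checks the return value before reading *vp.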
@@ -303,8 +305,10 @@ xfs_dinode_verify( if (be64_to_cpu(dip->di_size) & (1ULL << 63)) return false; - /* No zero-length symlinks. */ - if (S_ISLNK(be16_to_cpu(dip->di_mode)) && dip->di_size == 0) + mode = be16_to_cpu(dip->di_mode); + + /* No zero-length symlinks/dirs. */ + if ((S_ISLNK(mode) || S_ISDIR(mode)) && dip->di_size == 0) return false; /* only version 3 or greater inodes are extensively verified here */
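Review bot: In the second xfs_dinode_verify() hunk the new test compares the raw on-disk field `dip->di_size == 0` while the line directly above already converts it with be64_to_cpu(); testing the big-endian value against zero is correct, but for readability convert once (`uint64_t di_size = be64_to_cpu(dip->di_size);`) and use it in both checks. The updated comment should also say that only the zero-length case is rejected here: a non-empty file whose mode was flipped to S_IFDIR still passes this verifier and relies on the new -EFSCORRUPTED return in xfs_dir2_isblock() in the first hunk.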