From patchwork Thu Nov 5 00:59:16 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kelsey Skunberg X-Patchwork-Id: 1394657 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4CRQCM6VL9z9sVK; Thu, 5 Nov 2020 11:59:27 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1kaTcY-0005SU-G0; Thu, 05 Nov 2020 00:59:22 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kaTcW-0005S7-Fw for kernel-team@lists.ubuntu.com; Thu, 05 Nov 2020 00:59:20 +0000 Received: from mail-ot1-f71.google.com ([209.85.210.71]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kaTcW-0008NX-51 for kernel-team@lists.ubuntu.com; Thu, 05 Nov 2020 00:59:20 +0000 Received: by mail-ot1-f71.google.com with SMTP id e31so218463ote.0 for ; Wed, 04 Nov 2020 16:59:20 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=8f7AgufeWXpKkZOnW2IROGXNP3+rgkxVqFRwGtkN1IU=; b=RmbcgEZ0oyuJcT9M59VzVbtE5g2yLkZaOw2kxlpX5a8beAzJZLc/fOZwr/Lr1DSiW3 OsIjMVp1Uu+KaNlZXAu45MjaaeCtfvg69nZA3UqyH0LhAHYVL9Yd3HcfTE5hI7g9sOXe 0rB+FlMnB6i8If5UrC1mfigAXo+0R3QNFXlmZTMC65iZARW6PATYgM5jTdU/yUf1D70J +ukudMAvxg5nhv/l/4A2xOfue3PBnIOV+YIcbTMvfzer79d3TAk+gFgWZYj1R8Ix2FVb VbGIdDsRfqCCypIBAosaS4eoMnFSbZJBM03xqitWWwVOxsGizwHF/7y+zTte7orXFGdV 3PQw== X-Gm-Message-State: AOAM533uMLs8i6w1tevtrLO+ECgjpY+n6YJDmPN3uVfgIFqA8IzQfWW4 LpBASvzdaXe3a0TCmJuGVwyWUXleX5RZBP0yHLMzrRBgb23bZZx1qttZCpnntH009HvqSi5zjvT oJFTiCttfQ2QNizvSC4zs6HWoDK//JfH7EhmADz8+Zw== X-Received: by 2002:a9d:6290:: with SMTP id x16mr11001otk.15.1604537958911; Wed, 04 Nov 2020 16:59:18 -0800 (PST) X-Google-Smtp-Source: ABdhPJwf+KdhkkpdlCefQ6S1JaUuBVdtqmI2f4y15OHOpz00wnCzehHay+Vnv0EulRbd3epRQLiisA== X-Received: by 2002:a9d:6290:: with SMTP id x16mr10990otk.15.1604537958656; Wed, 04 Nov 2020 16:59:18 -0800 (PST) Received: from localhost.localdomain ([38.80.149.171]) by smtp.gmail.com with ESMTPSA id i12sm986600oon.26.2020.11.04.16.59.17 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 Nov 2020 16:59:18 -0800 (PST) From: Kelsey Skunberg To: kernel-team@lists.ubuntu.com Subject: [SRU][B/hwe][CVE-2020-14314][PATCH 1/1] ext4: fix potential negative array index in do_split() Date: Wed, 4 Nov 2020 17:59:16 -0700 Message-Id: <20201105005916.182248-2-kelsey.skunberg@canonical.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20201105005916.182248-1-kelsey.skunberg@canonical.com> References: <20201105005916.182248-1-kelsey.skunberg@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Eric Sandeen If for any reason a directory passed to do_split() does not have enough active entries to exceed half the size of the block, we can end up iterating over all "count" entries without finding a split point. In this case, count == move, and split will be zero, and we will attempt a negative index into map[]. Guard against this by detecting this case, and falling back to split-to-half-of-count instead; in this case we will still have plenty of space (> half blocksize) in each split block. Fixes: ef2b02d3e617 ("ext34: ensure do_split leaves enough free space in both blocks") Signed-off-by: Eric Sandeen Reviewed-by: Andreas Dilger Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/f53e246b-647c-64bb-16ec-135383c70ad7@redhat.com Signed-off-by: Theodore Ts'o CVE-2020-14314 (cherry picked from commit 5872331b3d91820e14716632ebb56b1399b34fe1) Signed-off-by: Kelsey Skunberg --- fs/ext4/namei.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index 5e1bdfb7ba9d..0b9eece14c8b 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -1852,7 +1852,7 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, blocksize, hinfo, map); map -= count; dx_sort_map(map, count); - /* Split the existing block in the middle, size-wise */ + /* Ensure that neither split block is over half full */ size = 0; move = 0; for (i = count-1; i >= 0; i--) { @@ -1862,8 +1862,18 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, size += map[i].size; move++; } - /* map index at which we will split */ - split = count - move; + /* + * map index at which we will split + * + * If the sum of active entries didn't exceed half the block size, just + * split it in half by count; each resulting block will have at least + * half the space free. + */ + if (i > 0) + split = count - move; + else + split = count/2; + hash2 = map[split].hash; continued = hash2 == map[split - 1].hash; dxtrace(printk(KERN_INFO "Split block %lu at %x, %i/%i\n",