Commit | Line | Data |
---|---|---|
fbc4be2a GKH |
1 | From 592acbf16821288ecdc4192c47e3774a4c48bb64 Mon Sep 17 00:00:00 2001 |
2 | From: Sriram Rajagopalan <sriramr@arista.com> | |
3 | Date: Fri, 10 May 2019 19:28:06 -0400 | |
4 | Subject: ext4: zero out the unused memory region in the extent tree block | |
5 | ||
6 | From: Sriram Rajagopalan <sriramr@arista.com> | |
7 | ||
8 | commit 592acbf16821288ecdc4192c47e3774a4c48bb64 upstream. | |
9 | ||
10 | This commit zeroes out the unused memory region in the buffer_head | |
11 | corresponding to the extent metablock after writing the extent header | |
12 | and the corresponding extent node entries. | |
13 | ||
14 | This is done to prevent random uninitialized data from getting into | |
15 | the filesystem when the extent block is synced. | |
16 | ||
17 | This fixes CVE-2019-11833. | |
18 | ||
19 | Signed-off-by: Sriram Rajagopalan <sriramr@arista.com> | |
20 | Signed-off-by: Theodore Ts'o <tytso@mit.edu> | |
21 | Cc: stable@kernel.org | |
22 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
23 | ||
24 | --- | |
25 | fs/ext4/extents.c | 17 +++++++++++++++-- | |
26 | 1 file changed, 15 insertions(+), 2 deletions(-) | |
27 | ||
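--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -1049,6 +1049,7 @@ static int ext4_ext_split(handle_t *hand
 __le32 border;
 ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */
 int err = 0;
+ size_t ext_size = 0;

 /* make decision: where to split? */
 /* FIXME: now decision is simplest: at current extent */
@@ -1140,6 +1141,10 @@ static int ext4_ext_split(handle_t *hand
 le16_add_cpu(&neh->eh_entries, m);
 }

+ /* zero out unused area in the extent block */
+ ext_size = sizeof(struct ext4_extent_header) +
+ sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries);
+ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
 ext4_extent_block_csum_set(inode, neh);
 set_buffer_uptodate(bh);
 unlock_buffer(bh);
@@ -1219,6 +1224,11 @@ static int ext4_ext_split(handle_t *hand
 sizeof(struct ext4_extent_idx) * m);
 le16_add_cpu(&neh->eh_entries, m);
 }
+ /* zero out unused area in the extent block */
+ ext_size = sizeof(struct ext4_extent_header) +
+ (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries));
+ memset(bh->b_data + ext_size, 0,
+ inode->i_sb->s_blocksize - ext_size);
 ext4_extent_block_csum_set(inode, neh);
 set_buffer_uptodate(bh);
 unlock_buffer(bh);
@@ -1284,6 +1294,7 @@ static int ext4_ext_grow_indepth(handle_
 ext4_fsblk_t newblock, goal = 0;
 struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es;
 int err = 0;
+ size_t ext_size = 0;

 /* Try to prepend new index to old one */
 if (ext_depth(inode))
@@ -1309,9 +1320,11 @@ static int ext4_ext_grow_indepth(handle_
 goto out;
 }

+ ext_size = sizeof(EXT4_I(inode)->i_data);
 /* move top-level index/leaf into new block */
- memmove(bh->b_data, EXT4_I(inode)->i_data,
- sizeof(EXT4_I(inode)->i_data));
+ memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size);
+ /* zero out unused area in the extent block */
+ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);

 /* set size of new block */
 neh = ext_block_hdr(bh);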
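Review bot: In the second zeroing block of ext4_ext_split (the hunk at -1219, directly after the memmove that copies `sizeof(struct ext4_extent_idx) * m` bytes), the used size is computed with `sizeof(struct ext4_extent)` even though this block holds index entries. The two on-disk structures appear to be the same size, so the zeroed range is probably unchanged, but the code then depends on that coincidence; `(sizeof(struct ext4_extent_idx) * le16_to_cpu(neh->eh_entries));` states the intent. Both memset lengths in ext4_ext_split also rely on eh_entries keeping ext_size at or below s_blocksize, because `s_blocksize - ext_size` is unsigned and would wrap to a huge length otherwise; a one-line comment recording that bound next to the memset would help the next reader. The bodies of ext4_ext_split and ext4_ext_grow_indepth continue outside the hunks shown.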