--- /dev/null
+From 7dac4a1726a9c64a517d595c40e95e2d0d135f6f Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 26 Mar 2018 23:54:10 -0400
+Subject: ext4: add validity checks for bitmap block numbers
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 7dac4a1726a9c64a517d595c40e95e2d0d135f6f upstream.
+
+An privileged attacker can cause a crash by mounting a crafted ext4
+image which triggers a out-of-bounds read in the function
+ext4_valid_block_bitmap() in fs/ext4/balloc.c.
+
+This issue has been assigned CVE-2018-1093.
+
+Backport notes:
+3.18.y is missing commit 6a797d273783 ("ext4: call out CRC and corruption errors with specific error codes")
+so the EFSCORRUPTED label doesn't exist. Replaced
+all instances of EFSCORRUPTED with EUCLEAN since that's
+what 6a797d273783 defined it as.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+[harsh@prjkt.io: s/EFSCORRUPTED/EUCLEAN/ fs/ext4/balloc.c]
+Signed-off-by: Harsh Shandilya <harsh@prjkt.io>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/balloc.c | 16 ++++++++++++++--
+ fs/ext4/ialloc.c | 8 +++++++-
+ 2 files changed, 21 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/balloc.c
++++ b/fs/ext4/balloc.c
+@@ -340,20 +340,25 @@ static ext4_fsblk_t ext4_valid_block_bit
+ /* check whether block bitmap block number is set */
+ blk = ext4_block_bitmap(sb, desc);
+ offset = blk - group_first_block;
+- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
++ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
++ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
+ /* bad block bitmap */
+ return blk;
+
+ /* check whether the inode bitmap block number is set */
+ blk = ext4_inode_bitmap(sb, desc);
+ offset = blk - group_first_block;
+- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
++ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
++ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
+ /* bad block bitmap */
+ return blk;
+
+ /* check whether the inode table block number is set */
+ blk = ext4_inode_table(sb, desc);
+ offset = blk - group_first_block;
++ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
++ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize)
++ return blk;
+ next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
+ EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group),
+ EXT4_B2C(sbi, offset));
+@@ -416,6 +421,7 @@ struct buffer_head *
+ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
+ {
+ struct ext4_group_desc *desc;
++ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ struct buffer_head *bh;
+ ext4_fsblk_t bitmap_blk;
+
+@@ -423,6 +429,12 @@ ext4_read_block_bitmap_nowait(struct sup
+ if (!desc)
+ return NULL;
+ bitmap_blk = ext4_block_bitmap(sb, desc);
++ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
++ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
++ ext4_error(sb, "Invalid block bitmap block %llu in "
++ "block_group %u", bitmap_blk, block_group);
++ return ERR_PTR(-EUCLEAN);
++ }
+ bh = sb_getblk(sb, bitmap_blk);
+ if (unlikely(!bh)) {
+ ext4_error(sb, "Cannot get buffer for block bitmap - "
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -123,16 +123,22 @@ static struct buffer_head *
+ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
+ {
+ struct ext4_group_desc *desc;
++ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ struct buffer_head *bh = NULL;
+ ext4_fsblk_t bitmap_blk;
+ struct ext4_group_info *grp;
+- struct ext4_sb_info *sbi = EXT4_SB(sb);
+
+ desc = ext4_get_group_desc(sb, block_group, NULL);
+ if (!desc)
+ return NULL;
+
+ bitmap_blk = ext4_inode_bitmap(sb, desc);
++ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
++ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
++ ext4_error(sb, "Invalid inode bitmap blk %llu in "
++ "block_group %u", bitmap_blk, block_group);
++ return ERR_PTR(-EUCLEAN);
++ }
+ bh = sb_getblk(sb, bitmap_blk);
+ if (unlikely(!bh)) {
+ ext4_error(sb, "Cannot read inode bitmap - "
--- /dev/null
+From 18db4b4e6fc31eda838dd1c1296d67dbcb3dc957 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 29 Mar 2018 22:10:35 -0400
+Subject: ext4: don't allow r/w mounts if metadata blocks overlap the superblock
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 18db4b4e6fc31eda838dd1c1296d67dbcb3dc957 upstream.
+
+If some metadata block, such as an allocation bitmap, overlaps the
+superblock, it's very likely that if the file system is mounted
+read/write, the results will not be pretty. So disallow r/w mounts
+for file systems corrupted in this particular way.
+
+Backport notes:
+3.18.y is missing bc98a42c1f7d ("VFS: Convert sb->s_flags & MS_RDONLY to sb_rdonly(sb)")
+and e462ec50cb5f ("VFS: Differentiate mount flags (MS_*) from internal superblock flags")
+so we simply use the sb MS_RDONLY check from pre bc98a42c1f7d in place of the sb_rdonly
+function used in the upstream variant of the patch.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Harsh Shandilya <harsh@prjkt.io>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2093,6 +2093,8 @@ static int ext4_check_descriptors(struct
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Block bitmap for group %u overlaps "
+ "superblock", i);
++ if (!(sb->s_flags & MS_RDONLY))
++ return 0;
+ }
+ if (block_bitmap < first_block || block_bitmap > last_block) {
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+@@ -2105,6 +2107,8 @@ static int ext4_check_descriptors(struct
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Inode bitmap for group %u overlaps "
+ "superblock", i);
++ if (!(sb->s_flags & MS_RDONLY))
++ return 0;
+ }
+ if (inode_bitmap < first_block || inode_bitmap > last_block) {
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+@@ -2117,6 +2121,8 @@ static int ext4_check_descriptors(struct
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Inode table for group %u overlaps "
+ "superblock", i);
++ if (!(sb->s_flags & MS_RDONLY))
++ return 0;
+ }
+ if (inode_table < first_block ||
+ inode_table + sbi->s_itb_per_group - 1 > last_block) {
--- /dev/null
+From 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 29 Mar 2018 21:56:09 -0400
+Subject: ext4: fail ext4_iget for root directory if unallocated
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 upstream.
+
+If the root directory has an i_links_count of zero, then when the file
+system is mounted, then when ext4_fill_super() notices the problem and
+tries to call iput() the root directory in the error return path,
+ext4_evict_inode() will try to free the inode on disk, before all of
+the file system structures are set up, and this will result in an OOPS
+caused by a NULL pointer dereference.
+
+This issue has been assigned CVE-2018-1092.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=199179
+https://bugzilla.redhat.com/show_bug.cgi?id=1560777
+
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+[harsh@prjkt.io: s/EFSCORRUPTED/EUCLEAN/ fs/ext4/inode.c]
+Signed-off-by: Harsh Shandilya <harsh@prjkt.io>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -3975,6 +3975,12 @@ struct inode *ext4_iget(struct super_blo
+ goto bad_inode;
+ raw_inode = ext4_raw_inode(&iloc);
+
++ if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
++ EXT4_ERROR_INODE(inode, "root inode unallocated");
++ ret = -EUCLEAN;
++ goto bad_inode;
++ }
++
+ if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
+ ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
+ if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
projects / thirdparty / kernel / stable-queue.git / commitdiff
