From: Greg Kroah-Hartman Date: Sun, 22 Apr 2018 07:30:13 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.106~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=331257b87d76ac4362f2096b546af44f8f0b1723;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: ext4-add-validity-checks-for-bitmap-block-numbers.patch ext4-don-t-allow-r-w-mounts-if-metadata-blocks-overlap-the-superblock.patch ext4-fail-ext4_iget-for-root-directory-if-unallocated.patch --- diff --git a/queue-3.18/ext4-add-validity-checks-for-bitmap-block-numbers.patch b/queue-3.18/ext4-add-validity-checks-for-bitmap-block-numbers.patch new file mode 100644 index 00000000000..2a0ae4a875a --- /dev/null +++ b/queue-3.18/ext4-add-validity-checks-for-bitmap-block-numbers.patch @@ -0,0 +1,111 @@ +From 7dac4a1726a9c64a517d595c40e95e2d0d135f6f Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Mon, 26 Mar 2018 23:54:10 -0400 +Subject: ext4: add validity checks for bitmap block numbers + +From: Theodore Ts'o + +commit 7dac4a1726a9c64a517d595c40e95e2d0d135f6f upstream. + +An privileged attacker can cause a crash by mounting a crafted ext4 +image which triggers a out-of-bounds read in the function +ext4_valid_block_bitmap() in fs/ext4/balloc.c. + +This issue has been assigned CVE-2018-1093. + +Backport notes: +3.18.y is missing commit 6a797d273783 ("ext4: call out CRC and corruption errors with specific error codes") +so the EFSCORRUPTED label doesn't exist. Replaced +all instances of EFSCORRUPTED with EUCLEAN since that's +what 6a797d273783 defined it as. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181 +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782 +Reported-by: Wen Xu +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +[harsh@prjkt.io: s/EFSCORRUPTED/EUCLEAN/ fs/ext4/balloc.c] +Signed-off-by: Harsh Shandilya +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/balloc.c | 16 ++++++++++++++-- + fs/ext4/ialloc.c | 8 +++++++- + 2 files changed, 21 insertions(+), 3 deletions(-) + +--- a/fs/ext4/balloc.c ++++ b/fs/ext4/balloc.c +@@ -340,20 +340,25 @@ static ext4_fsblk_t ext4_valid_block_bit + /* check whether block bitmap block number is set */ + blk = ext4_block_bitmap(sb, desc); + offset = blk - group_first_block; +- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) ++ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize || ++ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) + /* bad block bitmap */ + return blk; + + /* check whether the inode bitmap block number is set */ + blk = ext4_inode_bitmap(sb, desc); + offset = blk - group_first_block; +- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) ++ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize || ++ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) + /* bad block bitmap */ + return blk; + + /* check whether the inode table block number is set */ + blk = ext4_inode_table(sb, desc); + offset = blk - group_first_block; ++ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize || ++ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize) ++ return blk; + next_zero_bit = ext4_find_next_zero_bit(bh->b_data, + EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group), + EXT4_B2C(sbi, offset)); +@@ -416,6 +421,7 @@ struct buffer_head * + ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group) + { + struct ext4_group_desc *desc; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); + struct buffer_head *bh; + ext4_fsblk_t bitmap_blk; + +@@ -423,6 +429,12 @@ ext4_read_block_bitmap_nowait(struct sup + if (!desc) + return NULL; + bitmap_blk = ext4_block_bitmap(sb, desc); ++ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) || ++ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) { ++ ext4_error(sb, "Invalid block bitmap block %llu in " ++ "block_group %u", bitmap_blk, block_group); ++ return ERR_PTR(-EUCLEAN); ++ } + bh = sb_getblk(sb, bitmap_blk); + if (unlikely(!bh)) { + ext4_error(sb, "Cannot get buffer for block bitmap - " +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -123,16 +123,22 @@ static struct buffer_head * + ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) + { + struct ext4_group_desc *desc; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); + struct buffer_head *bh = NULL; + ext4_fsblk_t bitmap_blk; + struct ext4_group_info *grp; +- struct ext4_sb_info *sbi = EXT4_SB(sb); + + desc = ext4_get_group_desc(sb, block_group, NULL); + if (!desc) + return NULL; + + bitmap_blk = ext4_inode_bitmap(sb, desc); ++ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) || ++ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) { ++ ext4_error(sb, "Invalid inode bitmap blk %llu in " ++ "block_group %u", bitmap_blk, block_group); ++ return ERR_PTR(-EUCLEAN); ++ } + bh = sb_getblk(sb, bitmap_blk); + if (unlikely(!bh)) { + ext4_error(sb, "Cannot read inode bitmap - " diff --git a/queue-3.18/ext4-don-t-allow-r-w-mounts-if-metadata-blocks-overlap-the-superblock.patch b/queue-3.18/ext4-don-t-allow-r-w-mounts-if-metadata-blocks-overlap-the-superblock.patch new file mode 100644 index 00000000000..a359d8326a5 --- /dev/null +++ b/queue-3.18/ext4-don-t-allow-r-w-mounts-if-metadata-blocks-overlap-the-superblock.patch @@ -0,0 +1,57 @@ +From 18db4b4e6fc31eda838dd1c1296d67dbcb3dc957 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 29 Mar 2018 22:10:35 -0400 +Subject: ext4: don't allow r/w mounts if metadata blocks overlap the superblock + +From: Theodore Ts'o + +commit 18db4b4e6fc31eda838dd1c1296d67dbcb3dc957 upstream. + +If some metadata block, such as an allocation bitmap, overlaps the +superblock, it's very likely that if the file system is mounted +read/write, the results will not be pretty. So disallow r/w mounts +for file systems corrupted in this particular way. + +Backport notes: +3.18.y is missing bc98a42c1f7d ("VFS: Convert sb->s_flags & MS_RDONLY to sb_rdonly(sb)") +and e462ec50cb5f ("VFS: Differentiate mount flags (MS_*) from internal superblock flags") +so we simply use the sb MS_RDONLY check from pre bc98a42c1f7d in place of the sb_rdonly +function used in the upstream variant of the patch. + +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Harsh Shandilya +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2093,6 +2093,8 @@ static int ext4_check_descriptors(struct + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Block bitmap for group %u overlaps " + "superblock", i); ++ if (!(sb->s_flags & MS_RDONLY)) ++ return 0; + } + if (block_bitmap < first_block || block_bitmap > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " +@@ -2105,6 +2107,8 @@ static int ext4_check_descriptors(struct + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Inode bitmap for group %u overlaps " + "superblock", i); ++ if (!(sb->s_flags & MS_RDONLY)) ++ return 0; + } + if (inode_bitmap < first_block || inode_bitmap > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " +@@ -2117,6 +2121,8 @@ static int ext4_check_descriptors(struct + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Inode table for group %u overlaps " + "superblock", i); ++ if (!(sb->s_flags & MS_RDONLY)) ++ return 0; + } + if (inode_table < first_block || + inode_table + sbi->s_itb_per_group - 1 > last_block) { diff --git a/queue-3.18/ext4-fail-ext4_iget-for-root-directory-if-unallocated.patch b/queue-3.18/ext4-fail-ext4_iget-for-root-directory-if-unallocated.patch new file mode 100644 index 00000000000..aa429da8c11 --- /dev/null +++ b/queue-3.18/ext4-fail-ext4_iget-for-root-directory-if-unallocated.patch @@ -0,0 +1,46 @@ +From 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 29 Mar 2018 21:56:09 -0400 +Subject: ext4: fail ext4_iget for root directory if unallocated + +From: Theodore Ts'o + +commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 upstream. + +If the root directory has an i_links_count of zero, then when the file +system is mounted, then when ext4_fill_super() notices the problem and +tries to call iput() the root directory in the error return path, +ext4_evict_inode() will try to free the inode on disk, before all of +the file system structures are set up, and this will result in an OOPS +caused by a NULL pointer dereference. + +This issue has been assigned CVE-2018-1092. + +https://bugzilla.kernel.org/show_bug.cgi?id=199179 +https://bugzilla.redhat.com/show_bug.cgi?id=1560777 + +Reported-by: Wen Xu +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +[harsh@prjkt.io: s/EFSCORRUPTED/EUCLEAN/ fs/ext4/inode.c] +Signed-off-by: Harsh Shandilya +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3975,6 +3975,12 @@ struct inode *ext4_iget(struct super_blo + goto bad_inode; + raw_inode = ext4_raw_inode(&iloc); + ++ if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) { ++ EXT4_ERROR_INODE(inode, "root inode unallocated"); ++ ret = -EUCLEAN; ++ goto bad_inode; ++ } ++ + if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { + ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize); + if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize > diff --git a/queue-3.18/series b/queue-3.18/series index 3c2dd3f95e2..649b61484c6 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -34,3 +34,6 @@ alsa-pcm-avoid-potential-races-between-oss-ioctls-and-read-write.patch alsa-pcm-return-ebusy-for-oss-ioctls-changing-busy-streams.patch alsa-pcm-fix-mutex-unbalance-in-oss-emulation-ioctls.patch alsa-pcm-fix-endless-loop-for-xrun-recovery-in-oss-emulation.patch +ext4-add-validity-checks-for-bitmap-block-numbers.patch +ext4-fail-ext4_iget-for-root-directory-if-unallocated.patch +ext4-don-t-allow-r-w-mounts-if-metadata-blocks-overlap-the-superblock.patch