From 9812f47a89cb97a1dc93ff8af268fd03a9d08afc Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 15 May 2023 06:18:57 +0200 Subject: [PATCH] 4.14-stable patches added patches: ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch --- ...g-in-get_max_inline_xattr_value_size.patch | 59 +++++++++++ ...ut-of-bounds-in-ext4_group_desc_csum.patch | 99 +++++++++++++++++++ ...xattr_ibody_get-fails-for-any-reason.patch | 31 ++++++ ...tracking-in-ext4_xattr_move_to_block.patch | 62 ++++++++++++ ...ecovery-code-paths-in-__ext4_remount.patch | 62 ++++++++++++ ...a-bug_on-in-ext4_mb_release_group_pa.patch | 40 ++++++++ queue-4.14/series | 6 ++ 7 files changed, 359 insertions(+) create mode 100644 queue-4.14/ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch create mode 100644 queue-4.14/ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch create mode 100644 queue-4.14/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch create mode 100644 queue-4.14/ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch create mode 100644 queue-4.14/ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch create mode 100644 queue-4.14/ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch diff --git a/queue-4.14/ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch b/queue-4.14/ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch new file mode 100644 index 00000000000..acf0fff6213 --- /dev/null +++ b/queue-4.14/ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch @@ -0,0 +1,59 @@ +From 2220eaf90992c11d888fe771055d4de330385f01 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 12 May 2023 15:11:02 -0400 +Subject: ext4: add bounds checking in get_max_inline_xattr_value_size() + +From: Theodore Ts'o + +commit 2220eaf90992c11d888fe771055d4de330385f01 upstream. + +Normally the extended attributes in the inode body would have been +checked when the inode is first opened, but if someone is writing to +the block device while the file system is mounted, it's possible for +the inode table to get corrupted. Add bounds checking to avoid +reading beyond the end of allocated memory if this happens. + +Reported-by: syzbot+1966db24521e5f6e23f7@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=1966db24521e5f6e23f7 +Cc: stable@kernel.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inline.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -38,6 +38,7 @@ static int get_max_inline_xattr_value_si + struct ext4_xattr_ibody_header *header; + struct ext4_xattr_entry *entry; + struct ext4_inode *raw_inode; ++ void *end; + int free, min_offs; + + if (!EXT4_INODE_HAS_XATTR_SPACE(inode)) +@@ -61,14 +62,23 @@ static int get_max_inline_xattr_value_si + raw_inode = ext4_raw_inode(iloc); + header = IHDR(inode, raw_inode); + entry = IFIRST(header); ++ end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; + + /* Compute min_offs. */ +- for (; !IS_LAST_ENTRY(entry); entry = EXT4_XATTR_NEXT(entry)) { ++ while (!IS_LAST_ENTRY(entry)) { ++ void *next = EXT4_XATTR_NEXT(entry); ++ ++ if (next >= end) { ++ EXT4_ERROR_INODE(inode, ++ "corrupt xattr in inline inode"); ++ return 0; ++ } + if (!entry->e_value_inum && entry->e_value_size) { + size_t offs = le16_to_cpu(entry->e_value_offs); + if (offs < min_offs) + min_offs = offs; + } ++ entry = next; + } + free = min_offs - + ((void *)entry - (void *)IFIRST(header)) - sizeof(__u32); diff --git a/queue-4.14/ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch b/queue-4.14/ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch new file mode 100644 index 00000000000..e64ee473428 --- /dev/null +++ b/queue-4.14/ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch @@ -0,0 +1,99 @@ +From 4f04351888a83e595571de672e0a4a8b74f4fb31 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Thu, 4 May 2023 12:15:25 +0000 +Subject: ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum + +From: Tudor Ambarus + +commit 4f04351888a83e595571de672e0a4a8b74f4fb31 upstream. + +When modifying the block device while it is mounted by the filesystem, +syzbot reported the following: + +BUG: KASAN: slab-out-of-bounds in crc16+0x206/0x280 lib/crc16.c:58 +Read of size 1 at addr ffff888075f5c0a8 by task syz-executor.2/15586 + +CPU: 1 PID: 15586 Comm: syz-executor.2 Not tainted 6.2.0-rc5-syzkaller-00205-gc96618275234 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:306 + print_report+0x107/0x1f0 mm/kasan/report.c:417 + kasan_report+0xcd/0x100 mm/kasan/report.c:517 + crc16+0x206/0x280 lib/crc16.c:58 + ext4_group_desc_csum+0x81b/0xb20 fs/ext4/super.c:3187 + ext4_group_desc_csum_set+0x195/0x230 fs/ext4/super.c:3210 + ext4_mb_clear_bb fs/ext4/mballoc.c:6027 [inline] + ext4_free_blocks+0x191a/0x2810 fs/ext4/mballoc.c:6173 + ext4_remove_blocks fs/ext4/extents.c:2527 [inline] + ext4_ext_rm_leaf fs/ext4/extents.c:2710 [inline] + ext4_ext_remove_space+0x24ef/0x46a0 fs/ext4/extents.c:2958 + ext4_ext_truncate+0x177/0x220 fs/ext4/extents.c:4416 + ext4_truncate+0xa6a/0xea0 fs/ext4/inode.c:4342 + ext4_setattr+0x10c8/0x1930 fs/ext4/inode.c:5622 + notify_change+0xe50/0x1100 fs/attr.c:482 + do_truncate+0x200/0x2f0 fs/open.c:65 + handle_truncate fs/namei.c:3216 [inline] + do_open fs/namei.c:3561 [inline] + path_openat+0x272b/0x2dd0 fs/namei.c:3714 + do_filp_open+0x264/0x4f0 fs/namei.c:3741 + do_sys_openat2+0x124/0x4e0 fs/open.c:1310 + do_sys_open fs/open.c:1326 [inline] + __do_sys_creat fs/open.c:1402 [inline] + __se_sys_creat fs/open.c:1396 [inline] + __x64_sys_creat+0x11f/0x160 fs/open.c:1396 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f72f8a8c0c9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f72f97e3168 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 +RAX: ffffffffffffffda RBX: 00007f72f8bac050 RCX: 00007f72f8a8c0c9 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000280 +RBP: 00007f72f8ae7ae9 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007ffd165348bf R14: 00007f72f97e3300 R15: 0000000000022000 + +Replace + le16_to_cpu(sbi->s_es->s_desc_size) +with + sbi->s_desc_size + +It reduces ext4's compiled text size, and makes the code more efficient +(we remove an extra indirect reference and a potential byte +swap on big endian systems), and there is no downside. It also avoids the +potential KASAN / syzkaller failure, as a bonus. + +Reported-by: syzbot+fc51227e7100c9294894@syzkaller.appspotmail.com +Reported-by: syzbot+8785e41224a3afd04321@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=70d28d11ab14bd7938f3e088365252aa923cff42 +Link: https://syzkaller.appspot.com/bug?id=b85721b38583ecc6b5e72ff524c67302abbc30f3 +Link: https://lore.kernel.org/all/000000000000ece18705f3b20934@google.com/ +Fixes: 717d50e4971b ("Ext4: Uninitialized Block Groups") +Cc: stable@vger.kernel.org +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20230504121525.3275886-1-tudor.ambarus@linaro.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2343,11 +2343,9 @@ static __le16 ext4_group_desc_csum(struc + crc = crc16(crc, (__u8 *)gdp, offset); + offset += sizeof(gdp->bg_checksum); /* skip checksum */ + /* for checksum of struct ext4_group_desc do the rest...*/ +- if (ext4_has_feature_64bit(sb) && +- offset < le16_to_cpu(sbi->s_es->s_desc_size)) ++ if (ext4_has_feature_64bit(sb) && offset < sbi->s_desc_size) + crc = crc16(crc, (__u8 *)gdp + offset, +- le16_to_cpu(sbi->s_es->s_desc_size) - +- offset); ++ sbi->s_desc_size - offset); + + out: + return cpu_to_le16(crc); diff --git a/queue-4.14/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch b/queue-4.14/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch new file mode 100644 index 00000000000..e23029dd087 --- /dev/null +++ b/queue-4.14/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch @@ -0,0 +1,31 @@ +From 2a534e1d0d1591e951f9ece2fb460b2ff92edabd Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 12 May 2023 15:16:27 -0400 +Subject: ext4: bail out of ext4_xattr_ibody_get() fails for any reason + +From: Theodore Ts'o + +commit 2a534e1d0d1591e951f9ece2fb460b2ff92edabd upstream. + +In ext4_update_inline_data(), if ext4_xattr_ibody_get() fails for any +reason, it's best if we just fail as opposed to stumbling on, +especially if the failure is EFSCORRUPTED. + +Cc: stable@kernel.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -364,7 +364,7 @@ static int ext4_update_inline_data(handl + + error = ext4_xattr_ibody_get(inode, i.name_index, i.name, + value, len); +- if (error == -ENODATA) ++ if (error < 0) + goto out; + + BUFFER_TRACE(is.iloc.bh, "get_write_access"); diff --git a/queue-4.14/ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch b/queue-4.14/ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch new file mode 100644 index 00000000000..d19b0f3e86a --- /dev/null +++ b/queue-4.14/ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch @@ -0,0 +1,62 @@ +From b87c7cdf2bed4928b899e1ce91ef0d147017ba45 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sun, 30 Apr 2023 03:04:13 -0400 +Subject: ext4: fix invalid free tracking in ext4_xattr_move_to_block() + +From: Theodore Ts'o + +commit b87c7cdf2bed4928b899e1ce91ef0d147017ba45 upstream. + +In ext4_xattr_move_to_block(), the value of the extended attribute +which we need to move to an external block may be allocated by +kvmalloc() if the value is stored in an external inode. So at the end +of the function the code tried to check if this was the case by +testing entry->e_value_inum. + +However, at this point, the pointer to the xattr entry is no longer +valid, because it was removed from the original location where it had +been stored. So we could end up calling kvfree() on a pointer which +was not allocated by kvmalloc(); or we could also potentially leak +memory by not freeing the buffer when it should be freed. Fix this by +storing whether it should be freed in a separate variable. + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230430160426.581366-1-tytso@mit.edu +Link: https://syzkaller.appspot.com/bug?id=5c2aee8256e30b55ccf57312c16d88417adbd5e1 +Link: https://syzkaller.appspot.com/bug?id=41a6b5d4917c0412eb3b3c3c604965bed7d7420b +Reported-by: syzbot+64b645917ce07d89bde5@syzkaller.appspotmail.com +Reported-by: syzbot+0d042627c4f2ad332195@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2559,6 +2559,7 @@ static int ext4_xattr_move_to_block(hand + .in_inode = !!entry->e_value_inum, + }; + struct ext4_xattr_ibody_header *header = IHDR(inode, raw_inode); ++ int needs_kvfree = 0; + int error; + + is = kzalloc(sizeof(struct ext4_xattr_ibody_find), GFP_NOFS); +@@ -2581,7 +2582,7 @@ static int ext4_xattr_move_to_block(hand + error = -ENOMEM; + goto out; + } +- ++ needs_kvfree = 1; + error = ext4_xattr_inode_get(inode, entry, buffer, value_size); + if (error) + goto out; +@@ -2620,7 +2621,7 @@ static int ext4_xattr_move_to_block(hand + + out: + kfree(b_entry_name); +- if (entry->e_value_inum && buffer) ++ if (needs_kvfree && buffer) + kvfree(buffer); + if (is) + brelse(is->iloc.bh); diff --git a/queue-4.14/ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch b/queue-4.14/ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch new file mode 100644 index 00000000000..ae6ec89fabb --- /dev/null +++ b/queue-4.14/ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch @@ -0,0 +1,62 @@ +From 4c0b4818b1f636bc96359f7817a2d8bab6370162 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 5 May 2023 22:20:29 -0400 +Subject: ext4: improve error recovery code paths in __ext4_remount() + +From: Theodore Ts'o + +commit 4c0b4818b1f636bc96359f7817a2d8bab6370162 upstream. + +If there are failures while changing the mount options in +__ext4_remount(), we need to restore the old mount options. + +This commit fixes two problem. The first is there is a chance that we +will free the old quota file names before a potential failure leading +to a use-after-free. The second problem addressed in this commit is +if there is a failed read/write to read-only transition, if the quota +has already been suspended, we need to renable quota handling. + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230506142419.984260-2-tytso@mit.edu +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5390,9 +5390,6 @@ static int ext4_remount(struct super_blo + ext4_commit_super(sb, 1); + + #ifdef CONFIG_QUOTA +- /* Release old quota file names */ +- for (i = 0; i < EXT4_MAXQUOTAS; i++) +- kfree(old_opts.s_qf_names[i]); + if (enable_quota) { + if (sb_any_quota_suspended(sb)) + dquot_resume(sb, -1); +@@ -5402,6 +5399,9 @@ static int ext4_remount(struct super_blo + goto restore_opts; + } + } ++ /* Release old quota file names */ ++ for (i = 0; i < EXT4_MAXQUOTAS; i++) ++ kfree(old_opts.s_qf_names[i]); + #endif + + *flags = (*flags & ~MS_LAZYTIME) | (sb->s_flags & MS_LAZYTIME); +@@ -5410,6 +5410,13 @@ static int ext4_remount(struct super_blo + return 0; + + restore_opts: ++ /* ++ * If there was a failing r/w to ro transition, we may need to ++ * re-enable quota ++ */ ++ if ((sb->s_flags & SB_RDONLY) && !(old_sb_flags & SB_RDONLY) && ++ sb_any_quota_suspended(sb)) ++ dquot_resume(sb, -1); + sb->s_flags = old_sb_flags; + sbi->s_mount_opt = old_opts.s_mount_opt; + sbi->s_mount_opt2 = old_opts.s_mount_opt2; diff --git a/queue-4.14/ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch b/queue-4.14/ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch new file mode 100644 index 00000000000..3b1364df71f --- /dev/null +++ b/queue-4.14/ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch @@ -0,0 +1,40 @@ +From 463808f237cf73e98a1a45ff7460c2406a150a0b Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 29 Apr 2023 16:14:46 -0400 +Subject: ext4: remove a BUG_ON in ext4_mb_release_group_pa() + +From: Theodore Ts'o + +commit 463808f237cf73e98a1a45ff7460c2406a150a0b upstream. + +If a malicious fuzzer overwrites the ext4 superblock while it is +mounted such that the s_first_data_block is set to a very large +number, the calculation of the block group can underflow, and trigger +a BUG_ON check. Change this to be an ext4_warning so that we don't +crash the kernel. + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230430154311.579720-3-tytso@mit.edu +Reported-by: syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=69b28112e098b070f639efb356393af3ffec4220 +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/mballoc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -3921,7 +3921,11 @@ ext4_mb_release_group_pa(struct ext4_bud + trace_ext4_mb_release_group_pa(sb, pa); + BUG_ON(pa->pa_deleted == 0); + ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit); +- BUG_ON(group != e4b->bd_group && pa->pa_len != 0); ++ if (unlikely(group != e4b->bd_group && pa->pa_len != 0)) { ++ ext4_warning(sb, "bad group: expected %u, group %u, pa_start %llu", ++ e4b->bd_group, group, pa->pa_pstart); ++ return 0; ++ } + mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len); + atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded); + trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len); diff --git a/queue-4.14/series b/queue-4.14/series index 009d5d26887..596dcda0261 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -102,3 +102,9 @@ sh-nmi_debug-fix-return-value-of-__setup-handler.patch arm-dts-exynos-fix-wm8960-clock-name-in-itop-elite.patch arm-dts-s5pv210-correct-mipi-csis-clock-name.patch hid-wacom-set-a-default-resolution-for-older-tablets.patch +ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch +ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch +ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch +ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch +ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch +ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch -- 2.47.3