lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 29 Mar 2018 15:54:19 -0600
From:   Andreas Dilger <adilger@...ger.ca>
To:     Theodore Ts'o <tytso@....edu>
Cc:     Ext4 Developers List <linux-ext4@...r.kernel.org>,
        ebiggers3@...il.com, wen.xu@...ech.edu, ebiggers@...gle.com,
        stable@...r.kernel.org
Subject: Re: [PATCH] ext4: limit xattr size to INT_MAX

On Mar 29, 2018, at 3:46 PM, Theodore Ts'o <tytso@....edu> wrote:
> 
> From: Eric Biggers <ebiggers@...gle.com>
> 
> ext4 isn't validating the sizes of xattrs.  This is problematic
> because ->e_value_size is a u32, but ext4_xattr_get() returns an int.
> A very large size is misinterpreted as an error code, which
> ext4_get_acl() translates into a bogus ERR_PTR() for which IS_ERR()
> returns false, causing a crash.
> 
> Fix this by validating that all xattrs are <= INT_MAX bytes.  Also add
> explicit checks in ext4_xattr_block_get() and ext4_xattr_ibody_get()
> just in case the xattr block is corrupted in memory.
> 
> This issue has been assigned CVE-2018-1095.
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=199185
> https://bugzilla.redhat.com/show_bug.cgi?id=1560793
> 
> Reported-by: Wen Xu <wen.xu@...ech.edu>
> Signed-off-by: Eric Biggers <ebiggers@...gle.com>
> Signed-off-by: Theodore Ts'o <tytso@....edu>

Reviewed-by: Andreas Dilger <adilger@...ger.ca>

> Cc: stable@...r.kernel.org
> ---
> fs/ext4/xattr.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
> index 63656dbafdc4..fea1108c3bea 100644
> --- a/fs/ext4/xattr.c
> +++ b/fs/ext4/xattr.c
> @@ -201,6 +201,9 @@ ext4_xattr_check_entries(struct ext4_xattr_entry *entry, void *end,
> 			u32 size = le32_to_cpu(entry->e_value_size);
> 			void *value;
> 
> +			if (size > INT_MAX)
> +				return -EFSCORRUPTED;
> +
> 			/*
> 			 * The value cannot overlap the names, and the value
> 			 * with padding cannot extend beyond 'end'.  Check both
> @@ -523,8 +526,10 @@ ext4_xattr_block_get(struct inode *inode, int name_index, const char *name,
> 	if (error)
> 		goto cleanup;
> 	size = le32_to_cpu(entry->e_value_size);
> +	error = -ERANGE;
> +	if (unlikely(size > INT_MAX))
> +		goto cleanup;
> 	if (buffer) {
> -		error = -ERANGE;
> 		if (size > buffer_size)
> 			goto cleanup;
> 		if (entry->e_value_inum) {
> @@ -572,8 +577,10 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name,
> 	if (error)
> 		goto cleanup;
> 	size = le32_to_cpu(entry->e_value_size);
> +	error = -ERANGE;
> +	if (unlikely(size > INT_MAX))
> +		goto cleanup;
> 	if (buffer) {
> -		error = -ERANGE;
> 		if (size > buffer_size)
> 			goto cleanup;
> 		if (entry->e_value_inum) {
> --
> 2.16.1.72.g5be1f00a9a
> 


Cheers, Andreas






Download attachment "signature.asc" of type "application/pgp-signature" (874 bytes)

Powered by blists - more mailing lists