lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <30c688b5783a5779811ce68893b7001390b9e200.camel@decadent.org.uk>
Date:   Sun, 22 Apr 2018 22:54:23 +0100
From:   Ben Hutchings <ben@...adent.org.uk>
To:     Theodore Tso <tytso@....edu>
Cc:     stable@...r.kernel.org, Wen Xu <wen.xu@...ech.edu>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 4.9 37/95] ext4: add validity checks for bitmap block
 numbers

On Sun, 2018-04-22 at 15:53 +0200, Greg Kroah-Hartman wrote:
> 4.9-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Theodore Ts'o <tytso@....edu>
> 
> commit 7dac4a1726a9c64a517d595c40e95e2d0d135f6f upstream.
> 
> An privileged attacker can cause a crash by mounting a crafted ext4
> image which triggers a out-of-bounds read in the function
> ext4_valid_block_bitmap() in fs/ext4/balloc.c.
> 
> This issue has been assigned CVE-2018-1093.
> 
> BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181
> BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782
> Reported-by: Wen Xu <wen.xu@...ech.edu>
> Signed-off-by: Theodore Ts'o <tytso@....edu>
> Cc: stable@...r.kernel.org
> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> 
> ---
>  fs/ext4/balloc.c |   16 ++++++++++++++--
>  fs/ext4/ialloc.c |    7 +++++++
>  2 files changed, 21 insertions(+), 2 deletions(-)
> 
> --- a/fs/ext4/balloc.c
> +++ b/fs/ext4/balloc.c
> @@ -337,20 +337,25 @@ static ext4_fsblk_t ext4_valid_block_bit
>  	/* check whether block bitmap block number is set */
>  	blk = ext4_block_bitmap(sb, desc);
>  	offset = blk - group_first_block;
> -	if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
> +	if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
> +	    !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))

Isn't sb->s_blocksize a count of bytes?  If so, doesn't that mean that
we should be comparing with sb->s_blocksize * 8?

Ben.

>  		/* bad block bitmap */
>  		return blk;
>  
>  	/* check whether the inode bitmap block number is set */
>  	blk = ext4_inode_bitmap(sb, desc);
>  	offset = blk - group_first_block;
> -	if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
> +	if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
> +	    !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
>  		/* bad block bitmap */
>  		return blk;
>  
>  	/* check whether the inode table block number is set */
>  	blk = ext4_inode_table(sb, desc);
>  	offset = blk - group_first_block;
> +	if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
> +	    EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize)
> +		return blk;
>  	next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
>  			EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group),
>  			EXT4_B2C(sbi, offset));
> @@ -416,6 +421,7 @@ struct buffer_head *
>  ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
>  {
>  	struct ext4_group_desc *desc;
> +	struct ext4_sb_info *sbi = EXT4_SB(sb);
>  	struct buffer_head *bh;
>  	ext4_fsblk_t bitmap_blk;
>  	int err;
> @@ -424,6 +430,12 @@ ext4_read_block_bitmap_nowait(struct sup
>  	if (!desc)
>  		return ERR_PTR(-EFSCORRUPTED);
>  	bitmap_blk = ext4_block_bitmap(sb, desc);
> +	if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
> +	    (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
> +		ext4_error(sb, "Invalid block bitmap block %llu in "
> +			   "block_group %u", bitmap_blk, block_group);
> +		return ERR_PTR(-EFSCORRUPTED);
> +	}
>  	bh = sb_getblk(sb, bitmap_blk);
>  	if (unlikely(!bh)) {
>  		ext4_error(sb, "Cannot get buffer for block bitmap - "
> --- a/fs/ext4/ialloc.c
> +++ b/fs/ext4/ialloc.c
> @@ -119,6 +119,7 @@ static struct buffer_head *
>  ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
>  {
>  	struct ext4_group_desc *desc;
> +	struct ext4_sb_info *sbi = EXT4_SB(sb);
>  	struct buffer_head *bh = NULL;
>  	ext4_fsblk_t bitmap_blk;
>  	int err;
> @@ -128,6 +129,12 @@ ext4_read_inode_bitmap(struct super_bloc
>  		return ERR_PTR(-EFSCORRUPTED);
>  
>  	bitmap_blk = ext4_inode_bitmap(sb, desc);
> +	if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
> +	    (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
> +		ext4_error(sb, "Invalid inode bitmap blk %llu in "
> +			   "block_group %u", bitmap_blk, block_group);
> +		return ERR_PTR(-EFSCORRUPTED);
> +	}
>  	bh = sb_getblk(sb, bitmap_blk);
>  	if (unlikely(!bh)) {
>  		ext4_error(sb, "Cannot read inode bitmap - "
> 
> 
-- 
Ben Hutchings
It is easier to write an incorrect program
than to understand a correct one.


Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ