From patchwork Wed Jul 25 18:09:34 2018
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 949334
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Trusty][PATCH 1/2] ext4: validate s_first_meta_bg at mount time
Date: Wed, 25 Jul 2018 20:09:34 +0200
Message-Id: <20180725180935.2503-2-kleber.souza@canonical.com>
In-Reply-To: <20180725180935.2503-1-kleber.souza@canonical.com>
References: <20180725180935.2503-1-kleber.souza@canonical.com>
From: Eryu Guan

commit 3a4b77cd47bb837b8557595ec7425f281f2ca1fe upstream.

Ralf Spenneberg reported that he hit a kernel crash when mounting a
modified ext4 image. And it turns out that the kernel crashed when
calculating fs overhead (ext4_calculate_overhead()). This is because the
image has a very large s_first_meta_bg (debug code shows it's 842150400),
and ext4 overruns the memory in count_overhead() when setting the bitmap
buffer, which is PAGE_SIZE.

ext4_calculate_overhead():
  buf = get_zeroed_page(GFP_NOFS);  <=== PAGE_SIZE buffer
  blks = count_overhead(sb, i, buf);

count_overhead():
  for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) { <=== j = 842150400
          ext4_set_bit(EXT4_B2C(sbi, s++), buf);   <=== buffer overrun
          count++;
  }

This can be reproduced easily for me by this script:

  #!/bin/bash
  rm -f fs.img
  mkdir -p /mnt/ext4
  fallocate -l 16M fs.img
  mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img
  debugfs -w -R "ssv first_meta_bg 842150400" fs.img
  mount -o loop fs.img /mnt/ext4

Fix it by validating s_first_meta_bg first at mount time, and refusing to
mount if its value exceeds the largest possible meta_bg number.

[js] use EXT4_HAS_INCOMPAT_FEATURE instead of new ext4_has_feature_meta_bg

Reported-by: Ralf Spenneberg
Signed-off-by: Eryu Guan
Signed-off-by: Theodore Ts'o
Reviewed-by: Andreas Dilger
Signed-off-by: Jiri Slaby
Signed-off-by: Willy Tarreau

CVE-2016-10208

(cherry picked from commit 188b2ebb367591a1841825294f21f30186743186 linux-stable)
Signed-off-by: Kleber Sacilotto de Souza
---
 fs/ext4/super.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 3b313429b83f..ffca676b968d 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3831,6 +3831,15 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) (EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb))); db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) / EXT4_DESC_PER_BLOCK(sb); + if (EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_META_BG)) { + if (le32_to_cpu(es->s_first_meta_bg) >= db_count) { + ext4_msg(sb, KERN_WARNING, + "first meta block group too large: %u " + "(group descriptor block count %u)", + le32_to_cpu(es->s_first_meta_bg), db_count); + goto failed_mount; + } + } sbi->s_group_desc = ext4_kvmalloc(db_count * sizeof(struct buffer_head *), GFP_KERNEL);
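Review bot: the `>= db_count` comparison in the new block is the correct bound and deserves a sentence in the SRU justification, because the commit message only says "exceeds the largest possible meta_bg number": s_first_meta_bg indexes a group descriptor block, db_count is the number of such blocks computed two lines above the hunk, so the valid range is 0 .. db_count-1 and `>=` rejects both the reproducer's 842150400 and the boundary value db_count itself. The check sits after db_count is derived and before the ext4_kvmalloc() of sbi->s_group_desc, so `goto failed_mount` has nothing new to release, and it is gated on EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_META_BG), which is the macro swap the "[js]" line in the commit message documents for this older tree in place of upstream's ext4_has_feature_meta_bg(). Nothing else in the hunk differs from what the commit message describes.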
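As an added illustration of the bug class and the fix described in the commit message above (example code written for this page, not code from the patch, from ext4 or from its authors): a user-space model of the mount-time check, next to a simplified stand-in for the count_overhead() loop it protects. The page shows that with the malformed image ext4_bg_num_gdb() returns j = 842150400 and that the loop sets one bit per iteration into a PAGE_SIZE buffer; the model reproduces that arithmetic and reports how many bit indices would land outside the buffer instead of writing them. The page size, descriptors-per-block value, group count and all `model_` names are constructed assumptions, not ext4 constants.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed constants (assumptions, not read from ext4 headers):
 * a 4 KiB page and 4 KiB blocks holding 32-byte group descriptors. */
#define MODEL_PAGE_SIZE        4096u
#define MODEL_DESC_PER_BLOCK   128u
#define MODEL_BITMAP_BITS      (MODEL_PAGE_SIZE * 8u)

/* Mirrors the db_count arithmetic visible in the hunk: the number of
 * group-descriptor blocks needed to describe groups_count block groups. */
unsigned int model_gdb_block_count(unsigned int groups_count)
{
    return (groups_count + MODEL_DESC_PER_BLOCK - 1) / MODEL_DESC_PER_BLOCK;
}

/* The mount-time check the patch adds, in user-space form. It applies only
 * when the META_BG feature is set; s_first_meta_bg must then index an
 * existing descriptor block, i.e. lie strictly below db_count.
 * Returns 0 to accept the superblock, -1 to refuse the mount. */
int model_validate_first_meta_bg(int has_meta_bg, uint32_t first_meta_bg,
                                 unsigned int db_count)
{
    if (has_meta_bg && first_meta_bg >= db_count) {
        fprintf(stderr, "first meta block group too large: %u "
                        "(group descriptor block count %u)\n",
                first_meta_bg, db_count);
        return -1;
    }
    return 0;
}

/* Simplified model of the overrun the commit message shows: the
 * count_overhead() loop sets one bit per descriptor block, starting at bit
 * `start`, for `gdb_count` iterations, into a bitmap of PAGE_SIZE bytes.
 * Rather than writing anything, this returns how many of those bit indices
 * would fall past the end of the bitmap (0 means the loop stays in bounds). */
uint64_t model_bits_beyond_bitmap(uint64_t start, uint64_t gdb_count)
{
    uint64_t end = start + gdb_count;   /* one past the last bit index */
    if (end <= MODEL_BITMAP_BITS)
        return 0;
    if (start >= MODEL_BITMAP_BITS)
        return gdb_count;
    return end - MODEL_BITMAP_BITS;
}

int main(void)
{
    /* Constructed scenario: a small image with 2 block groups, hence a
     * single descriptor block, carrying the reproducer's s_first_meta_bg. */
    unsigned int db_count = model_gdb_block_count(2);
    uint32_t bad_first_meta_bg = 842150400u;

    printf("db_count = %u\n", db_count);
    printf("bit indices past the PAGE_SIZE bitmap without the check: %llu\n",
           (unsigned long long)model_bits_beyond_bitmap(0, bad_first_meta_bg));
    if (model_validate_first_meta_bg(1, bad_first_meta_bg, db_count) < 0)
        printf("mount refused, as the patched ext4_fill_super() would do\n");
    return 0;
}
```

The point the model makes concrete is that the buffer holds MODEL_PAGE_SIZE * 8 = 32768 bit positions, while an unvalidated s_first_meta_bg drives the loop for 842150400 iterations, so rejecting the value before any descriptor buffers are allocated is the only place the bound can be enforced cheaply.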