ACK: [PATCH] ext4: verify the depth of extent tree in ext4_find_extent()

Wed Jul 25 15:19:36 UTC 2018

On 24.07.2018 17:00, Paolo Pisati wrote:
> From: Theodore Ts'o <tytso at mit.edu>
> 
> CVE-2018-10877
> 
> If there is a corupted file system where the claimed depth of the
> extent tree is -1, this can cause a massive buffer overrun leading to
> sadness.
> 
> This addresses CVE-2018-10877.
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=199417
> 
> Signed-off-by: Theodore Ts'o <tytso at mit.edu>
> Cc: stable at kernel.org
> (backported from commit bc890a60247171294acc0bd67d211fa4b88d40ba)
> Signed-off-by: Paolo Pisati <paolo.pisati at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
>  fs/ext4/ext4_extents.h | 1 +
>  fs/ext4/extents.c      | 6 ++++++
>  2 files changed, 7 insertions(+)
> 
> diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h
> index 5074fe2..9c72cc3 100644
> --- a/fs/ext4/ext4_extents.h
> +++ b/fs/ext4/ext4_extents.h
> @@ -103,6 +103,7 @@ struct ext4_extent_header {
>  };
>  
>  #define EXT4_EXT_MAGIC		cpu_to_le16(0xf30a)
> +#define EXT4_MAX_EXTENT_DEPTH 5
>  
>  #define EXT4_EXTENT_TAIL_OFFSET(hdr) \
>  	(sizeof(struct ext4_extent_header) + \
> diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
> index 871070d..4b5c5c7 100644
> --- a/fs/ext4/extents.c
> +++ b/fs/ext4/extents.c
> @@ -847,6 +847,12 @@ ext4_ext_find_extent(struct inode *inode, ext4_lblk_t block,
>  
>  	eh = ext_inode_hdr(inode);
>  	depth = ext_depth(inode);
> +	if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) {
> +		EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d",
> +				 depth);
> +		ret = -EIO;
> +		goto err;
> +	}
>  
>  	/* account possible depth increase */
>  	if (!path) {
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20180725/8a2620bb/attachment.sig>