ACK: [PATCH] ext4: verify the depth of extent tree in ext4_find_extent()
Stefan Bader
stefan.bader at canonical.com
Wed Jul 25 15:19:36 UTC 2018
On 24.07.2018 17:00, Paolo Pisati wrote:
> From: Theodore Ts'o <tytso at mit.edu>
>
> CVE-2018-10877
>
> If there is a corupted file system where the claimed depth of the
> extent tree is -1, this can cause a massive buffer overrun leading to
> sadness.
>
> This addresses CVE-2018-10877.
>
> https://bugzilla.kernel.org/show_bug.cgi?id=199417
>
> Signed-off-by: Theodore Ts'o <tytso at mit.edu>
> Cc: stable at kernel.org
> (backported from commit bc890a60247171294acc0bd67d211fa4b88d40ba)
> Signed-off-by: Paolo Pisati <paolo.pisati at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
> fs/ext4/ext4_extents.h | 1 +
> fs/ext4/extents.c | 6 ++++++
> 2 files changed, 7 insertions(+)
>
> diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h
> index 5074fe2..9c72cc3 100644
> --- a/fs/ext4/ext4_extents.h
> +++ b/fs/ext4/ext4_extents.h
> @@ -103,6 +103,7 @@ struct ext4_extent_header {
> };
>
> #define EXT4_EXT_MAGIC cpu_to_le16(0xf30a)
> +#define EXT4_MAX_EXTENT_DEPTH 5
>
> #define EXT4_EXTENT_TAIL_OFFSET(hdr) \
> (sizeof(struct ext4_extent_header) + \
> diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
> index 871070d..4b5c5c7 100644
> --- a/fs/ext4/extents.c
> +++ b/fs/ext4/extents.c
> @@ -847,6 +847,12 @@ ext4_ext_find_extent(struct inode *inode, ext4_lblk_t block,
>
> eh = ext_inode_hdr(inode);
> depth = ext_depth(inode);
> + if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) {
> + EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d",
> + depth);
> + ret = -EIO;
> + goto err;
> + }
>
> /* account possible depth increase */
> if (!path) {
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20180725/8a2620bb/attachment.sig>
More information about the kernel-team
mailing list