releases/4.4.17/ext4-verify-extent-header-depth.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 7bc9491645118c9461bd21099c31755ff6783593 Mon Sep 17 00:00:00 2001
 From: Vegard Nossum <vegard.nossum@oracle.com>
 Date: Fri, 15 Jul 2016 00:22:07 -0400
 Subject: ext4: verify extent header depth

 From: Vegard Nossum <vegard.nossum@oracle.com>

 commit 7bc9491645118c9461bd21099c31755ff6783593 upstream.

 Although the extent tree depth of 5 should enough be for the worst
 case of 2*32 extents of length 1, the extent tree code does not
 currently to merge nodes which are less than half-full with a sibling
 node, or to shrink the tree depth if possible.  So it's possible, at
 least in theory, for the tree depth to be greater than 5.  However,
 even in the worst case, a tree depth of 32 is highly unlikely, and if
 the file system is maliciously corrupted, an insanely large eh_depth
 can cause memory allocation failures that will trigger kernel warnings
 (here, eh_depth = 65280):

     JBD2: ext4.exe wants too many credits credits:195849 rsv_credits:0 max:256
     ------------[ cut here ]------------
     WARNING: CPU: 0 PID: 50 at fs/jbd2/transaction.c:293 start_this_handle+0x569/0x580
     CPU: 0 PID: 50 Comm: ext4.exe Not tainted 4.7.0-rc5+ #508
     Stack:
      604a8947 625badd8 0002fd09 00000000
      60078643 00000000 62623910 601bf9bc
      62623970 6002fc84 626239b0 900000125
     Call Trace:
      [<6001c2dc>] show_stack+0xdc/0x1a0
      [<601bf9bc>] dump_stack+0x2a/0x2e
      [<6002fc84>] __warn+0x114/0x140
      [<6002fdff>] warn_slowpath_null+0x1f/0x30
      [<60165829>] start_this_handle+0x569/0x580
      [<60165d4e>] jbd2__journal_start+0x11e/0x220
      [<60146690>] __ext4_journal_start_sb+0x60/0xa0
      [<60120a81>] ext4_truncate+0x131/0x3a0
      [<60123677>] ext4_setattr+0x757/0x840
      [<600d5d0f>] notify_change+0x16f/0x2a0
      [<600b2b16>] do_truncate+0x76/0xc0
      [<600c3e56>] path_openat+0x806/0x1300
      [<600c55c9>] do_filp_open+0x89/0xf0
      [<600b4074>] do_sys_open+0x134/0x1e0
      [<600b4140>] SyS_open+0x20/0x30
      [<6001ea68>] handle_syscall+0x88/0x90
      [<600295fd>] userspace+0x3fd/0x500
      [<6001ac55>] fork_handler+0x85/0x90

     ---[ end trace 08b0b88b6387a244 ]---

 [ Commit message modified and the extent tree depath check changed
 from 5 to 32 -- tytso ]

 Cc: Darrick J. Wong <darrick.wong@oracle.com>
 Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  fs/ext4/extents.c |    4 ++++
  1 file changed, 4 insertions(+)

 --- a/fs/ext4/extents.c
 +++ b/fs/ext4/extents.c
 @@ -469,6 +469,10 @@ static int __ext4_ext_check(const char *
  		error_msg = "invalid extent entries";
  		goto corrupted;
  	}
 +	if (unlikely(depth > 32)) {
 +		error_msg = "too large eh_depth";
 +		goto corrupted;
 +	}
  	/* Verify checksum on non-root extent tree nodes */
  	if (ext_depth(inode) != depth &&
  	    !ext4_extent_block_csum_verify(inode, eh)) {
	From 7bc9491645118c9461bd21099c31755ff6783593 Mon Sep 17 00:00:00 2001
	From: Vegard Nossum <vegard.nossum@oracle.com>
	Date: Fri, 15 Jul 2016 00:22:07 -0400
	Subject: ext4: verify extent header depth

	From: Vegard Nossum <vegard.nossum@oracle.com>

	commit 7bc9491645118c9461bd21099c31755ff6783593 upstream.

	Although the extent tree depth of 5 should enough be for the worst
	case of 2*32 extents of length 1, the extent tree code does not
	currently to merge nodes which are less than half-full with a sibling
	node, or to shrink the tree depth if possible. So it's possible, at
	least in theory, for the tree depth to be greater than 5. However,
	even in the worst case, a tree depth of 32 is highly unlikely, and if
	the file system is maliciously corrupted, an insanely large eh_depth
	can cause memory allocation failures that will trigger kernel warnings
	(here, eh_depth = 65280):

	JBD2: ext4.exe wants too many credits credits:195849 rsv_credits:0 max:256
	------------[ cut here ]------------
	WARNING: CPU: 0 PID: 50 at fs/jbd2/transaction.c:293 start_this_handle+0x569/0x580
	CPU: 0 PID: 50 Comm: ext4.exe Not tainted 4.7.0-rc5+ #508
	Stack:
	604a8947 625badd8 0002fd09 00000000
	60078643 00000000 62623910 601bf9bc
	62623970 6002fc84 626239b0 900000125
	Call Trace:
	[<6001c2dc>] show_stack+0xdc/0x1a0
	[<601bf9bc>] dump_stack+0x2a/0x2e
	[<6002fc84>] __warn+0x114/0x140
	[<6002fdff>] warn_slowpath_null+0x1f/0x30
	[<60165829>] start_this_handle+0x569/0x580
	[<60165d4e>] jbd2__journal_start+0x11e/0x220
	[<60146690>] __ext4_journal_start_sb+0x60/0xa0
	[<60120a81>] ext4_truncate+0x131/0x3a0
	[<60123677>] ext4_setattr+0x757/0x840
	[<600d5d0f>] notify_change+0x16f/0x2a0
	[<600b2b16>] do_truncate+0x76/0xc0
	[<600c3e56>] path_openat+0x806/0x1300
	[<600c55c9>] do_filp_open+0x89/0xf0
	[<600b4074>] do_sys_open+0x134/0x1e0
	[<600b4140>] SyS_open+0x20/0x30
	[<6001ea68>] handle_syscall+0x88/0x90
	[<600295fd>] userspace+0x3fd/0x500
	[<6001ac55>] fork_handler+0x85/0x90

	---[ end trace 08b0b88b6387a244 ]---

	[ Commit message modified and the extent tree depath check changed
	from 5 to 32 -- tytso ]

	Cc: Darrick J. Wong <darrick.wong@oracle.com>
	Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	fs/ext4/extents.c \| 4 ++++
	1 file changed, 4 insertions(+)

	--- a/fs/ext4/extents.c
	+++ b/fs/ext4/extents.c
	@@ -469,6 +469,10 @@ static int __ext4_ext_check(const char *
	error_msg = "invalid extent entries";
	goto corrupted;
	}
	+ if (unlikely(depth > 32)) {
	+ error_msg = "too large eh_depth";
	+ goto corrupted;
	+ }
	/* Verify checksum on non-root extent tree nodes */
	if (ext_depth(inode) != depth &&
	!ext4_extent_block_csum_verify(inode, eh)) {