| From c37e9e013469521d9adb932d17a1795c139b36db Mon Sep 17 00:00:00 2001 |
| From: Theodore Ts'o <tytso@mit.edu> |
| Date: Sun, 17 Jun 2018 00:41:14 -0400 |
| Subject: ext4: add more inode number paranoia checks |
| |
| From: Theodore Ts'o <tytso@mit.edu> |
| |
| commit c37e9e013469521d9adb932d17a1795c139b36db upstream. |
| |
| If there is a directory entry pointing to a system inode (such as a |
| journal inode), complain and declare the file system to be corrupted. |
| |
| Also, if the superblock's first inode number field is too small, |
| refuse to mount the file system. |
| |
| This addresses CVE-2018-10882. |
| |
| https://bugzilla.kernel.org/show_bug.cgi?id=200069 |
| |
| Signed-off-by: Theodore Ts'o <tytso@mit.edu> |
| Cc: stable@kernel.org |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/ext4/ext4.h | 5 ----- |
| fs/ext4/inode.c | 3 ++- |
| fs/ext4/super.c | 5 +++++ |
| 3 files changed, 7 insertions(+), 6 deletions(-) |
| |
| --- a/fs/ext4/ext4.h |
| +++ b/fs/ext4/ext4.h |
| @@ -1468,11 +1468,6 @@ static inline struct timespec ext4_curre |
| static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino) |
| { |
| return ino == EXT4_ROOT_INO || |
| - ino == EXT4_USR_QUOTA_INO || |
| - ino == EXT4_GRP_QUOTA_INO || |
| - ino == EXT4_BOOT_LOADER_INO || |
| - ino == EXT4_JOURNAL_INO || |
| - ino == EXT4_RESIZE_INO || |
| (ino >= EXT4_FIRST_INO(sb) && |
| ino <= le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)); |
| } |
| --- a/fs/ext4/inode.c |
| +++ b/fs/ext4/inode.c |
| @@ -3991,7 +3991,8 @@ static int __ext4_get_inode_loc(struct i |
| int inodes_per_block, inode_offset; |
| |
| iloc->bh = NULL; |
| - if (!ext4_valid_inum(sb, inode->i_ino)) |
| + if (inode->i_ino < EXT4_ROOT_INO || |
| + inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)) |
| return -EFSCORRUPTED; |
| |
| iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb); |
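Review bot: The open-coded range test that replaces `ext4_valid_inum()` at the top of `__ext4_get_inode_loc()` has no comment explaining why it is deliberately looser than the helper. After the ext4.h hunk, `ext4_valid_inum()` rejects the quota, boot loader, journal and resize inodes, while this path presumably still has to read them, so it only bounds `i_ino` between `EXT4_ROOT_INO` and `s_inodes_count`. Without a comment, a later cleanup could fold the two checks back together and either break loading of the reserved inodes or re-admit them for directory entries. I would add above the `if`: `/* Reserved inodes are still loaded through here, so only range-check i_ino; ext4_valid_inum() is the stricter test for inode numbers taken from directory entries. */`. The function body starts and continues outside this hunk.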
| --- a/fs/ext4/super.c |
| +++ b/fs/ext4/super.c |
| @@ -3549,6 +3549,11 @@ static int ext4_fill_super(struct super_ |
| } else { |
| sbi->s_inode_size = le16_to_cpu(es->s_inode_size); |
| sbi->s_first_ino = le32_to_cpu(es->s_first_ino); |
| + if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) { |
| + ext4_msg(sb, KERN_ERR, "invalid first ino: %u", |
| + sbi->s_first_ino); |
| + goto failed_mount; |
| + } |
| if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) || |
| (!is_power_of_2(sbi->s_inode_size)) || |
| (sbi->s_inode_size > blocksize)) { |
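Review bot: The added `s_first_ino` check in `ext4_fill_super()` bounds the on-disk value from below only, so a crafted superblock can still carry a first inode number larger than `s_inodes_count`. From the visible `ext4_valid_inum()` that case fails closed, since every inode except root is then rejected, but it surfaces later as corruption errors rather than as a clear mount refusal. If `s_inodes_count` is trustworthy at this point, which cannot be confirmed from this hunk, consider extending the condition to `if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO || sbi->s_first_ino > le32_to_cpu(es->s_inodes_count)) {`. The enclosing function starts outside the hunk, and the hunk ends partway through the following inode-size check.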