cve/published/2022/CVE-2022-49409.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49409: ext4: fix bug_on in __es_tree_search

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ext4: fix bug_on in __es_tree_search

 Hulk Robot reported a BUG_ON:
 ==================================================================
 kernel BUG at fs/ext4/extents_status.c:199!
 [...]
 RIP: 0010:ext4_es_end fs/ext4/extents_status.c:199 [inline]
 RIP: 0010:__es_tree_search+0x1e0/0x260 fs/ext4/extents_status.c:217
 [...]
 Call Trace:
  ext4_es_cache_extent+0x109/0x340 fs/ext4/extents_status.c:766
  ext4_cache_extents+0x239/0x2e0 fs/ext4/extents.c:561
  ext4_find_extent+0x6b7/0xa20 fs/ext4/extents.c:964
  ext4_ext_map_blocks+0x16b/0x4b70 fs/ext4/extents.c:4384
  ext4_map_blocks+0xe26/0x19f0 fs/ext4/inode.c:567
  ext4_getblk+0x320/0x4c0 fs/ext4/inode.c:980
  ext4_bread+0x2d/0x170 fs/ext4/inode.c:1031
  ext4_quota_read+0x248/0x320 fs/ext4/super.c:6257
  v2_read_header+0x78/0x110 fs/quota/quota_v2.c:63
  v2_check_quota_file+0x76/0x230 fs/quota/quota_v2.c:82
  vfs_load_quota_inode+0x5d1/0x1530 fs/quota/dquot.c:2368
  dquot_enable+0x28a/0x330 fs/quota/dquot.c:2490
  ext4_quota_enable fs/ext4/super.c:6137 [inline]
  ext4_enable_quotas+0x5d7/0x960 fs/ext4/super.c:6163
  ext4_fill_super+0xa7c9/0xdc00 fs/ext4/super.c:4754
  mount_bdev+0x2e9/0x3b0 fs/super.c:1158
  mount_fs+0x4b/0x1e4 fs/super.c:1261
 [...]
 ==================================================================

 Above issue may happen as follows:
 -------------------------------------
 ext4_fill_super
  ext4_enable_quotas
   ext4_quota_enable
    ext4_iget
     __ext4_iget
      ext4_ext_check_inode
       ext4_ext_check
        __ext4_ext_check
         ext4_valid_extent_entries
          Check for overlapping extents does't take effect
    dquot_enable
     vfs_load_quota_inode
      v2_check_quota_file
       v2_read_header
        ext4_quota_read
         ext4_bread
          ext4_getblk
           ext4_map_blocks
            ext4_ext_map_blocks
             ext4_find_extent
              ext4_cache_extents
               ext4_es_cache_extent
                ext4_es_cache_extent
                 __es_tree_search
                  ext4_es_end
                   BUG_ON(es->es_lblk + es->es_len < es->es_lblk)

 The error ext4 extents is as follows:
 0af3 0300 0400 0000 00000000    extent_header
 00000000 0100 0000 12000000     extent1
 00000000 0100 0000 18000000     extent2
 02000000 0400 0000 14000000     extent3

 In the ext4_valid_extent_entries function,
 if prev is 0, no error is returned even if lblock<=prev.
 This was intended to skip the check on the first extent, but
 in the error image above, prev=0+1-1=0 when checking the second extent,
 so even though lblock<=prev, the function does not return an error.
 As a result, bug_ON occurs in __es_tree_search and the system panics.

 To solve this problem, we only need to check that:
 1. The lblock of the first extent is not less than 0.
 2. The lblock of the next extent  is not less than
    the next block of the previous extent.
 The same applies to extent_idx.

 The Linux kernel CVE team has assigned CVE-2022-49409 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.4.277 with commit d0083459e2b6b07ebd78bea2fe684a19cc0f3d0f
 	Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.10.121 with commit 4fd58b5cf118d2d9038a0b8c9cc0e43096297686
 	Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.15.46 with commit 3c617827cd51018bc377bd2954e176920ddbcfad
 	Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.17.14 with commit 59cf2fabbfe76de29d88dd7ae69858a25735b59f
 	Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.18.3 with commit ea6ea18b3ab0c0d7fefffb3c4d27df758b1c790a
 	Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.19 with commit d36f6ed761b53933b0b4126486c10d3da7751e7f
 	Issue introduced in 3.2.55 with commit 4645e4ee32aee01a85bdc03348982a65c65ce216
 	Issue introduced in 3.4.76 with commit a1192c0e5d037def6763f3873d3340615c241fe7
 	Issue introduced in 3.10.26 with commit ae21dda05193c441bde106a4bbf88c185a68fbed
 	Issue introduced in 3.12.7 with commit ea214c946ee77588c4313be3e9951edd25d6b270

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49409
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/ext4/extents.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d0083459e2b6b07ebd78bea2fe684a19cc0f3d0f
 	https://git.kernel.org/stable/c/4fd58b5cf118d2d9038a0b8c9cc0e43096297686
 	https://git.kernel.org/stable/c/3c617827cd51018bc377bd2954e176920ddbcfad
 	https://git.kernel.org/stable/c/59cf2fabbfe76de29d88dd7ae69858a25735b59f
 	https://git.kernel.org/stable/c/ea6ea18b3ab0c0d7fefffb3c4d27df758b1c790a
 	https://git.kernel.org/stable/c/d36f6ed761b53933b0b4126486c10d3da7751e7f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49409: ext4: fix bug_on in __es_tree_search

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ext4: fix bug_on in __es_tree_search

	Hulk Robot reported a BUG_ON:
	==================================================================
	kernel BUG at fs/ext4/extents_status.c:199!
	[...]
	RIP: 0010:ext4_es_end fs/ext4/extents_status.c:199 [inline]
	RIP: 0010:__es_tree_search+0x1e0/0x260 fs/ext4/extents_status.c:217
	[...]
	Call Trace:
	ext4_es_cache_extent+0x109/0x340 fs/ext4/extents_status.c:766
	ext4_cache_extents+0x239/0x2e0 fs/ext4/extents.c:561
	ext4_find_extent+0x6b7/0xa20 fs/ext4/extents.c:964
	ext4_ext_map_blocks+0x16b/0x4b70 fs/ext4/extents.c:4384
	ext4_map_blocks+0xe26/0x19f0 fs/ext4/inode.c:567
	ext4_getblk+0x320/0x4c0 fs/ext4/inode.c:980
	ext4_bread+0x2d/0x170 fs/ext4/inode.c:1031
	ext4_quota_read+0x248/0x320 fs/ext4/super.c:6257
	v2_read_header+0x78/0x110 fs/quota/quota_v2.c:63
	v2_check_quota_file+0x76/0x230 fs/quota/quota_v2.c:82
	vfs_load_quota_inode+0x5d1/0x1530 fs/quota/dquot.c:2368
	dquot_enable+0x28a/0x330 fs/quota/dquot.c:2490
	ext4_quota_enable fs/ext4/super.c:6137 [inline]
	ext4_enable_quotas+0x5d7/0x960 fs/ext4/super.c:6163
	ext4_fill_super+0xa7c9/0xdc00 fs/ext4/super.c:4754
	mount_bdev+0x2e9/0x3b0 fs/super.c:1158
	mount_fs+0x4b/0x1e4 fs/super.c:1261
	[...]
	==================================================================

	Above issue may happen as follows:
	-------------------------------------
	ext4_fill_super
	ext4_enable_quotas
	ext4_quota_enable
	ext4_iget
	__ext4_iget
	ext4_ext_check_inode
	ext4_ext_check
	__ext4_ext_check
	ext4_valid_extent_entries
	Check for overlapping extents does't take effect
	dquot_enable
	vfs_load_quota_inode
	v2_check_quota_file
	v2_read_header
	ext4_quota_read
	ext4_bread
	ext4_getblk
	ext4_map_blocks
	ext4_ext_map_blocks
	ext4_find_extent
	ext4_cache_extents
	ext4_es_cache_extent
	ext4_es_cache_extent
	__es_tree_search
	ext4_es_end
	BUG_ON(es->es_lblk + es->es_len < es->es_lblk)

	The error ext4 extents is as follows:
	0af3 0300 0400 0000 00000000 extent_header
	00000000 0100 0000 12000000 extent1
	00000000 0100 0000 18000000 extent2
	02000000 0400 0000 14000000 extent3

	In the ext4_valid_extent_entries function,
	if prev is 0, no error is returned even if lblock<=prev.
	This was intended to skip the check on the first extent, but
	in the error image above, prev=0+1-1=0 when checking the second extent,
	so even though lblock<=prev, the function does not return an error.
	As a result, bug_ON occurs in __es_tree_search and the system panics.

	To solve this problem, we only need to check that:
	1. The lblock of the first extent is not less than 0.
	2. The lblock of the next extent is not less than
	the next block of the previous extent.
	The same applies to extent_idx.

	The Linux kernel CVE team has assigned CVE-2022-49409 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.4.277 with commit d0083459e2b6b07ebd78bea2fe684a19cc0f3d0f
	Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.10.121 with commit 4fd58b5cf118d2d9038a0b8c9cc0e43096297686
	Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.15.46 with commit 3c617827cd51018bc377bd2954e176920ddbcfad
	Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.17.14 with commit 59cf2fabbfe76de29d88dd7ae69858a25735b59f
	Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.18.3 with commit ea6ea18b3ab0c0d7fefffb3c4d27df758b1c790a
	Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.19 with commit d36f6ed761b53933b0b4126486c10d3da7751e7f
	Issue introduced in 3.2.55 with commit 4645e4ee32aee01a85bdc03348982a65c65ce216
	Issue introduced in 3.4.76 with commit a1192c0e5d037def6763f3873d3340615c241fe7
	Issue introduced in 3.10.26 with commit ae21dda05193c441bde106a4bbf88c185a68fbed
	Issue introduced in 3.12.7 with commit ea214c946ee77588c4313be3e9951edd25d6b270

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49409
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/ext4/extents.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d0083459e2b6b07ebd78bea2fe684a19cc0f3d0f
	https://git.kernel.org/stable/c/4fd58b5cf118d2d9038a0b8c9cc0e43096297686
	https://git.kernel.org/stable/c/3c617827cd51018bc377bd2954e176920ddbcfad
	https://git.kernel.org/stable/c/59cf2fabbfe76de29d88dd7ae69858a25735b59f
	https://git.kernel.org/stable/c/ea6ea18b3ab0c0d7fefffb3c4d27df758b1c790a
	https://git.kernel.org/stable/c/d36f6ed761b53933b0b4126486c10d3da7751e7f