[T/X/A/B/C][PATCH 0/1] CVE-2018-1092

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

[T/X/A/B/C][PATCH 0/1] CVE-2018-1092

Khaled Elmously
Clean cherry-pick

Theodore Ts'o (1):
  ext4: fail ext4_iget for root directory if unallocated

 fs/ext4/inode.c | 6 ++++++
 1 file changed, 6 insertions(+)

--
2.17.0


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[T/X/A/B/C][PATCH 1/1] ext4: fail ext4_iget for root directory if unallocated

Khaled Elmously
From: Theodore Ts'o <[hidden email]>

CVE-2018-1092

If the root directory has an i_links_count of zero, then when the file
system is mounted, then when ext4_fill_super() notices the problem and
tries to call iput() the root directory in the error return path,
ext4_evict_inode() will try to free the inode on disk, before all of
the file system structures are set up, and this will result in an OOPS
caused by a NULL pointer dereference.

This issue has been assigned CVE-2018-1092.

https://bugzilla.kernel.org/show_bug.cgi?id=199179
https://bugzilla.redhat.com/show_bug.cgi?id=1560777

Reported-by: Wen Xu <[hidden email]>
Signed-off-by: Theodore Ts'o <[hidden email]>
Cc: [hidden email]
(cherry-picked from 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
Signed-off-by: Khalid Elmously <[hidden email]>
---
 fs/ext4/inode.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 3d4d1dccc8a1..398faeff1938 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4745,6 +4745,12 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
  goto bad_inode;
  raw_inode = ext4_raw_inode(&iloc);
 
+ if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
+ EXT4_ERROR_INODE(inode, "root inode unallocated");
+ ret = -EFSCORRUPTED;
+ goto bad_inode;
+ }
+
  if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
  ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
  if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
--
2.17.0


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[Acked] [T/X/A/B/C][PATCH 1/1] ext4: fail ext4_iget for root directory if unallocated

Andy Whitcroft-3
On Mon, May 14, 2018 at 01:41:46AM -0400, Khalid Elmously wrote:

> From: Theodore Ts'o <[hidden email]>
>
> CVE-2018-1092
>
> If the root directory has an i_links_count of zero, then when the file
> system is mounted, then when ext4_fill_super() notices the problem and
> tries to call iput() the root directory in the error return path,
> ext4_evict_inode() will try to free the inode on disk, before all of
> the file system structures are set up, and this will result in an OOPS
> caused by a NULL pointer dereference.
>
> This issue has been assigned CVE-2018-1092.
>
> https://bugzilla.kernel.org/show_bug.cgi?id=199179
> https://bugzilla.redhat.com/show_bug.cgi?id=1560777
>
> Reported-by: Wen Xu <[hidden email]>
> Signed-off-by: Theodore Ts'o <[hidden email]>
> Cc: [hidden email]
> (cherry-picked from 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
> Signed-off-by: Khalid Elmously <[hidden email]>
> ---
>  fs/ext4/inode.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
> index 3d4d1dccc8a1..398faeff1938 100644
> --- a/fs/ext4/inode.c
> +++ b/fs/ext4/inode.c
> @@ -4745,6 +4745,12 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
>   goto bad_inode;
>   raw_inode = ext4_raw_inode(&iloc);
>  
> + if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
> + EXT4_ERROR_INODE(inode, "root inode unallocated");
> + ret = -EFSCORRUPTED;
> + goto bad_inode;
> + }
> +
>   if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
>   ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
>   if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
> --
> 2.17.0
>
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Looks like a sensible early error bail.

Acked-by: Andy Whitcroft <[hidden email]>

-apw

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK[T/A/B/C]: [T/X/A/B/C][PATCH 1/1] ext4: fail ext4_iget for root directory if unallocated

Kleber Souza
In reply to this post by Khaled Elmously
On 05/14/18 07:41, Khalid Elmously wrote:

> From: Theodore Ts'o <[hidden email]>
>
> CVE-2018-1092
>
> If the root directory has an i_links_count of zero, then when the file
> system is mounted, then when ext4_fill_super() notices the problem and
> tries to call iput() the root directory in the error return path,
> ext4_evict_inode() will try to free the inode on disk, before all of
> the file system structures are set up, and this will result in an OOPS
> caused by a NULL pointer dereference.
>
> This issue has been assigned CVE-2018-1092.
>
> https://bugzilla.kernel.org/show_bug.cgi?id=199179
> https://bugzilla.redhat.com/show_bug.cgi?id=1560777
>
> Reported-by: Wen Xu <[hidden email]>
> Signed-off-by: Theodore Ts'o <[hidden email]>
> Cc: [hidden email]
> (cherry-picked from 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
> Signed-off-by: Khalid Elmously <[hidden email]>

Acked-by: Kleber Sacilotto de Souza <[hidden email]>

Not needed for Xenial, since the fix has already been applied as part of
update to 4.4.129 stable release.


Thanks,
Kleber

> ---
>  fs/ext4/inode.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
> index 3d4d1dccc8a1..398faeff1938 100644
> --- a/fs/ext4/inode.c
> +++ b/fs/ext4/inode.c
> @@ -4745,6 +4745,12 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
>   goto bad_inode;
>   raw_inode = ext4_raw_inode(&iloc);
>  
> + if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
> + EXT4_ERROR_INODE(inode, "root inode unallocated");
> + ret = -EFSCORRUPTED;
> + goto bad_inode;
> + }
> +
>   if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
>   ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
>   if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

NAK[T]: [T/X/A/B/C][PATCH 0/1] CVE-2018-1092

Po-Hsu Lin (Sam)
In reply to this post by Khaled Elmously
Although this can be cherry-picked for Trusty cleanly,
it adds an undeclared marco here "EFSCORRUPTED" and triggers build error from
the compiler:

/home/phlin/ubuntu-trusty/fs/ext4/inode.c: In function 'ext4_iget':
/home/phlin/ubuntu-trusty/fs/ext4/inode.c:4137:10: error: 'EFSCORRUPTED' undeclared (first use in this function)
   ret = -EFSCORRUPTED;
          ^
/home/phlin/ubuntu-trusty/fs/ext4/inode.c:4137:10: note: each undeclared identifier is reported only once for each function it appears in
  CC [M]  sound/pci/ice1712/maya44.o
make[4]: *** [fs/ext4/inode.o] Error 1

This was only defined for xfs in Trusty:
  phlin@tangerine:~/ubuntu-trusty$ git grep "define EFSCORRUPTED"
  fs/xfs/xfs_linux.h:#define EFSCORRUPTED EUCLEAN         /* Filesystem is corrupted */

For X/A/B, it's defined in ext4.h as well.

Thus I'm gonna put my NAK on Trusty only.

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

Re: NAK[T]: [T/X/A/B/C][PATCH 0/1] CVE-2018-1092

Khaled Elmously
On 2018-05-16 23:24:37 , Po-Hsu Lin wrote:

> Although this can be cherry-picked for Trusty cleanly,
> it adds an undeclared marco here "EFSCORRUPTED" and triggers build error from
> the compiler:
>
> /home/phlin/ubuntu-trusty/fs/ext4/inode.c: In function 'ext4_iget':
> /home/phlin/ubuntu-trusty/fs/ext4/inode.c:4137:10: error: 'EFSCORRUPTED' undeclared (first use in this function)
>    ret = -EFSCORRUPTED;
>           ^
> /home/phlin/ubuntu-trusty/fs/ext4/inode.c:4137:10: note: each undeclared identifier is reported only once for each function it appears in
>   CC [M]  sound/pci/ice1712/maya44.o
> make[4]: *** [fs/ext4/inode.o] Error 1
>
> This was only defined for xfs in Trusty:
>   phlin@tangerine:~/ubuntu-trusty$ git grep "define EFSCORRUPTED"
>   fs/xfs/xfs_linux.h:#define EFSCORRUPTED EUCLEAN         /* Filesystem is corrupted */
>
> For X/A/B, it's defined in ext4.h as well.
>
> Thus I'm gonna put my NAK on Trusty only.

Yes, good catch, thank you.

NACK for Trusty. I will send a v2 specifically for Trusty - thanks.

Khalid

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

APPLIED[A/B]: [T/X/A/B/C][PATCH 0/1] CVE-2018-1092

Kleber Souza
In reply to this post by Khaled Elmously
On 05/14/18 07:41, Khalid Elmously wrote:
> Clean cherry-pick
>
> Theodore Ts'o (1):
>   ext4: fail ext4_iget for root directory if unallocated
>
>  fs/ext4/inode.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>

Applied to artful/master-next and bionic/master-next branches.

Thanks,
Kleber

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team