Commit 592acbf1 authored by Sriram Rajagopalan's avatar Sriram Rajagopalan Committed by Theodore Ts'o
Browse files

ext4: zero out the unused memory region in the extent tree block 



This commit zeroes out the unused memory region in the buffer_head
corresponding to the extent metablock after writing the extent header
and the corresponding extent node entries.

This is done to prevent random uninitialized data from getting into
the filesystem when the extent block is synced.

This fixes CVE-2019-11833.

Signed-off-by: default avatarSriram Rajagopalan <sriramr@arista.com>
Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
parent db90f419

fs/ext4/extents.c

+15 −2
Original line number Diff line number Diff line
@@ -1035,6 +1035,7 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode, 
	__le32 border;

	ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */

	int err = 0;

	size_t ext_size = 0;



	/* make decision: where to split? */

	/* FIXME: now decision is simplest: at current extent */
@@ -1126,6 +1127,10 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode, 
		le16_add_cpu(&neh->eh_entries, m);

	}



	/* zero out unused area in the extent block */

	ext_size = sizeof(struct ext4_extent_header) +

		sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries);

	memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);

	ext4_extent_block_csum_set(inode, neh);

	set_buffer_uptodate(bh);

	unlock_buffer(bh);
@@ -1205,6 +1210,11 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode, 
				sizeof(struct ext4_extent_idx) * m);

			le16_add_cpu(&neh->eh_entries, m);

		}

		/* zero out unused area in the extent block */

		ext_size = sizeof(struct ext4_extent_header) +

		   (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries));

		memset(bh->b_data + ext_size, 0,

			inode->i_sb->s_blocksize - ext_size);

		ext4_extent_block_csum_set(inode, neh);

		set_buffer_uptodate(bh);

		unlock_buffer(bh);
@@ -1270,6 +1280,7 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode, 
	ext4_fsblk_t newblock, goal = 0;

	struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es;

	int err = 0;

	size_t ext_size = 0;



	/* Try to prepend new index to old one */

	if (ext_depth(inode))
@@ -1295,9 +1306,11 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode, 
		goto out;

	}



	ext_size = sizeof(EXT4_I(inode)->i_data);

	/* move top-level index/leaf into new block */

	memmove(bh->b_data, EXT4_I(inode)->i_data,

		sizeof(EXT4_I(inode)->i_data));

	memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size);

	/* zero out unused area in the extent block */

	memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);



	/* set size of new block */

	neh = ext_block_hdr(bh);

CRA Git | Maintained and supported by SUSTech CRA and CCSE