Commit 7dac4a17 authored by Theodore Ts'o's avatar Theodore Ts'o
Browse files

ext4: add validity checks for bitmap block numbers 

An privileged attacker can cause a crash by mounting a crafted ext4
image which triggers a out-of-bounds read in the function
ext4_valid_block_bitmap() in fs/ext4/balloc.c.

This issue has been assigned CVE-2018-1093.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782


Reported-by: default avatarWen Xu <wen.xu@gatech.edu>
Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
parent dcae058a

fs/ext4/balloc.c

+14 −2
Original line number Diff line number Diff line
@@ -338,20 +338,25 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb, 
	/* check whether block bitmap block number is set */

	blk = ext4_block_bitmap(sb, desc);

	offset = blk - group_first_block;

	if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))

	if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||

	    !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))

		/* bad block bitmap */

		return blk;



	/* check whether the inode bitmap block number is set */

	blk = ext4_inode_bitmap(sb, desc);

	offset = blk - group_first_block;

	if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))

	if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||

	    !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))

		/* bad block bitmap */

		return blk;



	/* check whether the inode table block number is set */

	blk = ext4_inode_table(sb, desc);

	offset = blk - group_first_block;

	if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||

	    EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize)

		return blk;

	next_zero_bit = ext4_find_next_zero_bit(bh->b_data,

			EXT4_B2C(sbi, offset + sbi->s_itb_per_group),

			EXT4_B2C(sbi, offset));
@@ -417,6 +422,7 @@ struct buffer_head * 
ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)

{

	struct ext4_group_desc *desc;

	struct ext4_sb_info *sbi = EXT4_SB(sb);

	struct buffer_head *bh;

	ext4_fsblk_t bitmap_blk;

	int err;
@@ -425,6 +431,12 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group) 
	if (!desc)

		return ERR_PTR(-EFSCORRUPTED);

	bitmap_blk = ext4_block_bitmap(sb, desc);

	if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||

	    (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {

		ext4_error(sb, "Invalid block bitmap block %llu in "

			   "block_group %u", bitmap_blk, block_group);

		return ERR_PTR(-EFSCORRUPTED);

	}

	bh = sb_getblk(sb, bitmap_blk);

	if (unlikely(!bh)) {

		ext4_error(sb, "Cannot get buffer for block bitmap - "

fs/ext4/ialloc.c

+7 −0
Original line number Diff line number Diff line
@@ -122,6 +122,7 @@ static struct buffer_head * 
ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)

{

	struct ext4_group_desc *desc;

	struct ext4_sb_info *sbi = EXT4_SB(sb);

	struct buffer_head *bh = NULL;

	ext4_fsblk_t bitmap_blk;

	int err;
@@ -131,6 +132,12 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) 
		return ERR_PTR(-EFSCORRUPTED);



	bitmap_blk = ext4_inode_bitmap(sb, desc);

	if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||

	    (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {

		ext4_error(sb, "Invalid inode bitmap blk %llu in "

			   "block_group %u", bitmap_blk, block_group);

		return ERR_PTR(-EFSCORRUPTED);

	}

	bh = sb_getblk(sb, bitmap_blk);

	if (unlikely(!bh)) {

		ext4_error(sb, "Cannot read inode bitmap - "

CRA Git | Maintained and supported by SUSTech CRA and CCSE