Diffstat (limited to 'debian/patches/bugfix/all/ext4-add-more-inode-number-paranoia-checks.patch')
-rw-r--r-- | debian/patches/bugfix/all/ext4-add-more-inode-number-paranoia-checks.patch | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/debian/patches/bugfix/all/ext4-add-more-inode-number-paranoia-checks.patch b/debian/patches/bugfix/all/ext4-add-more-inode-number-paranoia-checks.patch
new file mode 100644
index 000000000000..5a509ea4986f
--- /dev/null
+++ b/debian/patches/bugfix/all/ext4-add-more-inode-number-paranoia-checks.patch
@@ -0,0 +1,63 @@
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 17 Jun 2018 00:41:14 -0400
+Subject: ext4: add more inode number paranoia checks
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=a0b4bd6c4418a8d2ba51f27968f5af005e5dbbdd
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10882
+
+If there is a directory entry pointing to a system inode (such as a
+journal inode), complain and declare the file system to be corrupted.
+
+Also, if the superblock's first inode number field is too small,
+refuse to mount the file system.
+
+This addresses CVE-2018-10882.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200069
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+---
+ fs/ext4/ext4.h | 5 -----
+ fs/ext4/inode.c | 3 ++-
+ fs/ext4/super.c | 5 +++++
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -1501,11 +1501,6 @@ static inline struct ext4_inode_info *EX
+ static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino)
+ {
+ return ino == EXT4_ROOT_INO ||
+- ino == EXT4_USR_QUOTA_INO ||
+- ino == EXT4_GRP_QUOTA_INO ||
+- ino == EXT4_BOOT_LOADER_INO ||
+- ino == EXT4_JOURNAL_INO ||
+- ino == EXT4_RESIZE_INO ||
+ (ino >= EXT4_FIRST_INO(sb) &&
+ ino <= le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count));
+ }
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4506,7 +4506,8 @@ static int __ext4_get_inode_loc(struct i
+ int inodes_per_block, inode_offset;
+
+ iloc->bh = NULL;
+- if (!ext4_valid_inum(sb, inode->i_ino))
++ if (inode->i_ino < EXT4_ROOT_INO ||
++ inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count))
+ return -EFSCORRUPTED;
+
+ iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb);
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3817,6 +3817,11 @@ static int ext4_fill_super(struct super_
+ } else {
+ sbi->s_inode_size = le16_to_cpu(es->s_inode_size);
+ sbi->s_first_ino = le32_to_cpu(es->s_first_ino);
++ if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) {
++ ext4_msg(sb, KERN_ERR, "invalid first ino: %u",
++ sbi->s_first_ino);
++ goto failed_mount;
++ }
+ if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) ||
+ (!is_power_of_2(sbi->s_inode_size)) ||
+ (sbi->s_inode_size > blocksize)) { |
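Review bot: The open-coded range test added in `__ext4_get_inode_loc` (fs/ext4/inode.c section) has no comment explaining why it is deliberately looser than `ext4_valid_inum()`, which after the ext4.h change accepts only the root inode and numbers from `EXT4_FIRST_INO(sb)` upward. Without one, a later cleanup could fold the two checks back together and either break loading of reserved inodes or re-admit them from directory entries. I would add above the `if` something like `/* Reserved inodes (journal, quota, resize) are presumably still read through here, so only the raw range is checked; ext4_valid_inum() is for inode numbers taken from directory entries. */`. Separately, the new `s_first_ino` test in `ext4_fill_super` bounds the field only from below; a value above `s_inodes_count` looks like it fails closed through `ext4_valid_inum()`, but that is worth confirming, since mount is not refused in that case. Both function bodies continue outside the visible hunks.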