46 lines
1.3 KiB
Diff
46 lines
1.3 KiB
Diff
|
From: Theodore Ts'o <tytso@mit.edu>
|
||
|
Date: Thu, 14 Jun 2018 12:55:10 -0400
|
||
|
Subject: ext4: verify the depth of extent tree in ext4_find_extent()
|
||
|
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=0a8173832987f52ab6926dbdf1cd3991ca615000
|
||
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10877
|
||
|
|
||
|
If there is a corupted file system where the claimed depth of the
|
||
|
extent tree is -1, this can cause a massive buffer overrun leading to
|
||
|
sadness.
|
||
|
|
||
|
This addresses CVE-2018-10877.
|
||
|
|
||
|
https://bugzilla.kernel.org/show_bug.cgi?id=199417
|
||
|
|
||
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||
|
---
|
||
|
fs/ext4/ext4_extents.h | 1 +
|
||
|
fs/ext4/extents.c | 6 ++++++
|
||
|
2 files changed, 7 insertions(+)
|
||
|
|
||
|
--- a/fs/ext4/ext4_extents.h
|
||
|
+++ b/fs/ext4/ext4_extents.h
|
||
|
@@ -91,6 +91,7 @@ struct ext4_extent_header {
|
||
|
};
|
||
|
|
||
|
#define EXT4_EXT_MAGIC cpu_to_le16(0xf30a)
|
||
|
+#define EXT4_MAX_EXTENT_DEPTH 5
|
||
|
|
||
|
#define EXT4_EXTENT_TAIL_OFFSET(hdr) \
|
||
|
(sizeof(struct ext4_extent_header) + \
|
||
|
--- a/fs/ext4/extents.c
|
||
|
+++ b/fs/ext4/extents.c
|
||
|
@@ -869,6 +869,12 @@ ext4_find_extent(struct inode *inode, ex
|
||
|
|
||
|
eh = ext_inode_hdr(inode);
|
||
|
depth = ext_depth(inode);
|
||
|
+ if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) {
|
||
|
+ EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d",
|
||
|
+ depth);
|
||
|
+ ret = -EFSCORRUPTED;
|
||
|
+ goto err;
|
||
|
+ }
|
||
|
|
||
|
if (path) {
|
||
|
ext4_ext_drop_refs(path);
|