[linux] 07/07: ext4: validate s_first_meta_bg at mount time (CVE-2016-10208)
debian-kernel at lists.debian.org
Tue Mar 14 14:16:59 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie-security
in repository linux.
commit 54fe5e509f7afedde815a2c3e0292ae5ea981071
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Tue Mar 14 01:35:31 2017 +0000
ext4: validate s_first_meta_bg at mount time (CVE-2016-10208)
---
debian/changelog | 1 +
...t4-validate-s_first_meta_bg-at-mount-time.patch | 65 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 67 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index b5e427e..16d6533 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,7 @@ linux (3.16.39-1+deb8u3) UNRELEASED; urgency=medium
* vfs: Commit to never having executables on proc and sysfs
* aio: mark AIO pseudo-fs noexec (CVE-2016-10044)
* l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (CVE-2016-10200)
+ * ext4: validate s_first_meta_bg at mount time (CVE-2016-10208)
-- Ben Hutchings <ben at decadent.org.uk> Mon, 13 Mar 2017 23:29:39 +0000
diff --git a/debian/patches/bugfix/all/ext4-validate-s_first_meta_bg-at-mount-time.patch b/debian/patches/bugfix/all/ext4-validate-s_first_meta_bg-at-mount-time.patch
new file mode 100644
index 0000000..6518857
--- /dev/null
+++ b/debian/patches/bugfix/all/ext4-validate-s_first_meta_bg-at-mount-time.patch
@@ -0,0 +1,65 @@
+From: Eryu Guan <guaneryu at gmail.com>
+Date: Thu, 1 Dec 2016 15:08:37 -0500
+Subject: ext4: validate s_first_meta_bg at mount time
+Origin: https://git.kernel.org/linus/3a4b77cd47bb837b8557595ec7425f281f2ca1fe
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-10208
+
+Ralf Spenneberg reported that he hit a kernel crash when mounting a
+modified ext4 image. And it turns out that kernel crashed when
+calculating fs overhead (ext4_calculate_overhead()), this is because
+the image has very large s_first_meta_bg (debug code shows it's
+842150400), and ext4 overruns the memory in count_overhead() when
+setting bitmap buffer, which is PAGE_SIZE.
+
+ext4_calculate_overhead():
+ buf = get_zeroed_page(GFP_NOFS); <=== PAGE_SIZE buffer
+ blks = count_overhead(sb, i, buf);
+
+count_overhead():
+ for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) { <=== j = 842150400
+ ext4_set_bit(EXT4_B2C(sbi, s++), buf); <=== buffer overrun
+ count++;
+ }
+
+This can be reproduced easily for me by this script:
+
+ #!/bin/bash
+ rm -f fs.img
+ mkdir -p /mnt/ext4
+ fallocate -l 16M fs.img
+ mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img
+ debugfs -w -R "ssv first_meta_bg 842150400" fs.img
+ mount -o loop fs.img /mnt/ext4
+
+Fix it by validating s_first_meta_bg first at mount time, and
+refusing to mount if its value exceeds the largest possible meta_bg
+number.
+
+Reported-by: Ralf Spenneberg <ralf at os-t.de>
+Signed-off-by: Eryu Guan <guaneryu at gmail.com>
+Signed-off-by: Theodore Ts'o <tytso at mit.edu>
+Reviewed-by: Andreas Dilger <adilger at dilger.ca>
+[bwh: Backported to 3.16: use EXT4_HAS_INCOMPAT_FEATURE()]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/ext4/super.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3890,6 +3890,15 @@ static int ext4_fill_super(struct super_
+ (EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb)));
+ db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
+ EXT4_DESC_PER_BLOCK(sb);
++ if (EXT4_HAS_INCOMPAT_FEATURE(sb,EXT4_FEATURE_INCOMPAT_META_BG)) {
++ if (le32_to_cpu(es->s_first_meta_bg) >= db_count) {
++ ext4_msg(sb, KERN_WARNING,
++ "first meta block group too large: %u "
++ "(group descriptor block count %u)",
++ le32_to_cpu(es->s_first_meta_bg), db_count);
++ goto failed_mount;
++ }
++ }
+ sbi->s_group_desc = ext4_kvmalloc(db_count *
+ sizeof(struct buffer_head *),
+ GFP_KERNEL);
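Review bot: the new guard in the embedded super.c hunk is placed correctly: it runs after db_count has been derived from s_groups_count and before the s_group_desc allocation, so an image with an oversized s_first_meta_bg is rejected on the failed_mount path before any group-descriptor buffers are allocated, and restricting it to the META_BG case is right because s_first_meta_bg has no meaning without that feature. One style nit: `EXT4_HAS_INCOMPAT_FEATURE(sb,EXT4_FEATURE_INCOMPAT_META_BG)` is missing the space after the comma; the rest of the backport keeps kernel style, so `EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_META_BG)` would match. The bwh backport note only mentions swapping in EXT4_HAS_INCOMPAT_FEATURE(), which matches the single visible deviation from the Origin commit.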
diff --git a/debian/patches/series b/debian/patches/series
index 1b3f967..2364ac8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -710,6 +710,7 @@ bugfix/all/mnt-add-a-per-mount-namespace-limit-on-the-number-of.patch
bugfix/all/vfs-commit-to-never-having-exectuables-on-proc-and-s.patch
bugfix/all/aio-mark-aio-pseudo-fs-noexec.patch
bugfix/all/l2tp-fix-racy-sock_zapped-flag-check-in-l2tp_ip-6-_b.patch
+bugfix/all/ext4-validate-s_first_meta_bg-at-mount-time.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git