From: Theodore Ts'o tytso@mit.edu
CVE-2018-1092
If the root directory has an i_links_count of zero, then when the file system is mounted, then when ext4_fill_super() notices the problem and tries to call iput() the root directory in the error return path, ext4_evict_inode() will try to free the inode on disk, before all of the file system structures are set up, and this will result in an OOPS caused by a NULL pointer dereference.
This issue has been assigned CVE-2018-1092.
https://bugzilla.kernel.org/show_bug.cgi?id=199179 https://bugzilla.redhat.com/show_bug.cgi?id=1560777
Reported-by: Wen Xu wen.xu@gatech.edu Signed-off-by: Theodore Ts'o tytso@mit.edu Cc: stable@vger.kernel.org (cherry-picked from 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44) Signed-off-by: Khalid Elmously khalid.elmously@canonical.com --- fs/ext4/inode.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 3d4d1dccc8a1..398faeff1938 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -4745,6 +4745,12 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino) goto bad_inode; raw_inode = ext4_raw_inode(&iloc);
+ if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) { + EXT4_ERROR_INODE(inode, "root inode unallocated"); + ret = -EFSCORRUPTED; + goto bad_inode; + } + if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize); if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
On Mon, May 14, 2018 at 01:27:13AM -0400, Khalid Elmously wrote:
From: Theodore Ts'o tytso@mit.edu
CVE-2018-1092
If the root directory has an i_links_count of zero, then when the file system is mounted, then when ext4_fill_super() notices the problem and tries to call iput() the root directory in the error return path, ext4_evict_inode() will try to free the inode on disk, before all of the file system structures are set up, and this will result in an OOPS caused by a NULL pointer dereference.
This issue has been assigned CVE-2018-1092.
https://bugzilla.kernel.org/show_bug.cgi?id=199179 https://bugzilla.redhat.com/show_bug.cgi?id=1560777
Reported-by: Wen Xu wen.xu@gatech.edu Signed-off-by: Theodore Ts'o tytso@mit.edu Cc: stable@vger.kernel.org (cherry-picked from 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44) Signed-off-by: Khalid Elmously khalid.elmously@canonical.com
fs/ext4/inode.c | 6 ++++++ 1 file changed, 6 insertions(+)
Any specific reason you sent a patch that is already included in all of the active stable trees, to the stable mailing list?
And nice fuzzymail address :)
greg k-h
On 2018-05-14 08:17:52 , Greg KH wrote:
On Mon, May 14, 2018 at 01:27:13AM -0400, Khalid Elmously wrote:
From: Theodore Ts'o tytso@mit.edu
CVE-2018-1092
If the root directory has an i_links_count of zero, then when the file system is mounted, then when ext4_fill_super() notices the problem and tries to call iput() the root directory in the error return path, ext4_evict_inode() will try to free the inode on disk, before all of the file system structures are set up, and this will result in an OOPS caused by a NULL pointer dereference.
This issue has been assigned CVE-2018-1092.
https://bugzilla.kernel.org/show_bug.cgi?id=199179 https://bugzilla.redhat.com/show_bug.cgi?id=1560777
Reported-by: Wen Xu wen.xu@gatech.edu Signed-off-by: Theodore Ts'o tytso@mit.edu Cc: stable@vger.kernel.org (cherry-picked from 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44) Signed-off-by: Khalid Elmously khalid.elmously@canonical.com
fs/ext4/inode.c | 6 ++++++ 1 file changed, 6 insertions(+)
Any specific reason you sent a patch that is already included in all of the active stable trees, to the stable mailing list?
Well I thought why not apply the patch again for _extra_ protection?
And nice fuzzymail address :)
Thanks :)
Seriously though: I mis-used git-send-email while sending a test patch to myself and ended up CC'ing the stable ML - apologies for the spam.
greg k-h
Khalid
linux-stable-mirror@lists.linaro.org