From: Eric Biggers ebiggers@google.com
ext4 isn't validating the sizes of xattrs. This is problematic because ->e_value_size is a u32, but ext4_xattr_get() returns an int. A very large size is misinterpreted as an error code, which ext4_get_acl() translates into a bogus ERR_PTR() for which IS_ERR() returns false, causing a crash.
Fix this by validating that all xattrs are <= INT_MAX bytes. Also add explicit checks in ext4_xattr_block_get() and ext4_xattr_ibody_get() just in case the xattr block is corrupted in memory.
This issue has been assigned CVE-2018-1095.
https://bugzilla.kernel.org/show_bug.cgi?id=199185 https://bugzilla.redhat.com/show_bug.cgi?id=1560793
Reported-by: Wen Xu wen.xu@gatech.edu Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: Theodore Ts'o tytso@mit.edu Cc: stable@vger.kernel.org --- fs/ext4/xattr.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 63656dbafdc4..fea1108c3bea 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -201,6 +201,9 @@ ext4_xattr_check_entries(struct ext4_xattr_entry *entry, void *end, u32 size = le32_to_cpu(entry->e_value_size); void *value;
+ if (size > INT_MAX) + return -EFSCORRUPTED; + /* * The value cannot overlap the names, and the value * with padding cannot extend beyond 'end'. Check both @@ -523,8 +526,10 @@ ext4_xattr_block_get(struct inode *inode, int name_index, const char *name, if (error) goto cleanup; size = le32_to_cpu(entry->e_value_size); + error = -ERANGE; + if (unlikely(size > INT_MAX)) + goto cleanup; if (buffer) { - error = -ERANGE; if (size > buffer_size) goto cleanup; if (entry->e_value_inum) { @@ -572,8 +577,10 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name, if (error) goto cleanup; size = le32_to_cpu(entry->e_value_size); + error = -ERANGE; + if (unlikely(size > INT_MAX)) + goto cleanup; if (buffer) { - error = -ERANGE; if (size > buffer_size) goto cleanup; if (entry->e_value_inum) {
On Mar 29, 2018, at 3:46 PM, Theodore Ts'o tytso@mit.edu wrote:
From: Eric Biggers ebiggers@google.com
ext4 isn't validating the sizes of xattrs. This is problematic because ->e_value_size is a u32, but ext4_xattr_get() returns an int. A very large size is misinterpreted as an error code, which ext4_get_acl() translates into a bogus ERR_PTR() for which IS_ERR() returns false, causing a crash.
Fix this by validating that all xattrs are <= INT_MAX bytes. Also add explicit checks in ext4_xattr_block_get() and ext4_xattr_ibody_get() just in case the xattr block is corrupted in memory.
This issue has been assigned CVE-2018-1095.
https://bugzilla.kernel.org/show_bug.cgi?id=199185 https://bugzilla.redhat.com/show_bug.cgi?id=1560793
Reported-by: Wen Xu wen.xu@gatech.edu Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: Theodore Ts'o tytso@mit.edu
Reviewed-by: Andreas Dilger adilger@dilger.ca
Cc: stable@vger.kernel.org
fs/ext4/xattr.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 63656dbafdc4..fea1108c3bea 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -201,6 +201,9 @@ ext4_xattr_check_entries(struct ext4_xattr_entry *entry, void *end, u32 size = le32_to_cpu(entry->e_value_size); void *value;
if (size > INT_MAX)return -EFSCORRUPTED;/* * The value cannot overlap the names, and the value * with padding cannot extend beyond 'end'. Check both@@ -523,8 +526,10 @@ ext4_xattr_block_get(struct inode *inode, int name_index, const char *name, if (error) goto cleanup; size = le32_to_cpu(entry->e_value_size);
- error = -ERANGE;
- if (unlikely(size > INT_MAX))
goto cleanup;
error = -ERANGE;@@ -572,8 +577,10 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name, if (error) goto cleanup; size = le32_to_cpu(entry->e_value_size);
- error = -ERANGE;
- if (unlikely(size > INT_MAX))
goto cleanup;
error = -ERANGE;-- 2.16.1.72.g5be1f00a9a
Cheers, Andreas
linux-stable-mirror@lists.linaro.org
-
Andreas Dilger -
Theodore Ts'o