From 31beebd5e24e1489d98b35df5b53daea962edfcc Mon Sep 17 00:00:00 2001
From: Theodore Ts'o
Date: Fri, 31 Aug 2018 13:42:25 -0400
Subject: [PATCH] add patch avoid-arithmetic-overflow-that-can-trigger-a-BUG
---
 avoid-arithmetic-overflow-that-can-trigger-a-BUG | 53 ++++++++++++++++++++++++
 series | 1 +
 timestamps | 7 ++--
 3 files changed, 58 insertions(+), 3 deletions(-)
 create mode 100644 avoid-arithmetic-overflow-that-can-trigger-a-BUG
diff --git a/avoid-arithmetic-overflow-that-can-trigger-a-BUG b/avoid-arithmetic-overflow-that-can-trigger-a-BUG
new file mode 100644
index 00000000..9ad67f5a
--- /dev/null
+++ b/avoid-arithmetic-overflow-that-can-trigger-a-BUG
@@ -0,0 +1,53 @@
+ext4: avoid arithemetic overflow that can trigger a BUG
+
+A maliciously crafted file system can cause an overflow when the
+results of a 64-bit calculation is stored into a 32-bit length
+parameter.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200623
+
+Signed-off-by: Theodore Ts'o
+Reported-by: Wen Xu
+Cc: stable@vger.kernel.org
+---
+ fs/ext4/ext4.h | 3 +++
+ fs/ext4/inode.c | 8 ++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
+index 249bcee4d7b2..ac05bd86643a 100644
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -686,6 +686,9 @@ enum {
+ /* Max physical block we can address w/o extents */
+ #define EXT4_MAX_BLOCK_FILE_PHYS 0xFFFFFFFF
+
++/* Max logical block we can support */
++#define EXT4_MAX_LOGICAL_BLOCK 0xFFFFFFFF
++
+ /*
+ * Structure of an inode on the disk
+ */
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 8f6ad7667974..694f31364206 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -3412,12 +3412,16 @@ static int ext4_iomap_begin(struct inode *inode, loff_t offset, loff_t length,
+ {
+ struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
+ unsigned int blkbits = inode->i_blkbits;
+- unsigned long first_block = offset >> blkbits;
+- unsigned long last_block = (offset + length - 1) >> blkbits;
++ unsigned long first_block, last_block;
+ struct ext4_map_blocks map;
+ bool delalloc = false;
+ int ret;
+
++ if ((offset >> blkbits) > EXT4_MAX_LOGICAL_BLOCK)
++ return -EINVAL;
++ first_block = offset >> blkbits;
++ last_block = min_t(loff_t, (offset + length - 1) >> blkbits,
++ EXT4_MAX_LOGICAL_BLOCK);
+
+ if (flags & IOMAP_REPORT) {
+ if (ext4_has_inline_data(inode)) {
diff --git a/series b/series
index 86a05872..0d2805da 100644
--- a/series
+++ b/series
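Review bot: In the fs/ext4/inode.c hunk the end-block clamp still allows a block count of 2^32: with `first_block` 0 and `last_block` capped at `EXT4_MAX_LOGICAL_BLOCK` (0xFFFFFFFF), `last_block - first_block + 1` no longer fits the 32-bit length parameter the description is protecting. The code that derives the length lies outside the hunk, so this is inferred; if it is computed that way, cap one lower, e.g. `#define EXT4_MAX_LOGICAL_BLOCK 0xFFFFFFFE`. Also, `offset + length - 1` is evaluated as a signed `loff_t` before `min_t(loff_t, ...)`, so a sum that wraps negative would pass the clamp and turn into a very large `unsigned long`; unless callers already rule that out, reject it first with `if (length <= 0 || offset > LLONG_MAX - length) return -EINVAL;`.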
@@ -3,6 +3,7 @@ add-nonstring-annotations-to-ext4.h check-rename-destination-is-not-freed avoid-buffer-overrun-when-deleting-inline-directories +avoid-arithmetic-overflow-that-can-trigger-a-BUG #################################################### # unstable patches
diff --git a/timestamps b/timestamps
index 60a312dd..79dd014c 100755
--- a/timestamps
+++ b/timestamps
@@ -35,7 +35,8 @@ touch -d @1531115020 add-ext4-journal-lazy-mount-option
 touch -d @1535346911 add-nonstring-annotations-to-ext4.h
 touch -d @1535348829 check-rename-destination-is-not-freed
 touch -d @1535376041 stable-boundary
-touch -d @1535376133 series
 touch -d @1535376165 avoid-buffer-overrun-when-deleting-inline-directories
-touch -d @1535376165 status
-touch -d @1535376179 timestamps
+touch -d @1535735256 series
+touch -d @1535820304 avoid-arithmetic-overflow-that-can-trigger-a-BUG
+touch -d @1535820305 status
+touch -d @1535825270 timestamps
--
2.11.4.GIT