diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2019-02-04 13:09:06 +0100 |
|---|---|---|
| committer | Andreas Wellving <andreas.wellving@enea.com> | 2019-02-04 13:09:06 +0100 |
| commit | 2dd517f18177313eb97548e51923e004c1a5e186 (patch) | |
| tree | fe4bca97d492d824c3296cb3fb7907d2d9dbf7c9 | |
| parent | 91001769cd33366d0d04b39df5888b48060318b1 (diff) | |
| download | enea-kernel-cache-2dd517f18177313eb97548e51923e004c1a5e186.tar.gz | |
btrfs: CVE-2018-14611
btrfs: validate type when reading a chunk
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-14611
https://patchwork.kernel.org/patch/10503099/
Change-Id: I892a65be63996fa779c948eff3d6583ceb02013d
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
| -rw-r--r-- | patches/cve/4.14.x.scc | 1 | ||||
| -rw-r--r-- | patches/cve/CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch | 76 |
2 files changed, 77 insertions, 0 deletions
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index a2417c2..a0c770e 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc | |||
| @@ -7,3 +7,4 @@ patch CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch | |||
| 7 | #CVEs fixed in 4.14.86: | 7 | #CVEs fixed in 4.14.86: |
| 8 | patch CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch | 8 | patch CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch |
| 9 | patch CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch | 9 | patch CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch |
| 10 | patch CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch | ||
diff --git a/patches/cve/CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch b/patches/cve/CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch new file mode 100644 index 0000000..5dd853f --- /dev/null +++ b/patches/cve/CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch | |||
| @@ -0,0 +1,76 @@ | |||
| 1 | From f7eef132ccc95c9af50b647c5da0511d2b8492f8 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Gu Jinxiang <gujx@cn.fujitsu.com> | ||
| 3 | Date: Wed, 4 Jul 2018 18:16:39 +0800 | ||
| 4 | Subject: [PATCH] btrfs: validate type when reading a chunk | ||
| 5 | |||
| 6 | commit 315409b0098fb2651d86553f0436b70502b29bb2 upstream. | ||
| 7 | |||
| 8 | Reported in https://bugzilla.kernel.org/show_bug.cgi?id=199839, with an | ||
| 9 | image that has an invalid chunk type but does not return an error. | ||
| 10 | |||
| 11 | Add chunk type check in btrfs_check_chunk_valid, to detect the wrong | ||
| 12 | type combinations. | ||
| 13 | |||
| 14 | CVE: CVE-2018-14611 | ||
| 15 | Upstream-Status: Backport | ||
| 16 | |||
| 17 | Link: https://bugzilla.kernel.org/show_bug.cgi?id=199839 | ||
| 18 | Reported-by: Xu Wen <wen.xu@gatech.edu> | ||
| 19 | Reviewed-by: Qu Wenruo <wqu@suse.com> | ||
| 20 | Signed-off-by: Gu Jinxiang <gujx@cn.fujitsu.com> | ||
| 21 | Signed-off-by: David Sterba <dsterba@suse.com> | ||
| 22 | Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> | ||
| 23 | Signed-off-by: Sasha Levin <sashal@kernel.org> | ||
| 24 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 25 | --- | ||
| 26 | fs/btrfs/volumes.c | 28 ++++++++++++++++++++++++++++ | ||
| 27 | 1 file changed, 28 insertions(+) | ||
| 28 | |||
| 29 | diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c | ||
| 30 | index a0947f4a3e87..cfd5728e7519 100644 | ||
| 31 | --- a/fs/btrfs/volumes.c | ||
| 32 | +++ b/fs/btrfs/volumes.c | ||
| 33 | @@ -6353,6 +6353,8 @@ static int btrfs_check_chunk_valid(struct btrfs_fs_info *fs_info, | ||
| 34 | u16 num_stripes; | ||
| 35 | u16 sub_stripes; | ||
| 36 | u64 type; | ||
| 37 | + u64 features; | ||
| 38 | + bool mixed = false; | ||
| 39 | |||
| 40 | length = btrfs_chunk_length(leaf, chunk); | ||
| 41 | stripe_len = btrfs_chunk_stripe_len(leaf, chunk); | ||
| 42 | @@ -6391,6 +6393,32 @@ static int btrfs_check_chunk_valid(struct btrfs_fs_info *fs_info, | ||
| 43 | btrfs_chunk_type(leaf, chunk)); | ||
| 44 | return -EIO; | ||
| 45 | } | ||
| 46 | + | ||
| 47 | + if ((type & BTRFS_BLOCK_GROUP_TYPE_MASK) == 0) { | ||
| 48 | + btrfs_err(fs_info, "missing chunk type flag: 0x%llx", type); | ||
| 49 | + return -EIO; | ||
| 50 | + } | ||
| 51 | + | ||
| 52 | + if ((type & BTRFS_BLOCK_GROUP_SYSTEM) && | ||
| 53 | + (type & (BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DATA))) { | ||
| 54 | + btrfs_err(fs_info, | ||
| 55 | + "system chunk with data or metadata type: 0x%llx", type); | ||
| 56 | + return -EIO; | ||
| 57 | + } | ||
| 58 | + | ||
| 59 | + features = btrfs_super_incompat_flags(fs_info->super_copy); | ||
| 60 | + if (features & BTRFS_FEATURE_INCOMPAT_MIXED_GROUPS) | ||
| 61 | + mixed = true; | ||
| 62 | + | ||
| 63 | + if (!mixed) { | ||
| 64 | + if ((type & BTRFS_BLOCK_GROUP_METADATA) && | ||
| 65 | + (type & BTRFS_BLOCK_GROUP_DATA)) { | ||
| 66 | + btrfs_err(fs_info, | ||
| 67 | + "mixed chunk type in non-mixed mode: 0x%llx", type); | ||
| 68 | + return -EIO; | ||
| 69 | + } | ||
| 70 | + } | ||
| 71 | + | ||
| 72 | if ((type & BTRFS_BLOCK_GROUP_RAID10 && sub_stripes != 2) || | ||
| 73 | (type & BTRFS_BLOCK_GROUP_RAID1 && num_stripes < 1) || | ||
| 74 | (type & BTRFS_BLOCK_GROUP_RAID5 && num_stripes < 2) || | ||
| 75 | -- | ||
| 76 | 2.19.2 \ No newline at end of file | ||