-rw-r--r-- | patches/cve/4.14.x.scc | 1 | ||||
-rw-r--r-- | patches/cve/CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch | 76 |
2 files changed, 77 insertions, 0 deletions
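--- a/patches/cve/4.14.x.scc
+++ b/patches/cve/4.14.x.scc
@@ -7,3 +7,4 @@ patch CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch
 #CVEs fixed in 4.14.86:
 patch CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch
 patch CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch
+patch CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch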
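--- /dev/null
+++ b/patches/cve/CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch
@@ -0,0 +1,76 @@
+From f7eef132ccc95c9af50b647c5da0511d2b8492f8 Mon Sep 17 00:00:00 2001
+From: Gu Jinxiang <gujx@cn.fujitsu.com>
+Date: Wed, 4 Jul 2018 18:16:39 +0800
+Subject: [PATCH] btrfs: validate type when reading a chunk
+
+commit 315409b0098fb2651d86553f0436b70502b29bb2 upstream.
+
+Reported in https://bugzilla.kernel.org/show_bug.cgi?id=199839, with an
+image that has an invalid chunk type but does not return an error.
+
+Add chunk type check in btrfs_check_chunk_valid, to detect the wrong
+type combinations.
+
+CVE: CVE-2018-14611
+Upstream-Status: Backport
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199839
+Reported-by: Xu Wen <wen.xu@gatech.edu>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Gu Jinxiang <gujx@cn.fujitsu.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+fs/btrfs/volumes.c | 28 ++++++++++++++++++++++++++++
+1 file changed, 28 insertions(+)
+
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index a0947f4a3e87..cfd5728e7519 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -6353,6 +6353,8 @@ static int btrfs_check_chunk_valid(struct btrfs_fs_info *fs_info,
+u16 num_stripes;
+u16 sub_stripes;
+u64 type;
++ u64 features;
++ bool mixed = false;
+
+length = btrfs_chunk_length(leaf, chunk);
+stripe_len = btrfs_chunk_stripe_len(leaf, chunk);
+@@ -6391,6 +6393,32 @@ static int btrfs_check_chunk_valid(struct btrfs_fs_info *fs_info,
+btrfs_chunk_type(leaf, chunk));
+return -EIO;
+}
++
++ if ((type & BTRFS_BLOCK_GROUP_TYPE_MASK) == 0) {
++ btrfs_err(fs_info, "missing chunk type flag: 0x%llx", type);
++ return -EIO;
++ }
++
++ if ((type & BTRFS_BLOCK_GROUP_SYSTEM) &&
++ (type & (BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DATA))) {
++ btrfs_err(fs_info,
++ "system chunk with data or metadata type: 0x%llx", type);
++ return -EIO;
++ }
++
++ features = btrfs_super_incompat_flags(fs_info->super_copy);
++ if (features & BTRFS_FEATURE_INCOMPAT_MIXED_GROUPS)
++ mixed = true;
++
++ if (!mixed) {
++ if ((type & BTRFS_BLOCK_GROUP_METADATA) &&
++ (type & BTRFS_BLOCK_GROUP_DATA)) {
++ btrfs_err(fs_info,
++ "mixed chunk type in non-mixed mode: 0x%llx", type);
++ return -EIO;
++ }
++ }
++
+if ((type & BTRFS_BLOCK_GROUP_RAID10 && sub_stripes != 2) ||
+(type & BTRFS_BLOCK_GROUP_RAID1 && num_stripes < 1) ||
+(type & BTRFS_BLOCK_GROUP_RAID5 && num_stripes < 2) ||
+--
+2.19.2
\ No newline at end of file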
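Review bot: The checks added to btrfs_check_chunk_valid cover only the type bits (DATA, METADATA, SYSTEM) of `type`; the profile bits are still tested one at a time by the RAID10/RAID1/RAID5 conditions that follow. As far as this hunk shows, a chunk item from a crafted image with more than one profile bit set would therefore still pass. If nothing else in this tree rejects that case, a guard beside the new ones such as `if (hweight64(type & BTRFS_BLOCK_GROUP_PROFILE_MASK) > 1) return -EIO;`, with a matching `btrfs_err`, would cover it. It is better carried as a separate backport so this patch stays identical to the upstream commit it cites. The function starts and ends outside the hunk, including the assignment of `type`, so confirm against the full 4.14 source first.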