Diffstat (limited to 'patches/cve')
-rw-r--r-- | patches/cve/4.14.x.scc | 1 | ||||
-rw-r--r-- | patches/cve/CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch | 89 |
2 files changed, 90 insertions, 0 deletions
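--- a/patches/cve/4.14.x.scc
+++ b/patches/cve/4.14.x.scc
@@ -6,3 +6,4 @@ patch CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch
 patch CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch
 #CVEs fixed in 4.14.86:
 patch CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch
+patch CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch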
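--- /dev/null
+++ b/patches/cve/CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch
@@ -0,0 +1,89 @@
+From 34407a175a59b668a1a2bbf0d0e495d87a7777d8 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Wed, 1 Aug 2018 10:37:16 +0800
+Subject: [PATCH] btrfs: Check that each block group has corresponding chunk at
+mount time
+
+commit 514c7dca85a0bf40be984dab0b477403a6db901f upstream.
+
+A crafted btrfs image with incorrect chunk<->block group mapping will
+trigger a lot of unexpected things as the mapping is essential.
+
+Although the problem can be caught by block group item checker
+added in "btrfs: tree-checker: Verify block_group_item", it's still not
+sufficient. A sufficiently valid block group item can pass the check
+added by the mentioned patch but could fail to match the existing chunk.
+
+This patch will add extra block group -> chunk mapping check, to ensure
+we have a completely matching (start, len, flags) chunk for each block
+group at mount time.
+
+Here we reuse the original helper find_first_block_group(), which is
+already doing the basic bg -> chunk checks, adding further checks of the
+start/len and type flags.
+
+CVE: CVE-2018-14610
+Upstream-Status: Backport
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199837
+Reported-by: Xu Wen <wen.xu@gatech.edu>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Su Yue <suy.fnst@cn.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+fs/btrfs/extent-tree.c | 28 +++++++++++++++++++++++++++-
+1 file changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index fdc42eddccc2..83791d13c204 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -9828,6 +9828,8 @@ static int find_first_block_group(struct btrfs_fs_info *fs_info,
+int ret = 0;
+struct btrfs_key found_key;
+struct extent_buffer *leaf;
++ struct btrfs_block_group_item bg;
++ u64 flags;
+int slot;
+
+ret = btrfs_search_slot(NULL, root, key, path, 0, 0);
+@@ -9862,8 +9864,32 @@ static int find_first_block_group(struct btrfs_fs_info *fs_info,
+"logical %llu len %llu found bg but no related chunk",
+found_key.objectid, found_key.offset);
+ret = -ENOENT;
++ } else if (em->start != found_key.objectid ||
++ em->len != found_key.offset) {
++ btrfs_err(fs_info,
++ "block group %llu len %llu mismatch with chunk %llu len %llu",
++ found_key.objectid, found_key.offset,
++ em->start, em->len);
++ ret = -EUCLEAN;
+} else {
+- ret = 0;
++ read_extent_buffer(leaf, &bg,
++ btrfs_item_ptr_offset(leaf, slot),
++ sizeof(bg));
++ flags = btrfs_block_group_flags(&bg) &
++ BTRFS_BLOCK_GROUP_TYPE_MASK;
++
++ if (flags != (em->map_lookup->type &
++ BTRFS_BLOCK_GROUP_TYPE_MASK)) {
++ btrfs_err(fs_info,
++"block group %llu len %llu type flags 0x%llx mismatch with chunk type flags 0x%llx",
++ found_key.objectid,
++ found_key.offset, flags,
++ (BTRFS_BLOCK_GROUP_TYPE_MASK &
++ em->map_lookup->type));
++ ret = -EUCLEAN;
++ } else {
++ ret = 0;
++ }
+}
+free_extent_map(em);
+goto out;
+--
+2.19.2
\ No newline at end of file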
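Review bot: The added `read_extent_buffer(leaf, &bg, btrfs_item_ptr_offset(leaf, slot), sizeof(bg))` in the final `else` branch copies a full `struct btrfs_block_group_item` without checking the item's size in the leaf, so it depends on the item having been validated before this point. The commit message attributes that validation to "btrfs: tree-checker: Verify block_group_item", and the part of `4.14.x.scc` visible on this page does not list that patch, so it is worth confirming that it is already present in this 4.14.x tree or applied earlier in the series. If it is not, a guard ahead of the read such as `else if (btrfs_item_size_nr(leaf, slot) < sizeof(bg)) ret = -EUCLEAN;` would stop a short item in a crafted image from being interpreted as type flags, at the cost of diverging from the upstream commit. find_first_block_group() starts and ends outside the inner hunk, so the `out:` path and how callers treat `-EUCLEAN` at mount time cannot be checked from here.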