Diffstat (limited to 'patches/cve')
-rw-r--r-- | patches/cve/4.14.x.scc | 2 | ||||
-rw-r--r-- | patches/cve/CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch | 148 |
2 files changed, 150 insertions, 0 deletions
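--- a/patches/cve/4.14.x.scc
+++ b/patches/cve/4.14.x.scc
@@ -4,3 +4,5 @@ patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
 patch CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch
 #CVEs fixed in 4.14.75:
 patch CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch
+#CVEs fixed in 4.14.86:
+patch CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch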
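--- /dev/null
+++ b/patches/cve/CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch
@@ -0,0 +1,148 @@
+From 73711ba024896a2ffe4f81601dea8d8ba0085e04 Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Fri, 25 Jan 2019 12:44:48 +0000
+Subject: [PATCH] f2fs: fix to do sanity check with user_block_count
+
+commit 9dc956b2c8523aed39d1e6508438be9fea28c8fc upstream.
+
+This patch fixs to do sanity check with user_block_count.
+
+- Overview
+Divide zero in utilization when mount() a corrupted f2fs image
+
+- Reproduce (4.18 upstream kernel)
+
+- Kernel message
+[ 564.099503] F2FS-fs (loop0): invalid crc value
+[ 564.101991] divide error: 0000 [#1] SMP KASAN PTI
+[ 564.103103] CPU: 1 PID: 1298 Comm: f2fs_discard-7: Not tainted 4.18.0-rc1+ #4
+[ 564.104584] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+[ 564.106624] RIP: 0010:issue_discard_thread+0x248/0x5c0
+[ 564.107692] Code: ff ff 48 8b bd e8 fe ff ff 41 8b 9d 4c 04 00 00 e8 cd b8 ad ff 41 8b 85 50 04 00 00 31 d2 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <48> f7 f3 83 f8 50 7e 16 41 c7 86 7c ff ff ff 01 00 00 00 41 c7 86
+[ 564.111686] RSP: 0018:ffff8801f3117dc0 EFLAGS: 00010206
+[ 564.112775] RAX: 0000000000000384 RBX: 0000000000000000 RCX: ffffffffb88c1e03
+[ 564.114250] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e3aa4850
+[ 564.115706] RBP: ffff8801f3117f00 R08: 1ffffffff751a1d0 R09: fffffbfff751a1d0
+[ 564.117177] R10: 0000000000000001 R11: fffffbfff751a1d0 R12: 00000000fffffffc
+[ 564.118634] R13: ffff8801e3aa4400 R14: ffff8801f3117ed8 R15: ffff8801e2050000
+[ 564.120094] FS: 0000000000000000(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
+[ 564.121748] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 564.122923] CR2: 000000000202b078 CR3: 00000001f11ac000 CR4: 00000000000006e0
+[ 564.124383] Call Trace:
+[ 564.124924] ? __issue_discard_cmd+0x480/0x480
+[ 564.125882] ? __sched_text_start+0x8/0x8
+[ 564.126756] ? __kthread_parkme+0xcb/0x100
+[ 564.127620] ? kthread_blkcg+0x70/0x70
+[ 564.128412] kthread+0x180/0x1d0
+[ 564.129105] ? __issue_discard_cmd+0x480/0x480
+[ 564.130029] ? kthread_associate_blkcg+0x150/0x150
+[ 564.131033] ret_from_fork+0x35/0x40
+[ 564.131794] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
+[ 564.141798] ---[ end trace 4ce02f25ff7d3df5 ]---
+[ 564.142773] RIP: 0010:issue_discard_thread+0x248/0x5c0
+[ 564.143885] Code: ff ff 48 8b bd e8 fe ff ff 41 8b 9d 4c 04 00 00 e8 cd b8 ad ff 41 8b 85 50 04 00 00 31 d2 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <48> f7 f3 83 f8 50 7e 16 41 c7 86 7c ff ff ff 01 00 00 00 41 c7 86
+[ 564.147776] RSP: 0018:ffff8801f3117dc0 EFLAGS: 00010206
+[ 564.148856] RAX: 0000000000000384 RBX: 0000000000000000 RCX: ffffffffb88c1e03
+[ 564.150424] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e3aa4850
+[ 564.151906] RBP: ffff8801f3117f00 R08: 1ffffffff751a1d0 R09: fffffbfff751a1d0
+[ 564.153463] R10: 0000000000000001 R11: fffffbfff751a1d0 R12: 00000000fffffffc
+[ 564.154915] R13: ffff8801e3aa4400 R14: ffff8801f3117ed8 R15: ffff8801e2050000
+[ 564.156405] FS: 0000000000000000(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
+[ 564.158070] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 564.159279] CR2: 000000000202b078 CR3: 00000001f11ac000 CR4: 00000000000006e0
+[ 564.161043] ==================================================================
+[ 564.162587] BUG: KASAN: stack-out-of-bounds in from_kuid_munged+0x1d/0x50
+[ 564.163994] Read of size 4 at addr ffff8801f3117c84 by task f2fs_discard-7:/1298
+
+[ 564.165852] CPU: 1 PID: 1298 Comm: f2fs_discard-7: Tainted: G D 4.18.0-rc1+ #4
+[ 564.167593] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+[ 564.169522] Call Trace:
+[ 564.170057] dump_stack+0x7b/0xb5
+[ 564.170778] print_address_description+0x70/0x290
+[ 564.171765] kasan_report+0x291/0x390
+[ 564.172540] ? from_kuid_munged+0x1d/0x50
+[ 564.173408] __asan_load4+0x78/0x80
+[ 564.174148] from_kuid_munged+0x1d/0x50
+[ 564.174962] do_notify_parent+0x1f5/0x4f0
+[ 564.175808] ? send_sigqueue+0x390/0x390
+[ 564.176639] ? css_set_move_task+0x152/0x340
+[ 564.184197] do_exit+0x1290/0x1390
+[ 564.184950] ? __issue_discard_cmd+0x480/0x480
+[ 564.185884] ? mm_update_next_owner+0x380/0x380
+[ 564.186829] ? __sched_text_start+0x8/0x8
+[ 564.187672] ? __kthread_parkme+0xcb/0x100
+[ 564.188528] ? kthread_blkcg+0x70/0x70
+[ 564.189333] ? kthread+0x180/0x1d0
+[ 564.190052] ? __issue_discard_cmd+0x480/0x480
+[ 564.190983] rewind_stack_do_exit+0x17/0x20
+
+[ 564.192190] The buggy address belongs to the page:
+[ 564.193213] page:ffffea0007cc45c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+[ 564.194856] flags: 0x2ffff0000000000()
+[ 564.195644] raw: 02ffff0000000000 0000000000000000 dead000000000200 0000000000000000
+[ 564.197247] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+[ 564.198826] page dumped because: kasan: bad access detected
+
+[ 564.200299] Memory state around the buggy address:
+[ 564.201306] ffff8801f3117b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 564.202779] ffff8801f3117c00: 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3
+[ 564.204252] >ffff8801f3117c80: f3 f3 f3 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
+[ 564.205742] ^
+[ 564.206424] ffff8801f3117d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 564.207908] ffff8801f3117d80: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
+[ 564.209389] ==================================================================
+[ 564.231795] F2FS-fs (loop0): Mounted with checkpoint version = 2
+
+- Location
+https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.h#L586
+return div_u64((u64)valid_user_blocks(sbi) * 100,
+sbi->user_block_count);
+Missing checks on sbi->user_block_count.
+
+CVE: CVE-2018-13097
+Upstream-Status: Backport
+
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+fs/f2fs/super.c | 13 +++++++++++++
+1 file changed, 13 insertions(+)
+
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 400c00058bad..75af507273a4 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1883,6 +1883,9 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
+struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi);
+unsigned int ovp_segments, reserved_segments;
+unsigned int main_segs, blocks_per_seg;
++ unsigned int log_blocks_per_seg;
++ unsigned int segment_count_main;
++ block_t user_block_count;
+int i;
+
+total = le32_to_cpu(raw_super->segment_count);
+@@ -1905,6 +1908,16 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
+return 1;
+}
+
++ user_block_count = le64_to_cpu(ckpt->user_block_count);
++ segment_count_main = le32_to_cpu(raw_super->segment_count_main);
++ log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg);
++ if (!user_block_count || user_block_count >=
++ segment_count_main << log_blocks_per_seg) {
++ f2fs_msg(sbi->sb, KERN_ERR,
++ "Wrong user_block_count: %u", user_block_count);
++ return 1;
++ }
++
+main_segs = le32_to_cpu(raw_super->segment_count_main);
+blocks_per_seg = sbi->blocks_per_seg;
+
+--
+2.19.2
+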
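Review bot: The upper-bound half of the new check in the second super.c hunk, `user_block_count >= segment_count_main << log_blocks_per_seg`, shifts by a value read directly from raw_super, so it only constrains a corrupted checkpoint if `log_blocks_per_seg` and `segment_count_main` are themselves range-checked earlier in the 4.14 mount path; the backport does not show that, and it is worth confirming on the target tree (the raw-superblock sanity check that runs before sanity_check_ckpt() is where one would expect it) before treating CVE-2018-13097 as closed. The `!user_block_count` half is what actually removes the divide-by-zero in utilization() quoted under 'Location' (the faulting `<48> f7 f3` is a `div %rbx` with RBX reported as 0 in the oops), while the KASAN stack-out-of-bounds that follows appears to be fallout from the kthread exiting after the divide fault, since its trace runs through do_exit, rather than a second defect this patch is expected to fix. As this is a verbatim upstream backport I would not edit the patch itself; record the prerequisite-check assumption next to the entry in 4.14.x.scc or in the commit message instead, e.g. `# assumes raw_super segment_count_main/log_blocks_per_seg are validated before sanity_check_ckpt() on this tree`. sanity_check_ckpt() begins and ends outside both hunks.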