From 2dd517f18177313eb97548e51923e004c1a5e186 Mon Sep 17 00:00:00 2001
From: Andreas Wellving
Date: Mon, 4 Feb 2019 13:09:06 +0100
Subject: btrfs: CVE-2018-14611 btrfs: validate type when reading a chunk
References: https://nvd.nist.gov/vuln/detail/CVE-2018-14611 https://patchwork.kernel.org/patch/10503099/
Change-Id: I892a65be63996fa779c948eff3d6583ceb02013d
Signed-off-by: Andreas Wellving
---
 patches/cve/4.14.x.scc | 1 +
 ...-btrfs-validate-type-when-reading-a-chunk.patch | 76 ++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 patches/cve/CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc
index a2417c2..a0c770e 100644
--- a/patches/cve/4.14.x.scc
+++ b/patches/cve/4.14.x.scc
@@ -7,3 +7,4 @@ patch CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch
 #CVEs fixed in 4.14.86:
 patch CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch
 patch CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch
+patch CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch
diff --git a/patches/cve/CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch b/patches/cve/CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch
new file mode 100644
index 0000000..5dd853f
--- /dev/null
+++ b/patches/cve/CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch
@@ -0,0 +1,76 @@
+From f7eef132ccc95c9af50b647c5da0511d2b8492f8 Mon Sep 17 00:00:00 2001
+From: Gu Jinxiang
+Date: Wed, 4 Jul 2018 18:16:39 +0800
+Subject: [PATCH] btrfs: validate type when reading a chunk
+
+commit 315409b0098fb2651d86553f0436b70502b29bb2 upstream.
+
+Reported in https://bugzilla.kernel.org/show_bug.cgi?id=199839, with an
+image that has an invalid chunk type but does not return an error.
+
+Add chunk type check in btrfs_check_chunk_valid, to detect the wrong
+type combinations.
+
+CVE: CVE-2018-14611
+Upstream-Status: Backport
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199839
+Reported-by: Xu Wen
+Reviewed-by: Qu Wenruo
+Signed-off-by: Gu Jinxiang
+Signed-off-by: David Sterba
+Signed-off-by: Ben Hutchings
+Signed-off-by: Sasha Levin
+Signed-off-by: Andreas Wellving
+---
+ fs/btrfs/volumes.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index a0947f4a3e87..cfd5728e7519 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -6353,6 +6353,8 @@ static int btrfs_check_chunk_valid(struct btrfs_fs_info *fs_info,
+ u16 num_stripes;
+ u16 sub_stripes;
+ u64 type;
++ u64 features;
++ bool mixed = false;
+
+ length = btrfs_chunk_length(leaf, chunk);
+ stripe_len = btrfs_chunk_stripe_len(leaf, chunk);
+@@ -6391,6 +6393,32 @@ static int btrfs_check_chunk_valid(struct btrfs_fs_info *fs_info,
+ btrfs_chunk_type(leaf, chunk));
+ return -EIO;
+ }
++
++ if ((type & BTRFS_BLOCK_GROUP_TYPE_MASK) == 0) {
++ btrfs_err(fs_info, "missing chunk type flag: 0x%llx", type);
++ return -EIO;
++ }
++
++ if ((type & BTRFS_BLOCK_GROUP_SYSTEM) &&
++ (type & (BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DATA))) {
++ btrfs_err(fs_info,
++ "system chunk with data or metadata type: 0x%llx", type);
++ return -EIO;
++ }
++
++ features = btrfs_super_incompat_flags(fs_info->super_copy);
++ if (features & BTRFS_FEATURE_INCOMPAT_MIXED_GROUPS)
++ mixed = true;
++
++ if (!mixed) {
++ if ((type & BTRFS_BLOCK_GROUP_METADATA) &&
++ (type & BTRFS_BLOCK_GROUP_DATA)) {
++ btrfs_err(fs_info,
++ "mixed chunk type in non-mixed mode: 0x%llx", type);
++ return -EIO;
++ }
++ }
++
+ if ((type & BTRFS_BLOCK_GROUP_RAID10 && sub_stripes != 2) ||
+ (type & BTRFS_BLOCK_GROUP_RAID1 && num_stripes < 1) ||
+ (type & BTRFS_BLOCK_GROUP_RAID5 && num_stripes < 2) ||
+--
+2.19.2
\ No newline at end of file
--
cgit v1.2.3-54-g00ecf
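Review bot: The checks added in the embedded `@@ -6391,6 +6393,32 @@` hunk validate only the type bits (DATA/METADATA/SYSTEM) and leave the profile bits unconstrained. The context lines that follow test each `BTRFS_BLOCK_GROUP_RAID*` flag independently, so a chunk item carrying two profile flags at once still passes whenever its stripe counts satisfy each individual test. I would reject that combination in the same place with `if ((type & BTRFS_BLOCK_GROUP_PROFILE_MASK) && !is_power_of_2(type & BTRFS_BLOCK_GROUP_PROFILE_MASK))`, followed by the same `btrfs_err(...)` and `return -EIO;` pattern as the new checks. Separately, the three new messages print only the raw `type` value; if the chunk's logical offset is available in this function, including it would let an operator locate the corrupt item from the log. `btrfs_check_chunk_valid` begins and ends outside the hunk, so the parameter list and the assignment of `type` are not visible here and should be confirmed against the full function.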