author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-09-29 12:27:58 +0200 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-09-29 13:08:46 +0200 |
commit | 163efd512fede2d1a535256040895702b7b90012 (patch) | |
tree | fd322a0a9e3585cec0dca1ef7df709d77d2b547e | |
parent | 9898ed1ef252beccf252d05154be55d20cb0dd8c (diff) | |
download | meta-enea-bsp-arm-163efd512fede2d1a535256040895702b7b90012.tar.gz |
linux-cavium: CVE-2016-10208
EXT4 memory corruption / SLAB out-of-bounds read
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-10208
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
-rw-r--r-- | recipes-kernel/linux/linux-cavium/CVE-2016-10208.patch | 74 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-cavium_4.9.inc | 1 |
2 files changed, 75 insertions, 0 deletions
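--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2016-10208.patch
@@ -0,0 +1,74 @@
+From 13e6ef99d23b05807e7f8a72f45e3d8260b61570 Mon Sep 17 00:00:00 2001
+From: Eryu Guan <guaneryu@gmail.com>
+Date: Thu, 1 Dec 2016 15:08:37 -0500
+Subject: [PATCH] ext4: validate s_first_meta_bg at mount time
+
+commit 3a4b77cd47bb837b8557595ec7425f281f2ca1fe upstream.
+
+Ralf Spenneberg reported that he hit a kernel crash when mounting a
+modified ext4 image. And it turns out that kernel crashed when
+calculating fs overhead (ext4_calculate_overhead()), this is because
+the image has very large s_first_meta_bg (debug code shows it's
+842150400), and ext4 overruns the memory in count_overhead() when
+setting bitmap buffer, which is PAGE_SIZE.
+
+ext4_calculate_overhead():
+buf = get_zeroed_page(GFP_NOFS); <=== PAGE_SIZE buffer
+blks = count_overhead(sb, i, buf);
+
+count_overhead():
+for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) { <=== j = 842150400
+ext4_set_bit(EXT4_B2C(sbi, s++), buf); <=== buffer overrun
+count++;
+}
+
+This can be reproduced easily for me by this script:
+
+#!/bin/bash
+rm -f fs.img
+mkdir -p /mnt/ext4
+fallocate -l 16M fs.img
+mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img
+debugfs -w -R "ssv first_meta_bg 842150400" fs.img
+mount -o loop fs.img /mnt/ext4
+
+Fix it by validating s_first_meta_bg first at mount time, and
+refusing to mount if its value exceeds the largest possible meta_bg
+number.
+
+CVE: CVE-2016-10208
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+
+Reported-by: Ralf Spenneberg <ralf@os-t.de>
+Signed-off-by: Eryu Guan <guaneryu@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+fs/ext4/super.c | 9 +++++++++
+1 file changed, 9 insertions(+)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 478630a..bbc316d 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3827,6 +3827,15 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
+(EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb)));
+db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
+EXT4_DESC_PER_BLOCK(sb);
++ if (ext4_has_feature_meta_bg(sb)) {
++ if (le32_to_cpu(es->s_first_meta_bg) >= db_count) {
++ ext4_msg(sb, KERN_WARNING,
++ "first meta block group too large: %u "
++ "(group descriptor block count %u)",
++ le32_to_cpu(es->s_first_meta_bg), db_count);
++ goto failed_mount;
++ }
++ }
+sbi->s_group_desc = ext4_kvmalloc(db_count *
+sizeof(struct buffer_head *),
+GFP_KERNEL);
+--
+1.9.1
+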
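Review bot: The guard added at lines 60–68 of the embedded ext4_fill_super hunk only validates s_first_meta_bg when ext4_has_feature_meta_bg() is set, so a superblock with that flag clear is never checked; presumably ext4_bg_num_gdb() does not consult s_first_meta_bg on the non-meta_bg path, but neither that helper nor the failed_mount label is inside the hunk, so this should be confirmed against the linux-cavium tree at the SRCREV the recipe pins rather than assumed from the upstream commit message. The rejection does happen before the ext4_kvmalloc of s_group_desc on the following lines, so the early goto does not leave that array allocated. ext4_fill_super begins and ends outside the hunk, and the patch is a verbatim 4.9.52 backport, so no restyling of its format strings is appropriate here.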
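--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -16,6 +16,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
 git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-cache \
 file://dts \
 file://CVE-2016-10154.patch \
+file://CVE-2016-10208.patch \
 file://CVE-2017-7487.patch \
 file://CVE-2017-7618.patch \
 file://CVE-2017-7645.patch \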
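Review bot: The added `file://CVE-2016-10208.patch` entry carries a patch whose header states it is a backport from longterm 4.9.52, yet nothing in this recipe records which linux-cavium revision the backport was applied against, so a later SRCREV bump past that point would leave a patch that either fails to apply or silently duplicates an in-tree fix. Consider a comment above the SRC_URI assignment (which begins outside this hunk) naming the revision these CVE patches were verified on, e.g. `# CVE backports below verified against linux-cavium SRCREV <placeholder: pinned SRCREV>; drop entries already upstream when bumping`. The same applies to the neighbouring CVE-2016-10154 and CVE-2017-* entries, which the hunk shows as context.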