linux-cavium: CVE-2016-10208

EXT4 memory corruption / SLAB out-of-bounds read Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-10208 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-29 12:27:58 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-09-29 13:08:46 +0200
commit: 163efd512fede2d1a535256040895702b7b90012 (patch)
tree: fd322a0a9e3585cec0dca1ef7df709d77d2b547e
parent: 9898ed1ef252beccf252d05154be55d20cb0dd8c (diff)
download: meta-enea-bsp-arm-163efd512fede2d1a535256040895702b7b90012.tar.gz
2 files changed, 75 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2016-10208.patch b/recipes-kernel/linux/linux-cavium/CVE-2016-10208.patch
new file mode 100644
index 0000000..c3ab284
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2016-10208.patch
@@ -0,0 +1,74 @@
+From 13e6ef99d23b05807e7f8a72f45e3d8260b61570 Mon Sep 17 00:00:00 2001
+From: Eryu Guan <guaneryu@gmail.com>
+Date: Thu, 1 Dec 2016 15:08:37 -0500
+Subject: [PATCH] ext4: validate s_first_meta_bg at mount time
+commit 3a4b77cd47bb837b8557595ec7425f281f2ca1fe upstream.
+Ralf Spenneberg reported that he hit a kernel crash when mounting a
+modified ext4 image. And it turns out that kernel crashed when
+calculating fs overhead (ext4_calculate_overhead()), this is because
+the image has very large s_first_meta_bg (debug code shows it's
+842150400), and ext4 overruns the memory in count_overhead() when
+setting bitmap buffer, which is PAGE_SIZE.
+ext4_calculate_overhead():
+  buf = get_zeroed_page(GFP_NOFS);  <=== PAGE_SIZE buffer
+  blks = count_overhead(sb, i, buf);
+count_overhead():
+  for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) { <=== j = 842150400
+          ext4_set_bit(EXT4_B2C(sbi, s++), buf);   <=== buffer overrun
+          count++;
+  }
+This can be reproduced easily for me by this script:
+  #!/bin/bash
+  rm -f fs.img
+  mkdir -p /mnt/ext4
+  fallocate -l 16M fs.img
+  mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img
+  debugfs -w -R "ssv first_meta_bg 842150400" fs.img
+  mount -o loop fs.img /mnt/ext4
+Fix it by validating s_first_meta_bg first at mount time, and
+refusing to mount if its value exceeds the largest possible meta_bg
+number.
+CVE: CVE-2016-10208
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+Reported-by: Ralf Spenneberg <ralf@os-t.de>
+Signed-off-by: Eryu Guan <guaneryu@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/ext4/super.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 478630a..bbc316d 100644
+--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
+@@ -3827,6 +3827,15 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
+                        (EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb)));
+        db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
+                   EXT4_DESC_PER_BLOCK(sb);
+       if (ext4_has_feature_meta_bg(sb)) {
+               if (le32_to_cpu(es->s_first_meta_bg) >= db_count) {
+                       ext4_msg(sb, KERN_WARNING,
+                                "first meta block group too large: %u "
+                                "(group descriptor block count %u)",
+                                le32_to_cpu(es->s_first_meta_bg), db_count);
+                       goto failed_mount;
+               }
+       }
+        sbi->s_group_desc = ext4_kvmalloc(db_count *
+                                          sizeof(struct buffer_head *),
+                                          GFP_KERNEL);
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index da39406..c3e0f33 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -16,6 +16,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
           git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-cache \
           file://dts \
           file://CVE-2016-10154.patch \
+           file://CVE-2016-10208.patch \
           file://CVE-2017-7487.patch \
           file://CVE-2017-7618.patch \
           file://CVE-2017-7645.patch \
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-29 12:27:58 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-09-29 13:08:46 +0200
commit	163efd512fede2d1a535256040895702b7b90012 (patch)
tree	fd322a0a9e3585cec0dca1ef7df709d77d2b547e
parent	9898ed1ef252beccf252d05154be55d20cb0dd8c (diff)
download	meta-enea-bsp-arm-163efd512fede2d1a535256040895702b7b90012.tar.gz

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2016-10208.patch b/recipes-kernel/linux/linux-cavium/CVE-2016-10208.patch new file mode 100644 index 0000000..c3ab284 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2016-10208.patch
@@ -0,0 +1,74 @@
		1	From 13e6ef99d23b05807e7f8a72f45e3d8260b61570 Mon Sep 17 00:00:00 2001
		2	From: Eryu Guan <guaneryu@gmail.com>
		3	Date: Thu, 1 Dec 2016 15:08:37 -0500
		4	Subject: [PATCH] ext4: validate s_first_meta_bg at mount time
		5
		6	commit 3a4b77cd47bb837b8557595ec7425f281f2ca1fe upstream.
		7
		8	Ralf Spenneberg reported that he hit a kernel crash when mounting a
		9	modified ext4 image. And it turns out that kernel crashed when
		10	calculating fs overhead (ext4_calculate_overhead()), this is because
		11	the image has very large s_first_meta_bg (debug code shows it's
		12	842150400), and ext4 overruns the memory in count_overhead() when
		13	setting bitmap buffer, which is PAGE_SIZE.
		14
		15	ext4_calculate_overhead():
		16	buf = get_zeroed_page(GFP_NOFS); <=== PAGE_SIZE buffer
		17	blks = count_overhead(sb, i, buf);
		18
		19	count_overhead():
		20	for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) { <=== j = 842150400
		21	ext4_set_bit(EXT4_B2C(sbi, s++), buf); <=== buffer overrun
		22	count++;
		23	}
		24
		25	This can be reproduced easily for me by this script:
		26
		27	#!/bin/bash
		28	rm -f fs.img
		29	mkdir -p /mnt/ext4
		30	fallocate -l 16M fs.img
		31	mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img
		32	debugfs -w -R "ssv first_meta_bg 842150400" fs.img
		33	mount -o loop fs.img /mnt/ext4
		34
		35	Fix it by validating s_first_meta_bg first at mount time, and
		36	refusing to mount if its value exceeds the largest possible meta_bg
		37	number.
		38
		39	CVE: CVE-2016-10208
		40	Upstream-Status: Backport [from kernel.org longterm 4.9.52]
		41
		42	Reported-by: Ralf Spenneberg <ralf@os-t.de>
		43	Signed-off-by: Eryu Guan <guaneryu@gmail.com>
		44	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
		45	Reviewed-by: Andreas Dilger <adilger@dilger.ca>
		46	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		47	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		48	---
		49	fs/ext4/super.c \| 9 +++++++++
		50	1 file changed, 9 insertions(+)
		51
		52	diff --git a/fs/ext4/super.c b/fs/ext4/super.c
		53	index 478630a..bbc316d 100644
		54	--- a/fs/ext4/super.c
		55	+++ b/fs/ext4/super.c
		56	@@ -3827,6 +3827,15 @@ static int ext4_fill_super(struct super_block sb, void data, int silent)
		57	(EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb)));
		58	db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
		59	EXT4_DESC_PER_BLOCK(sb);
		60	+ if (ext4_has_feature_meta_bg(sb)) {
		61	+ if (le32_to_cpu(es->s_first_meta_bg) >= db_count) {
		62	+ ext4_msg(sb, KERN_WARNING,
		63	+ "first meta block group too large: %u "
		64	+ "(group descriptor block count %u)",
		65	+ le32_to_cpu(es->s_first_meta_bg), db_count);
		66	+ goto failed_mount;
		67	+ }
		68	+ }
		69	sbi->s_group_desc = ext4_kvmalloc(db_count *
		70	sizeof(struct buffer_head *),
		71	GFP_KERNEL);
		72	--
		73	1.9.1
		74


diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index da39406..c3e0f33 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -16,6 +16,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
16	git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-cache \	16	git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-cache \
17	file://dts \	17	file://dts \
18	file://CVE-2016-10154.patch \	18	file://CVE-2016-10154.patch \
		19	file://CVE-2016-10208.patch \
19	file://CVE-2017-7487.patch \	20	file://CVE-2017-7487.patch \
20	file://CVE-2017-7618.patch \	21	file://CVE-2017-7618.patch \
21	file://CVE-2017-7645.patch \	22	file://CVE-2017-7645.patch \