From 163efd512fede2d1a535256040895702b7b90012 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Fri, 29 Sep 2017 12:27:58 +0200 Subject: linux-cavium: CVE-2016-10208 EXT4 memory corruption / SLAB out-of-bounds read Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-10208 Signed-off-by: Sona Sarmadi Signed-off-by: Adrian Dudau
---
 .../linux/linux-cavium/CVE-2016-10208.patch | 74 ++++++++++++++++++++++ recipes-kernel/linux/linux-cavium_4.9.inc | 1 + 2 files changed, 75 insertions(+) create mode 100644 recipes-kernel/linux/linux-cavium/CVE-2016-10208.patch
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2016-10208.patch b/recipes-kernel/linux/linux-cavium/CVE-2016-10208.patch new file mode 100644
index 0000000..c3ab284
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2016-10208.patch
@@ -0,0 +1,74 @@
+From 13e6ef99d23b05807e7f8a72f45e3d8260b61570 Mon Sep 17 00:00:00 2001
+From: Eryu Guan
+Date: Thu, 1 Dec 2016 15:08:37 -0500
+Subject: [PATCH] ext4: validate s_first_meta_bg at mount time
+
+commit 3a4b77cd47bb837b8557595ec7425f281f2ca1fe upstream.
+
+Ralf Spenneberg reported that he hit a kernel crash when mounting a
+modified ext4 image. And it turns out that kernel crashed when
+calculating fs overhead (ext4_calculate_overhead()), this is because
+the image has very large s_first_meta_bg (debug code shows it's
+842150400), and ext4 overruns the memory in count_overhead() when
+setting bitmap buffer, which is PAGE_SIZE.
+
+ext4_calculate_overhead():
+ buf = get_zeroed_page(GFP_NOFS); <=== PAGE_SIZE buffer
+ blks = count_overhead(sb, i, buf);
+
+count_overhead():
+ for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) { <=== j = 842150400
+ ext4_set_bit(EXT4_B2C(sbi, s++), buf); <=== buffer overrun
+ count++;
+ }
+
+This can be reproduced easily for me by this script:
+
+ #!/bin/bash
+ rm -f fs.img
+ mkdir -p /mnt/ext4
+ fallocate -l 16M fs.img
+ mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img
+ debugfs -w -R "ssv first_meta_bg 842150400" fs.img
+ mount -o loop fs.img /mnt/ext4
+
+Fix it by validating s_first_meta_bg first at mount time, and
+refusing to mount if its value exceeds the largest possible meta_bg
+number.
+
+CVE: CVE-2016-10208
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+
+Reported-by: Ralf Spenneberg
+Signed-off-by: Eryu Guan
+Signed-off-by: Theodore Ts'o
+Reviewed-by: Andreas Dilger
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ fs/ext4/super.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 478630a..bbc316d 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3827,6 +3827,15 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
+ (EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb)));
+ db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
+ EXT4_DESC_PER_BLOCK(sb);
++ if (ext4_has_feature_meta_bg(sb)) {
++ if (le32_to_cpu(es->s_first_meta_bg) >= db_count) {
++ ext4_msg(sb, KERN_WARNING,
++ "first meta block group too large: %u "
++ "(group descriptor block count %u)",
++ le32_to_cpu(es->s_first_meta_bg), db_count);
++ goto failed_mount;
++ }
++ }
+ sbi->s_group_desc = ext4_kvmalloc(db_count *
+ sizeof(struct buffer_head *),
+ GFP_KERNEL);
+--
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index da39406..c3e0f33 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -16,6 +16,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
 git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-cache \
 file://dts \
 file://CVE-2016-10154.patch \
+ file://CVE-2016-10208.patch \
 file://CVE-2017-7487.patch \
 file://CVE-2017-7618.patch \
 file://CVE-2017-7645.patch \
-- cgit v1.2.3-54-g00ecf
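Review bot: The ext4 hunk is the upstream check carried verbatim, so my point is on the patch header rather than the code: the `Upstream-Status: Backport [from kernel.org longterm 4.9.52]` line records where the fix came from but not when it becomes redundant, and once linux-cavium_4.9.inc moves to a 4.9.y base that already contains 3a4b77cd47bb this file would presumably stop applying and the recipe would need a manual drop. A one-line note after it, `Drop this patch once the linux-cavium base is at or above 4.9.52.`, would make that cleanup obvious to whoever next bumps SRCREV. On the code itself, the new `goto failed_mount` runs before `sbi->s_group_desc` is allocated two lines further down, so the refusal path does not leave a descriptor array behind, and the `ext4_msg(sb, KERN_WARNING, ...)` gives a recognisable kernel-log line (`first meta block group too large`) worth watching for as a sign of a corrupted or deliberately modified image being mounted. ext4_fill_super starts and ends outside the hunk.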