diff options
| author | Theodore Ts'o <tytso@mit.edu> | 2018-06-17 07:41:14 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-10-13 10:09:32 +0300 |
| commit | 292dc9673821842c0762b5d095a05e354e795392 (patch) | |
| tree | 3813a42cc843ef6cbdb2dad9dd27b0da1b4dde88 /fs/ext4/super.c | |
| parent | fd2634366fca1f93e7d4cf36c8a919dfe11cd0ec (diff) | |
| download | linux-292dc9673821842c0762b5d095a05e354e795392.tar.xz | |
ext4: add more inode number paranoia checks
commit c37e9e013469521d9adb932d17a1795c139b36db upstream.
If there is a directory entry pointing to a system inode (such as a
journal inode), complain and declare the file system to be corrupted.
Also, if the superblock's first inode number field is too small,
refuse to mount the file system.
This addresses CVE-2018-10882.
https://bugzilla.kernel.org/show_bug.cgi?id=200069
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/ext4/super.c')
| -rw-r--r-- | fs/ext4/super.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/ext4/super.c b/fs/ext4/super.c index ad620f43a304..e55d36b04b50 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -3794,6 +3794,11 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) } else { sbi->s_inode_size = le16_to_cpu(es->s_inode_size); sbi->s_first_ino = le32_to_cpu(es->s_first_ino); + if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) { + ext4_msg(sb, KERN_ERR, "invalid first ino: %u", + sbi->s_first_ino); + goto failed_mount; + } if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) || (!is_power_of_2(sbi->s_inode_size)) || (sbi->s_inode_size > blocksize)) { |