Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bc890a60 authored by Theodore Ts'o's avatar Theodore Ts'o
Browse files

ext4: verify the depth of extent tree in ext4_find_extent() 

If there is a corupted file system where the claimed depth of the
extent tree is -1, this can cause a massive buffer overrun leading to
sadness.

This addresses CVE-2018-10877.

https://bugzilla.kernel.org/show_bug.cgi?id=199417



Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
parent 8844618d

fs/ext4/ext4_extents.h

+1 −0
Original line number Diff line number Diff line
@@ -91,6 +91,7 @@ struct ext4_extent_header { 
};



#define EXT4_EXT_MAGIC		cpu_to_le16(0xf30a)

#define EXT4_MAX_EXTENT_DEPTH 5



#define EXT4_EXTENT_TAIL_OFFSET(hdr) \

	(sizeof(struct ext4_extent_header) + \

fs/ext4/extents.c

+6 −0
Original line number Diff line number Diff line
@@ -869,6 +869,12 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, 


	eh = ext_inode_hdr(inode);

	depth = ext_depth(inode);

	if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) {

		EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d",

				 depth);

		ret = -EFSCORRUPTED;

		goto err;

	}



	if (path) {

		ext4_ext_drop_refs(path);