ext4: add more inode number paranoia checks

If there is a directory entry pointing to a system inode (such as a journal inode), complain and declare the file system to be corrupted. Also, if the superblock's first inode number field is too small, refuse to mount the file system. This addresses CVE-2018-10882. https://bugzilla.kernel.org/show_bug.cgi?id=200069 Signed-off-by: Theodore Ts'o <tytso@mit.edu> Cc: stable@kernel.org
author: Theodore Ts'o <tytso@mit.edu> 2018-06-17 07:41:14 +0300
committer: Theodore Ts'o <tytso@mit.edu> 2018-06-17 07:41:14 +0300
commit: c37e9e013469521d9adb932d17a1795c139b36db (patch)
tree: a7a39bc1259d9c8398817a5c7c05fcc87e8f6bb6 /fs/ext4/super.c
parent: 8bc1379b82b8e809eef77a9fedbb75c6c297be19 (diff)
download: linux-c37e9e013469521d9adb932d17a1795c139b36db.tar.xz
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 4d34430d75f6..1f955c128e0d 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3858,6 +3858,11 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
 	} else {
 		sbi->s_inode_size = le16_to_cpu(es->s_inode_size);
 		sbi->s_first_ino = le32_to_cpu(es->s_first_ino);
+		if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) {
+			ext4_msg(sb, KERN_ERR, "invalid first ino: %u",
+				 sbi->s_first_ino);
+			goto failed_mount;
+		}
 		if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) ||
 		    (!is_power_of_2(sbi->s_inode_size)) ||
 		    (sbi->s_inode_size > blocksize)) {
author	Theodore Ts'o <tytso@mit.edu>	2018-06-17 07:41:14 +0300
committer	Theodore Ts'o <tytso@mit.edu>	2018-06-17 07:41:14 +0300
commit	c37e9e013469521d9adb932d17a1795c139b36db (patch)
tree	a7a39bc1259d9c8398817a5c7c05fcc87e8f6bb6 /fs/ext4/super.c
parent	8bc1379b82b8e809eef77a9fedbb75c6c297be19 (diff)
download	linux-c37e9e013469521d9adb932d17a1795c139b36db.tar.xz