ext4: add more inode number paranoia checks

commit c37e9e013469521d9adb932d17a1795c139b36db upstream. If there is a directory entry pointing to a system inode (such as a journal inode), complain and declare the file system to be corrupted. Also, if the superblock's first inode number field is too small, refuse to mount the file system. This addresses CVE-2018-10882. https://bugzilla.kernel.org/show_bug.cgi?id=200069 Signed-off-by: Theodore Ts'o <tytso@mit.edu> Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Theodore Ts'o <tytso@mit.edu> 2018-06-17 00:41:14 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-07-11 16:29:18 +0200
commit: c24aab6d86640ccf321b87be6096319f55b16274 (patch)
tree: 3f045fd52fe057fd353de683064d925edb0fb27e /fs/ext4/inode.c
parent: 02945e49dc2026459e069467ec64e3fbecda844f (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 5b28153eb0fd..c2efe4d2ad87 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4455,7 +4455,8 @@ static int __ext4_get_inode_loc(struct inode *inode,
 	int			inodes_per_block, inode_offset;
 
 	iloc->bh = NULL;
-	if (!ext4_valid_inum(sb, inode->i_ino))
+	if (inode->i_ino < EXT4_ROOT_INO ||
+	    inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count))
 		return -EFSCORRUPTED;
 
 	iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb);
author	Theodore Ts'o <tytso@mit.edu>	2018-06-17 00:41:14 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-07-11 16:29:18 +0200
commit	c24aab6d86640ccf321b87be6096319f55b16274 (patch)
tree	3f045fd52fe057fd353de683064d925edb0fb27e /fs/ext4/inode.c
parent	02945e49dc2026459e069467ec64e3fbecda844f (diff)