ext4: add more inode number paranoia checks

commit c37e9e013469521d9adb932d17a1795c139b36db upstream. If there is a directory entry pointing to a system inode (such as a journal inode), complain and declare the file system to be corrupted. Also, if the superblock's first inode number field is too small, refuse to mount the file system. This addresses CVE-2018-10882. https://bugzilla.kernel.org/show_bug.cgi?id=200069 Signed-off-by: Theodore Ts'o <tytso@mit.edu> Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Theodore Ts'o <tytso@mit.edu> 2018-06-17 00:41:14 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-07-11 16:03:49 +0200
commit: ff6c96461be35381399466ad58f02b8d78ab480a (patch)
tree: 8f59e7eee7b4a1eb7b27d5c288adc755fcd2bb15 /fs/ext4/inode.c
parent: b88fc699a023e0ef86f647c3d48a17d7cfff1f2a (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index b8f4394971c8..b507de0e4bbf 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -3991,7 +3991,8 @@ static int __ext4_get_inode_loc(struct inode *inode,
 	int			inodes_per_block, inode_offset;
 
 	iloc->bh = NULL;
-	if (!ext4_valid_inum(sb, inode->i_ino))
+	if (inode->i_ino < EXT4_ROOT_INO ||
+	    inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count))
 		return -EFSCORRUPTED;
 
 	iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb);
author	Theodore Ts'o <tytso@mit.edu>	2018-06-17 00:41:14 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-07-11 16:03:49 +0200
commit	ff6c96461be35381399466ad58f02b8d78ab480a (patch)
tree	8f59e7eee7b4a1eb7b27d5c288adc755fcd2bb15 /fs/ext4/inode.c
parent	b88fc699a023e0ef86f647c3d48a17d7cfff1f2a (diff)