From eaa916ca30b60810ec16514c7290b35b687ed21d Mon Sep 17 00:00:00 2001
From: Jiri Slaby
Date: May 17 2023 19:16:10 +0000
Subject: ext4: remove a BUG_ON in ext4_mb_release_group_pa() (bsc#1012628).
---
diff --git a/patches.kernel.org/6.3.3-237-ext4-remove-a-BUG_ON-in-ext4_mb_release_group_p.patch b/patches.kernel.org/6.3.3-237-ext4-remove-a-BUG_ON-in-ext4_mb_release_group_p.patch
new file mode 100644
index 0000000..a9cc277
--- /dev/null
+++ b/patches.kernel.org/6.3.3-237-ext4-remove-a-BUG_ON-in-ext4_mb_release_group_p.patch
@@ -0,0 +1,46 @@
+From: Theodore Ts'o
+Date: Sat, 29 Apr 2023 16:14:46 -0400
+Subject: [PATCH] ext4: remove a BUG_ON in ext4_mb_release_group_pa()
+References: bsc#1012628
+Patch-mainline: 6.3.3
+Git-commit: 463808f237cf73e98a1a45ff7460c2406a150a0b
+
+commit 463808f237cf73e98a1a45ff7460c2406a150a0b upstream.
+
+If a malicious fuzzer overwrites the ext4 superblock while it is
+mounted such that the s_first_data_block is set to a very large
+number, the calculation of the block group can underflow, and trigger
+a BUG_ON check. Change this to be an ext4_warning so that we don't
+crash the kernel.
+
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20230430154311.579720-3-tytso@mit.edu
+Reported-by: syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=69b28112e098b070f639efb356393af3ffec4220
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Jiri Slaby
+---
+ fs/ext4/mballoc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 5b2ae37a..5639a4cf 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -4820,7 +4820,11 @@ ext4_mb_release_group_pa(struct ext4_buddy *e4b,
+ trace_ext4_mb_release_group_pa(sb, pa);
+ BUG_ON(pa->pa_deleted == 0);
+ ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
+- BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
++ if (unlikely(group != e4b->bd_group && pa->pa_len != 0)) {
++ ext4_warning(sb, "bad group: expected %u, group %u, pa_start %llu",
++ e4b->bd_group, group, pa->pa_pstart);
++ return 0;
++ }
+ mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
+ atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
+ trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index 1b84cd3..afe965c 100644
--- a/series.conf
+++ b/series.conf
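Review bot: The new early-return branch in the nested mballoc.c hunk skips `mb_free_blocks()` and the `s_mb_discarded` accounting but still returns 0, the same value as the success path, so a caller cannot tell that the preallocation was not released and the `pa_len` blocks of that `pa` stay marked in use in the buddy bitmap; that trade-off deserves a comment on the branch, e.g. `/* pa does not belong to this group (corrupt on-disk state): leave its blocks marked in use rather than free them into the wrong group */`. Since the commit message attributes the condition to an overwritten superblock, i.e. on-disk corruption, `ext4_error()` instead of `ext4_warning()` would also engage the filesystem's errors= mount policy rather than only logging; whether the callers tolerate that here is not visible in the hunk. `ext4_mb_release_group_pa()` begins and ends outside the hunk.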
@@ -970,6 +970,7 @@ patches.kernel.org/6.3.3-234-ext4-add-bounds-checking-in-get_max_inline_xatt.patch patches.kernel.org/6.3.3-235-ext4-bail-out-of-ext4_xattr_ibody_get-fails-for.patch patches.kernel.org/6.3.3-236-ext4-fix-lockdep-warning-when-enabling-MMP.patch + patches.kernel.org/6.3.3-237-ext4-remove-a-BUG_ON-in-ext4_mb_release_group_p.patch ######################################################## # Build fixes that apply to the vanilla kernel too.