Hi,
On Tue, Aug 23, 2022 at 12:00:19PM +0200, Lukas Czerner wrote:
> On Mon, Aug 22, 2022 at 01:48:32PM +0200, Jan Kara wrote:
> > The check in __ext4_read_dirblock() for block being outside of directory
> > size was wrong because it compared block number against directory size
> > in bytes. Fix it.
>
> Good catch, thanks!
>
> Reviewed-by: Lukas Czerner <lczerner@xxxxxxxxxx>
>
> >
> > Fixes: 65f8ea4cd57d ("ext4: check if directory block is within i_size")
> > CVE: CVE-2022-1184
> > CC: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Jan Kara <jack@xxxxxxx>
> > ---
> > fs/ext4/namei.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
> > index 3a31b662f661..bc2e0612ec32 100644
> > --- a/fs/ext4/namei.c
> > +++ b/fs/ext4/namei.c
> > @@ -126,7 +126,7 @@ static struct buffer_head *__ext4_read_dirblock(struct inode *inode,
> > struct ext4_dir_entry *dirent;
> > int is_dx_block = 0;
> >
> > - if (block >= inode->i_size) {
> > + if (block >= inode->i_size >> inode->i_blkbits) {
> > ext4_error_inode(inode, func, line, block,
> > "Attempting to read directory block (%u) that is past i_size (%llu)",
> > block, inode->i_size);
Ted, is this on your radar to get applied for mainline and to the
stable trees?
Regards,
Salvatore
