This is a note to let you know that I've just added the patch titled

    ext4: fix check for block being out of directory size

to the 5.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ext4-fix-check-for-block-being-out-of-directory-size.patch
and it can be found in the queue-5.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

>From 61a1d87a324ad5e3ed27c6699dfc93218fcf3201 Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@xxxxxxx>
Date: Mon, 22 Aug 2022 13:48:32 +0200
Subject: ext4: fix check for block being out of directory size

From: Jan Kara <jack@xxxxxxx>

commit 61a1d87a324ad5e3ed27c6699dfc93218fcf3201 upstream.

The check in __ext4_read_dirblock() for block being outside of directory
size was wrong because it compared block number against directory size
in bytes. Fix it.

Fixes: 65f8ea4cd57d ("ext4: check if directory block is within i_size")
CVE: CVE-2022-1184
CC: stable@xxxxxxxxxxxxxxx
Signed-off-by: Jan Kara <jack@xxxxxxx>
Reviewed-by: Lukas Czerner <lczerner@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20220822114832.1482-1-jack@xxxxxxx
Signed-off-by: Theodore Ts'o <tytso@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/ext4/namei.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -126,7 +126,7 @@ static struct buffer_head *__ext4_read_d struct ext4_dir_entry *dirent; int is_dx_block = 0; - if (block >= inode->i_size) { + if (block >= inode->i_size >> inode->i_blkbits) { ext4_error_inode(inode, func, line, block, "Attempting to read directory block (%u) that is past i_size (%llu)", block, inode->i_size); Patches currently in stable-queue which might be from jack@xxxxxxx are queue-5.19/ext4-update-state-fc_regions_size-after-successful-memory-allocation.patch queue-5.19/ext4-fix-null-ptr-deref-in-ext4_write_info.patch queue-5.19/jbd2-fix-potential-buffer-head-reference-count-leak.patch queue-5.19/ext4-fix-miss-release-buffer-head-in-ext4_fc_write_inode.patch queue-5.19/ext4-ext4_read_bh_lock-should-submit-io-if-the-buffer-isn-t-uptodate.patch queue-5.19/jbd2-fix-potential-use-after-free-in-jbd2_fc_wait_bufs.patch queue-5.19/ext4-fix-dir-corruption-when-ext4_dx_add_entry-fails.patch queue-5.19/ext2-add-sanity-checks-for-group-and-filesystem-size.patch queue-5.19/ext4-fix-potential-memory-leak-in-ext4_fc_record_modified_inode.patch queue-5.19/ext4-unconditionally-enable-the-i_version-counter.patch queue-5.19/ext4-fix-potential-memory-leak-in-ext4_fc_record_regions.patch queue-5.19/ext4-fix-i_version-handling-in-ext4.patch queue-5.19/jbd2-add-miss-release-buffer-head-in-fc_do_one_pass.patch queue-5.19/fs-record-i_dirty_time-even-if-inode-already-has-i_dirty_inode.patch queue-5.19/quota-check-next-prev-free-block-number-after-reading-from-quota-file.patch queue-5.19/ext4-don-t-increase-iversion-counter-for-ea_inodes.patch queue-5.19/ext4-avoid-crash-when-inline-data-creation-follows-dio-write.patch queue-5.19/ext4-fix-check-for-block-being-out-of-directory-size.patch
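Review bot: In the changed condition of the fs/ext4/namei.c hunk, `block >= inode->i_size >> inode->i_blkbits` depends on `>>` binding tighter than `>=`. That is correct C, but parentheses around the shift would make the bytes-to-blocks conversion obvious to the next reader. The unchanged ext4_error_inode() call below it still prints `block` (a block number, %u) beside `inode->i_size` in bytes (%llu) under the wording "past i_size", so the log line keeps the unit mismatch that this check just fixed; consider logging the shifted block count as well, or saying in the message that the size is in bytes. The shift also rounds down, so if i_size is not a multiple of the block size the final partial block is rejected; a short comment stating that this is intended for directories would help.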