Commit 349050b9 authored Aug 20, 2024 by Baokun Li Committed by Yifan Qiao Aug 20, 2024

ext4: make sure the first directory block is not a hole

stable inclusion
from stable-v5.10.224
commit de2a011a13a46468a6e8259db58b1b62071fe136
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQB7
CVE: CVE-2024-42304

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=de2a011a13a46468a6e8259db58b1b62071fe136



--------------------------------

commit f9ca51596bbfd0f9c386dd1c613c394c78d9e5e6 upstream.

The syzbot constructs a directory that has no dirblock but is non-inline,
i.e. the first directory block is a hole. And no errors are reported when
creating files in this directory in the following flow.

    ext4_mknod
     ...
      ext4_add_entry
        // Read block 0
        ext4_read_dirblock(dir, block, DIRENT)
          bh = ext4_bread(NULL, inode, block, 0)
          if (!bh && (type == INDEX || type == DIRENT_HTREE))
          // The first directory block is a hole
          // But type == DIRENT, so no error is reported.

After that, we get a directory block without '.' and '..' but with a valid
dentry. This may cause some code that relies on dot or dotdot (such as
make_indexed_dir()) to crash.

Therefore when ext4_read_dirblock() finds that the first directory block
is a hole report that the filesystem is corrupted and return an error to
avoid loading corrupted data from disk causing something bad.

Reported-by:  <syzbot+ae688d469e36fb5138d0@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=ae688d469e36fb5138d0


Fixes: 4e19d6b6 ("ext4: allow directory holes")
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240702132349.2600605-3-libaokun@huaweicloud.com


Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yifan Qiao <qiaoyifan4@huawei.com>

parent 891ee9c3

fs/ext4/namei.c

+6 −11

Original line number	Diff line number	Diff line
		@@ -150,10 +150,11 @@ static struct buffer_head __ext4_read_dirblock(struct inode inode,

		return bh;
		}
		if (!bh && (type == INDEX \|\| type == DIRENT_HTREE)) {
		/* The first directory block must not be a hole. */
		if (!bh && (type == INDEX \|\| type == DIRENT_HTREE \|\| block == 0)) {
		ext4_error_inode(inode, func, line, block,
		"Directory hole found for htree %s block",
		(type == INDEX) ? "index" : "leaf");
		"Directory hole found for htree %s block %u",
		(type == INDEX) ? "index" : "leaf", block);
		return ERR_PTR(-EFSCORRUPTED);
		}
		if (!bh)
		@@ -3024,10 +3025,7 @@ bool ext4_empty_dir(struct inode *inode)
		EXT4_ERROR_INODE(inode, "invalid size");
		return false;
		}
		/* The first directory block must not be a hole,
		* so treat it as DIRENT_HTREE
		*/
		bh = ext4_read_dirblock(inode, 0, DIRENT_HTREE);
		bh = ext4_read_dirblock(inode, 0, EITHER);
		if (IS_ERR(bh))
		return false;

		@@ -3664,10 +3662,7 @@ static struct buffer_head ext4_get_first_dir_block(handle_t handle,
		struct ext4_dir_entry_2 *de;
		unsigned int offset;

		/* The first directory block must not be a hole, so
		* treat it as DIRENT_HTREE
		*/
		bh = ext4_read_dirblock(inode, 0, DIRENT_HTREE);
		bh = ext4_read_dirblock(inode, 0, EITHER);
		if (IS_ERR(bh)) {
		*retval = PTR_ERR(bh);
		return NULL;