oss-sec mailing list archives
Re: CVE-2021-3428 Linux kernel: integer overflow in ext4_es_cache_extent
From: Brad Spengler <spender () grsecurity net>
Date: Wed, 17 Mar 2021 09:05:14 -0400
Hi Greg,
Please include what kernel version things like this were "found in" and when it was fixed, otherwise you force everyone to go scramble just to find that this was reported in July of 2020 and fixed then in the 5.9 kernel release and has already been backported to all relevant stable kernel releases in August of last year.
Those are a lot of assumptions there. I do wonder how you feel you can ignore the CVE process the rest of the world is engaged in, while at the same time boss around those engaged in it. But setting aside the irony of someone telling the world "if you want to know what was fixed or not, we publish the source, figure it out for yourself" being irate at being handed the same terms, I went ahead and did the investigation for you. The fix (part of the patch series https://www.spinics.net/lists/linux-ext4/msg73471.html): https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ce9f24cccdc019229b70a5c15e2b09ad9c0ab5d1 was included in 5.9, and was backported through to 5.7. However, you'll note the fixes tag points to a commit first appearing in 5.2. That commit commit itself was backported to some earlier stable kernels, like 4.14. Why wasn't the fix for this CVE backported to kernels older than 5.7? For the same reason many other bugs/vulnerabilities don't get backported: small, often trivial conflicts. In this instance, it becomes clear the reason why it wasn't backported any further than 5.7 is because 5.7 contained the following commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=54d3adbc29f0c7c53890da1683e629cd220d7201 without which there is a small conflict in fs/ext4/block_validity.c: <<<<<<< HEAD else { sbi->s_es->s_last_error_block = cpu_to_le64(start_blk); return 0; } ======= else return entry->ino == ino;
ce9f24cccdc0... ext4: check journal inode extents more carefully
Thanks, -Brad
Attachment:
signature.asc
Description: Digital signature
Current thread:
- CVE-2021-3428 Linux kernel: integer overflow in ext4_es_cache_extent Rohit Keshri (Mar 17)
- Re: CVE-2021-3428 Linux kernel: integer overflow in ext4_es_cache_extent Greg KH (Mar 17)
- Re: CVE-2021-3428 Linux kernel: integer overflow in ext4_es_cache_extent Salvatore Bonaccorso (Mar 17)
- Re: CVE-2021-3428 Linux kernel: integer overflow in ext4_es_cache_extent Greg Kroah-Hartman (Mar 17)
- Re: CVE-2021-3428 Linux kernel: integer overflow in ext4_es_cache_extent Jan Kara (Mar 17)
- Re: CVE-2021-3428 Linux kernel: integer overflow in ext4_es_cache_extent Salvatore Bonaccorso (Mar 17)
- Re: CVE-2021-3428 Linux kernel: integer overflow in ext4_es_cache_extent Wolfgang Frisch (Mar 17)
- Re: CVE-2021-3428 Linux kernel: integer overflow in ext4_es_cache_extent Brad Spengler (Mar 17)
- Re: CVE-2021-3428 Linux kernel: integer overflow in ext4_es_cache_extent Greg KH (Mar 17)