ext4: limit length to bitmap_maxbytes

Bug #1972281 reported by Paolo Pisati
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Incomplete
Undecided
Unassigned
Trusty
In Progress
High
Unassigned
Xenial
In Progress
High
Unassigned
Bionic
Fix Released
High
Luke Nowakowski-Krijger
Focal
Fix Released
High
Stefan Bader
Impish
Fix Released
High
Kleber Sacilotto de Souza
Jammy
Fix Released
High
Stefan Bader

Bug Description

[Impact]
Abusing ext4_fallocate() (as a normal user) triggers a BUG()/kernel panic.

[Fix]
Apply this upstream fix:

commit 2da376228a2427501feb9d15815a45dbdbdd753e
Author: Tadeusz Struk <email address hidden>
Date: Thu Mar 31 13:05:15 2022 -0700

ext4: limit length to bitmap_maxbytes - blocksize in punch_hole

[Test]
The reporter has provided a working reproducer.

[Where problems could occur]
Upstream fix already slated for @stable inclusion.

CVE References

Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1972281

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Impish):
status: New → Incomplete
Changed in linux (Ubuntu Jammy):
status: New → Incomplete
Stefan Bader (smb)
Changed in linux (Ubuntu Jammy):
importance: Undecided → High
status: Incomplete → In Progress
Changed in linux (Ubuntu Impish):
importance: Undecided → High
status: Incomplete → In Progress
Changed in linux (Ubuntu Focal):
importance: Undecided → High
status: New → In Progress
Changed in linux (Ubuntu Bionic):
importance: Undecided → High
status: New → In Progress
Changed in linux (Ubuntu Xenial):
importance: Undecided → High
status: New → In Progress
Changed in linux (Ubuntu Trusty):
importance: Undecided → High
status: New → In Progress
Stefan Bader (smb)
Changed in linux (Ubuntu Jammy):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
assignee: nobody → Stefan Bader (smb)
Changed in linux (Ubuntu Jammy):
assignee: nobody → Stefan Bader (smb)
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
assignee: nobody → Luke Nowakowski-Krijger (lukenow)
Changed in linux (Ubuntu Impish):
status: In Progress → Fix Committed
assignee: nobody → Kleber Sacilotto de Souza (kleber-souza)
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.4.0-112.126 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/4.15.0-179.188 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.15.0-32.33 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-jammy
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.13.0-44.49 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-impish' to 'verification-done-impish'. If the problem still exists, change the tag 'verification-needed-impish' to 'verification-failed-impish'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-impish
tags: added: verification-done-jammy
removed: verification-needed-jammy
tags: added: verification-done-focal
removed: verification-needed-focal
tags: added: verification-done-impish
removed: verification-needed-impish
tags: added: verification-done-bionic
removed: verification-needed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-180.189

---------------
linux (4.15.0-180.189) bionic; urgency=medium

  * bionic/linux: 4.15.0-180.189 -proposed tracker (LP: #1974013)

  * CVE-2022-29581
    - net/sched: cls_u32: fix netns refcount changes in u32_change()

  * Unprivileged users may use PTRACE_SEIZE to set PTRACE_O_SUSPEND_SECCOMP
    option (LP: #1972740)
    - ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE

  * ext4: limit length to bitmap_maxbytes (LP: #1972281)
    - ext4: limit length to bitmap_maxbytes - blocksize in punch_hole

 -- Kleber Sacilotto de Souza <email address hidden> Wed, 18 May 2022 15:56:44 +0200

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-113.127

---------------
linux (5.4.0-113.127) focal; urgency=medium

  * focal/linux: 5.4.0-113.127 -proposed tracker (LP: #1973980)

  * CVE-2022-29581
    - net/sched: cls_u32: fix netns refcount changes in u32_change()

  * CVE-2022-1116
    - io_uring: fix fs->users overflow

  * ext4: limit length to bitmap_maxbytes (LP: #1972281)
    - ext4: limit length to bitmap_maxbytes - blocksize in punch_hole

  * Unprivileged users may use PTRACE_SEIZE to set PTRACE_O_SUSPEND_SECCOMP
    option (LP: #1972740)
    - ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE

 -- Stefan Bader <email address hidden> Wed, 18 May 2022 16:07:54 +0200

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.13.0-44.49

---------------
linux (5.13.0-44.49) impish; urgency=medium

  * impish/linux: 5.13.0-44.49 -proposed tracker (LP: #1973941)

  * CVE-2022-29581
    - net/sched: cls_u32: fix netns refcount changes in u32_change()

  * Unprivileged users may use PTRACE_SEIZE to set PTRACE_O_SUSPEND_SECCOMP
    option (LP: #1972740)
    - ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE

  * ext4: limit length to bitmap_maxbytes (LP: #1972281)
    - ext4: limit length to bitmap_maxbytes - blocksize in punch_hole

 -- Kleber Sacilotto de Souza <email address hidden> Wed, 18 May 2022 14:56:02 +0200

Changed in linux (Ubuntu Impish):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.15.0-33.34

---------------
linux (5.15.0-33.34) jammy; urgency=medium

  * jammy/linux: 5.15.0-33.34 -proposed tracker (LP: #1973924)

  * CVE-2022-29581
    - net/sched: cls_u32: fix netns refcount changes in u32_change()

  * ext4: limit length to bitmap_maxbytes (LP: #1972281)
    - ext4: limit length to bitmap_maxbytes - blocksize in punch_hole

  * Unprivileged users may use PTRACE_SEIZE to set PTRACE_O_SUSPEND_SECCOMP
    option (LP: #1972740)
    - ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE

 -- Stefan Bader <email address hidden> Wed, 18 May 2022 15:11:00 +0200

Changed in linux (Ubuntu Jammy):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.