Home Home > GIT Browse > SLE12-SP3
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2019-05-22 20:07:18 +0200
committerTakashi Iwai <tiwai@suse.de>2019-05-22 20:07:18 +0200
commit5739ee56c9d6e64d011cd24360ae84cc6aadf17d (patch)
treed03432fb6e696f95348b3914025231d340edf5b6
parent56860f5fcdb29142724ae4e3242a2f1d4496012c (diff)
parentd9de56fc1befe8b1670e609b76ef36805af924c0 (diff)
Merge branch 'users/jack/cve/linux-4.4/for-next' into SLE12-SP3SLE12-SP3
Pull ext4 fix from Jan Kara (bsc#1135281 CVE-2019-11833)
-rw-r--r--patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch87
-rw-r--r--series.conf1
2 files changed, 88 insertions, 0 deletions
diff --git a/patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch b/patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
new file mode 100644
index 0000000000..cfdb379450
--- /dev/null
+++ b/patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
@@ -0,0 +1,87 @@
+From 592acbf16821288ecdc4192c47e3774a4c48bb64 Mon Sep 17 00:00:00 2001
+From: Sriram Rajagopalan <sriramr@arista.com>
+Date: Fri, 10 May 2019 19:28:06 -0400
+Subject: [PATCH] ext4: zero out the unused memory region in the extent tree
+ block
+Git-commit: 592acbf16821288ecdc4192c47e3774a4c48bb64
+Patch-mainline: v5.2-rc1
+References: bsc#1135281 CVE-2019-11833
+
+This commit zeroes out the unused memory region in the buffer_head
+corresponding to the extent metablock after writing the extent header
+and the corresponding extent node entries.
+
+This is done to prevent random uninitialized data from getting into
+the filesystem when the extent block is synced.
+
+This fixes CVE-2019-11833.
+
+Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/extents.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 0f89f5190cd7..f2c62e2a0c98 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -1035,6 +1035,7 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
+ __le32 border;
+ ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */
+ int err = 0;
++ size_t ext_size = 0;
+
+ /* make decision: where to split? */
+ /* FIXME: now decision is simplest: at current extent */
+@@ -1126,6 +1127,10 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
+ le16_add_cpu(&neh->eh_entries, m);
+ }
+
++ /* zero out unused area in the extent block */
++ ext_size = sizeof(struct ext4_extent_header) +
++ sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries);
++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
+ ext4_extent_block_csum_set(inode, neh);
+ set_buffer_uptodate(bh);
+ unlock_buffer(bh);
+@@ -1205,6 +1210,11 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
+ sizeof(struct ext4_extent_idx) * m);
+ le16_add_cpu(&neh->eh_entries, m);
+ }
++ /* zero out unused area in the extent block */
++ ext_size = sizeof(struct ext4_extent_header) +
++ (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries));
++ memset(bh->b_data + ext_size, 0,
++ inode->i_sb->s_blocksize - ext_size);
+ ext4_extent_block_csum_set(inode, neh);
+ set_buffer_uptodate(bh);
+ unlock_buffer(bh);
+@@ -1270,6 +1280,7 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode,
+ ext4_fsblk_t newblock, goal = 0;
+ struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es;
+ int err = 0;
++ size_t ext_size = 0;
+
+ /* Try to prepend new index to old one */
+ if (ext_depth(inode))
+@@ -1295,9 +1306,11 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode,
+ goto out;
+ }
+
++ ext_size = sizeof(EXT4_I(inode)->i_data);
+ /* move top-level index/leaf into new block */
+- memmove(bh->b_data, EXT4_I(inode)->i_data,
+- sizeof(EXT4_I(inode)->i_data));
++ memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size);
++ /* zero out unused area in the extent block */
++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
+
+ /* set size of new block */
+ neh = ext_block_hdr(bh);
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index 91f6c878bf..3d96dfa655 100644
--- a/series.conf
+++ b/series.conf
@@ -25390,6 +25390,7 @@
patches.fixes/0001-PCI-Mark-Atheros-AR9462-to-avoid-bus-reset.patch
patches.fixes/0001-backlight-lm3630a-Return-0-on-success-in-update_stat.patch
patches.fixes/0003-drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch
+ patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
# out-of-tree patches
patches.kabi/0001-move-power_up_on_resume-flag-to-end-of-structure-for.patch