author Jan Kara <jack@suse.cz> 2018-08-13 16:46:54 +0200
committer Jan Kara <jack@suse.cz> 2018-08-13 17:07:57 +0200
commit 139cf26a9d5486496b75c9361283a8328ee37e75 (patch)
tree 610e1d5aac56aa05d5b1b45cbee5a5f29ec80c5e
parent d4c749706a5b4e7f56db7c2c5d82d4e63adde999 (diff)
ext4: always verify the magic number in xattr blocks
(bsc#1099844 cve-2018-10879).
-rw-r--r-- patches.fixes/ext4-always-verify-the-magic-number-in-xattr-blocks.patch 48
-rw-r--r-- series.conf 1
2 files changed, 49 insertions, 0 deletions
diff --git a/patches.fixes/ext4-always-verify-the-magic-number-in-xattr-blocks.patch b/patches.fixes/ext4-always-verify-the-magic-number-in-xattr-blocks.patch
new file mode 100644
index 0000000000..299a6dc3ca
--- /dev/null
+++ b/patches.fixes/ext4-always-verify-the-magic-number-in-xattr-blocks.patch
@@ -0,0 +1,48 @@
+From 513f86d73855ce556ea9522b6bfd79f87356dc3a Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 13 Jun 2018 00:51:28 -0400
+Subject: [PATCH] ext4: always verify the magic number in xattr blocks
+Git-commit: 513f86d73855ce556ea9522b6bfd79f87356dc3a
+Patch-mainline: v4.18-rc4
+References: bsc#1099844 cve-2018-10879
+
+If there an inode points to a block which is also some other type of
+metadata block (such as a block allocation bitmap), the
+buffer_verified flag can be set when it was validated as that other
+metadata block type; however, it would make a really terrible external
+attribute block. The reason why we use the verified flag is to avoid
+constantly reverifying the block. However, it doesn't take much
+overhead to make sure the magic number of the xattr block is correct,
+and this will avoid potential crashes.
+
+This addresses CVE-2018-10879.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200001
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/xattr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -218,12 +218,12 @@ ext4_xattr_check_block(struct inode *ino
+ {
+ int error;
+
+- if (buffer_verified(bh))
+- return 0;
+-
+ if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) ||
+ BHDR(bh)->h_blocks != cpu_to_le32(1))
+ return -EFSCORRUPTED;
++ if (buffer_verified(bh))
++ return 0;
++
+ if (!ext4_xattr_block_csum_verify(inode, bh->b_blocknr, BHDR(bh)))
+ return -EFSBADCRC;
+ error = ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size,
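Review bot: In the embedded fs/ext4/xattr.c hunk, the relocated "if (buffer_verified(bh)) return 0;" still returns before ext4_xattr_block_csum_verify() and ext4_xattr_check_names(), so a buffer that was marked verified as some other metadata type and whose header happens to satisfy the h_magic and h_blocks comparisons skips both the checksum and the name/entry checks. The commit message argues only that the magic check is cheap and avoids crashes; it would help to state there (or in a comment above the buffer_verified test) that the magic and h_blocks comparison is the accepted guard against a cross-type verified flag and why the remaining checks may be skipped. Separately, the header line "References: bsc#1099844 cve-2018-10879" writes the CVE id in lower case while the body says "This addresses CVE-2018-10879."; using one spelling keeps the id easy to grep for.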
diff --git a/series.conf b/series.conf
index 9933a6f4c3..9ff099dfe9 100644
--- a/series.conf
+++ b/series.conf
@@ -7595,6 +7595,7 @@
patches.fixes/ext4-fix-inline-data-updates-with-checksums-enabled.patch
patches.fixes/ext4-check-for-allocation-block-validity-with-block-.patch
patches.fixes/ext4-fix-check-to-prevent-initializing-reserved-inod.patch
+ patches.fixes/ext4-always-verify-the-magic-number-in-xattr-blocks.patch
patches.fixes/ext4-avoid-running-out-of-journal-credits-when-appen.patch
patches.fixes/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
patches.fixes/vfs-add-the-sb_start_intwrite_trylock-helper.patch
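Review bot: The new series.conf entry is placed in the middle of a run of ext4 fixes, and nothing in the hunk shows that this position matches the order in which the patches apply. The embedded fs/ext4/xattr.c hunk expects ext4_xattr_check_block() to have the h_magic/h_blocks test directly after the buffer_verified() test, so it is worth confirming that no earlier entry changes that context and that the later ext4-never-move-the-system.data-xattr-out-of-the-ino.patch, which by its name also touches xattr code, still applies cleanly after this one.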