authorJan Kara <jack@suse.cz>2018-08-13 16:47:17 +0200
committerJan Kara <jack@suse.cz>2018-08-13 17:07:57 +0200
commitb2defded12c06f4d109c50bf9a9a24a7711c0d89 (patch)
tree4f8ea51e811f6d55dc284f1e95c600d31cac2906
parent139cf26a9d5486496b75c9361283a8328ee37e75 (diff)
ext4: add corruption check in ext4_xattr_set_entry()
(bsc#1099844 cve-2018-10879).
-rw-r--r--patches.fixes/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch45
-rw-r--r--series.conf1
2 files changed, 46 insertions, 0 deletions
diff --git a/patches.fixes/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch b/patches.fixes/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
new file mode 100644
index 0000000000..ec4a754815
--- /dev/null
+++ b/patches.fixes/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
@@ -0,0 +1,45 @@
+From 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 13 Jun 2018 00:23:11 -0400
+Subject: [PATCH] ext4: add corruption check in ext4_xattr_set_entry()
+Git-commit: 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d
+Patch-mainline: v4.18-rc4
+References: bsc#1099844 cve-2018-10879
+
+In theory this should have been caught earlier when the xattr list was
+verified, but in case it got missed, it's simple enough to add check
+to make sure we don't overrun the xattr buffer.
+
+This addresses CVE-2018-10879.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200001
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/xattr.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -652,12 +652,15 @@ static size_t ext4_xattr_free_space(stru
+ static int
+ ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s)
+ {
+- struct ext4_xattr_entry *last;
++ struct ext4_xattr_entry *last, *next;
+ size_t free, min_offs = s->end - s->base, name_len = strlen(i->name);
+
+ /* Compute min_offs and last. */
+ last = s->first;
+- for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
++ for (; !IS_LAST_ENTRY(last); last = next) {
++ next = EXT4_XATTR_NEXT(last);
++ if ((void *)next >= s->end)
++ return -EFSCORRUPTED;
+ if (!last->e_value_block && last->e_value_size) {
+ size_t offs = le16_to_cpu(last->e_value_offs);
+ if (offs < min_offs)
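Review bot: The new `return -EFSCORRUPTED;` inside the loop of ext4_xattr_set_entry() fails silently, so an image that trips this check leaves nothing in the kernel log to say which inode held the corrupted xattr list. As shown in this backport the function takes only `i` and `s`, so it has no inode to report. The callers, which are outside this hunk, would presumably have to log it, for example with `EXT4_ERROR_INODE(inode, "corrupted xattr entries");` when they see this return value. A short comment above the check would also help the next reader, e.g. `/* e_name_len comes from disk: stop before IS_LAST_ENTRY() dereferences an entry at or past s->end */`. The function body continues past the end of the hunk, so the later uses of `min_offs` and `last` cannot be reviewed from here.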
diff --git a/series.conf b/series.conf
index 9ff099dfe9..9a7bcef3bf 100644
--- a/series.conf
+++ b/series.conf
@@ -7595,6 +7595,7 @@
patches.fixes/ext4-fix-inline-data-updates-with-checksums-enabled.patch
patches.fixes/ext4-check-for-allocation-block-validity-with-block-.patch
patches.fixes/ext4-fix-check-to-prevent-initializing-reserved-inod.patch
+ patches.fixes/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
patches.fixes/ext4-always-verify-the-magic-number-in-xattr-blocks.patch
patches.fixes/ext4-avoid-running-out-of-journal-credits-when-appen.patch
patches.fixes/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch