ext4: CVE-2018-10880

ext4: never move the system.data xattr out of the inode body References: https://nvd.nist.gov/vuln/detail/CVE-2018-10880 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=3a282476161c54df1a2ef1ba664c8a3514ef49f4 Change-Id: I5a9cc26679b67e63059e9a4a3728f3ee1e68d57e Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-07-10 15:18:34 +0200
committer: Adrian Stratulat <adrian.stratulat@enea.com> 2019-07-12 12:04:56 +0200
commit: 6481019cced41109508ec7356686657233a12a7a (patch)
tree: ee4f5964d526b1548255c894ae1150d6f4f9dd2a
parent: 7acc62ca97b9e2b2606a2631e40e2e5c6b6974eb (diff)
download: enea-kernel-cache-6481019cced41109508ec7356686657233a12a7a.tar.gz
2 files changed, 51 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 9f87873..935280b 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -55,6 +55,9 @@ patch CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch
 #CVEs fixed in 4.9.128:
 patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
+#CVEs fixed in 4.9.131:
+patch CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
 #CVEs fixed in 4.9.138:
 patch CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch
diff --git a/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch b/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
new file mode 100644
index 0000000..d6220ca
--- /dev/null
+++ b/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
@@ -0,0 +1,48 @@
+From 3a282476161c54df1a2ef1ba664c8a3514ef49f4 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 16 Jun 2018 15:40:48 -0400
+Subject: [PATCH] ext4: never move the system.data xattr out of the inode body
+commit 8cdb5240ec5928b20490a2bb34cb87e9a5f40226 upstream.
+When expanding the extra isize space, we must never move the
+system.data xattr out of the inode body.  For performance reasons, it
+doesn't make any sense, and the inline data implementation assumes
+that system.data xattr is never in the external xattr block.
+This addresses CVE-2018-10880
+https://bugzilla.kernel.org/show_bug.cgi?id=200005
+CVE: CVE-2018-10880
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=3a282476161c54df1a2ef1ba664c8a3514ef49f4]
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+[groeck: Context changes]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/ext4/xattr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
+index fdcbe0f2814f..c19c96840480 100644
+--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
+@@ -1426,6 +1426,11 @@ static int ext4_xattr_make_inode_space(handle_t *handle, struct inode *inode,
+                last = IFIRST(header);
+                /* Find the entry best suited to be pushed into EA block */
+                for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
+                       /* never move system.data out of the inode */
+                       if ((last->e_name_len == 4) &&
+                           (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) &&
+                           !memcmp(last->e_name, "data", 4))
+                               continue;
+                        total_size =
+                        EXT4_XATTR_SIZE(le32_to_cpu(last->e_value_size)) +
+                                        EXT4_XATTR_LEN(last->e_name_len);
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-07-10 15:18:34 +0200
committer	Adrian Stratulat <adrian.stratulat@enea.com>	2019-07-12 12:04:56 +0200
commit	6481019cced41109508ec7356686657233a12a7a (patch)
tree	ee4f5964d526b1548255c894ae1150d6f4f9dd2a
parent	7acc62ca97b9e2b2606a2631e40e2e5c6b6974eb (diff)
download	enea-kernel-cache-6481019cced41109508ec7356686657233a12a7a.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 9f87873..935280b 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -55,6 +55,9 @@ patch CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch
55	#CVEs fixed in 4.9.128:	55	#CVEs fixed in 4.9.128:
56	patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch	56	patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
57		57
		58	#CVEs fixed in 4.9.131:
		59	patch CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
		60
58	#CVEs fixed in 4.9.138:	61	#CVEs fixed in 4.9.138:
59	patch CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch	62	patch CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch
60		63


diff --git a/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch b/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch new file mode 100644 index 0000000..d6220ca --- /dev/null +++ b/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
@@ -0,0 +1,48 @@
		1	From 3a282476161c54df1a2ef1ba664c8a3514ef49f4 Mon Sep 17 00:00:00 2001
		2	From: Theodore Ts'o <tytso@mit.edu>
		3	Date: Sat, 16 Jun 2018 15:40:48 -0400
		4	Subject: [PATCH] ext4: never move the system.data xattr out of the inode body
		5
		6	commit 8cdb5240ec5928b20490a2bb34cb87e9a5f40226 upstream.
		7
		8	When expanding the extra isize space, we must never move the
		9	system.data xattr out of the inode body. For performance reasons, it
		10	doesn't make any sense, and the inline data implementation assumes
		11	that system.data xattr is never in the external xattr block.
		12
		13	This addresses CVE-2018-10880
		14
		15	https://bugzilla.kernel.org/show_bug.cgi?id=200005
		16
		17	CVE: CVE-2018-10880
		18	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=3a282476161c54df1a2ef1ba664c8a3514ef49f4]
		19
		20	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
		21	Cc: stable@kernel.org
		22	[groeck: Context changes]
		23	Signed-off-by: Guenter Roeck <linux@roeck-us.net>
		24	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		25	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		26	---
		27	fs/ext4/xattr.c \| 5 +++++
		28	1 file changed, 5 insertions(+)
		29
		30	diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
		31	index fdcbe0f2814f..c19c96840480 100644
		32	--- a/fs/ext4/xattr.c
		33	+++ b/fs/ext4/xattr.c
		34	@@ -1426,6 +1426,11 @@ static int ext4_xattr_make_inode_space(handle_t handle, struct inode inode,
		35	last = IFIRST(header);
		36	/* Find the entry best suited to be pushed into EA block */
		37	for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
		38	+ /* never move system.data out of the inode */
		39	+ if ((last->e_name_len == 4) &&
		40	+ (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) &&
		41	+ !memcmp(last->e_name, "data", 4))
		42	+ continue;
		43	total_size =
		44	EXT4_XATTR_SIZE(le32_to_cpu(last->e_value_size)) +
		45	EXT4_XATTR_LEN(last->e_name_len);
		46	--
		47	2.20.1
		48