ext4: CVE-2018-10880

ext4: never move the system.data xattr out of the inode body References: https://nvd.nist.gov/vuln/detail/CVE-2018-10880 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=3a282476161c54df1a2ef1ba664c8a3514ef49f4 Change-Id: I2245006d33be0a1474dadd5a676266717776c294 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-07-10 12:17:57 +0200
committer: Adrian Stratulat <adrian.stratulat@enea.com> 2019-07-12 15:09:23 +0200
commit: 7b166ca3cd7089aeb912b54d218697fb01591818 (patch)
tree: 32182f49677d7226e148ad4129e1574aff086f56
parent: da9b21cafedbe210b4d6b399e513a21017fee7c1 (diff)
download: enea-kernel-cache-7b166ca3cd7089aeb912b54d218697fb01591818.tar.gz
2 files changed, 51 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 18412cb..b4740c7 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -20,6 +20,9 @@ patch CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch
 #CVEs fixed in 4.9.128:
 patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
+#CVEs fixed in 4.9.131:
+patch CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
 #CVEs fixed in 4.9.138:
 patch CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch
diff --git a/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch b/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
new file mode 100644
index 0000000..d6220ca
--- /dev/null
+++ b/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
@@ -0,0 +1,48 @@
+From 3a282476161c54df1a2ef1ba664c8a3514ef49f4 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 16 Jun 2018 15:40:48 -0400
+Subject: [PATCH] ext4: never move the system.data xattr out of the inode body
+commit 8cdb5240ec5928b20490a2bb34cb87e9a5f40226 upstream.
+When expanding the extra isize space, we must never move the
+system.data xattr out of the inode body.  For performance reasons, it
+doesn't make any sense, and the inline data implementation assumes
+that system.data xattr is never in the external xattr block.
+This addresses CVE-2018-10880
+https://bugzilla.kernel.org/show_bug.cgi?id=200005
+CVE: CVE-2018-10880
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=3a282476161c54df1a2ef1ba664c8a3514ef49f4]
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+[groeck: Context changes]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/ext4/xattr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
+index fdcbe0f2814f..c19c96840480 100644
+--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
+@@ -1426,6 +1426,11 @@ static int ext4_xattr_make_inode_space(handle_t *handle, struct inode *inode,
+                last = IFIRST(header);
+                /* Find the entry best suited to be pushed into EA block */
+                for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
+                       /* never move system.data out of the inode */
+                       if ((last->e_name_len == 4) &&
+                           (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) &&
+                           !memcmp(last->e_name, "data", 4))
+                               continue;
+                        total_size =
+                        EXT4_XATTR_SIZE(le32_to_cpu(last->e_value_size)) +
+                                        EXT4_XATTR_LEN(last->e_name_len);
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-07-10 12:17:57 +0200
committer	Adrian Stratulat <adrian.stratulat@enea.com>	2019-07-12 15:09:23 +0200
commit	7b166ca3cd7089aeb912b54d218697fb01591818 (patch)
tree	32182f49677d7226e148ad4129e1574aff086f56
parent	da9b21cafedbe210b4d6b399e513a21017fee7c1 (diff)
download	enea-kernel-cache-7b166ca3cd7089aeb912b54d218697fb01591818.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 18412cb..b4740c7 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -20,6 +20,9 @@ patch CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch
20	#CVEs fixed in 4.9.128:	20	#CVEs fixed in 4.9.128:
21	patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch	21	patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
22		22
		23	#CVEs fixed in 4.9.131:
		24	patch CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
		25
23	#CVEs fixed in 4.9.138:	26	#CVEs fixed in 4.9.138:
24	patch CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch	27	patch CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch
25		28


diff --git a/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch b/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch new file mode 100644 index 0000000..d6220ca --- /dev/null +++ b/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
@@ -0,0 +1,48 @@
		1	From 3a282476161c54df1a2ef1ba664c8a3514ef49f4 Mon Sep 17 00:00:00 2001
		2	From: Theodore Ts'o <tytso@mit.edu>
		3	Date: Sat, 16 Jun 2018 15:40:48 -0400
		4	Subject: [PATCH] ext4: never move the system.data xattr out of the inode body
		5
		6	commit 8cdb5240ec5928b20490a2bb34cb87e9a5f40226 upstream.
		7
		8	When expanding the extra isize space, we must never move the
		9	system.data xattr out of the inode body. For performance reasons, it
		10	doesn't make any sense, and the inline data implementation assumes
		11	that system.data xattr is never in the external xattr block.
		12
		13	This addresses CVE-2018-10880
		14
		15	https://bugzilla.kernel.org/show_bug.cgi?id=200005
		16
		17	CVE: CVE-2018-10880
		18	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=3a282476161c54df1a2ef1ba664c8a3514ef49f4]
		19
		20	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
		21	Cc: stable@kernel.org
		22	[groeck: Context changes]
		23	Signed-off-by: Guenter Roeck <linux@roeck-us.net>
		24	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		25	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		26	---
		27	fs/ext4/xattr.c \| 5 +++++
		28	1 file changed, 5 insertions(+)
		29
		30	diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
		31	index fdcbe0f2814f..c19c96840480 100644
		32	--- a/fs/ext4/xattr.c
		33	+++ b/fs/ext4/xattr.c
		34	@@ -1426,6 +1426,11 @@ static int ext4_xattr_make_inode_space(handle_t handle, struct inode inode,
		35	last = IFIRST(header);
		36	/* Find the entry best suited to be pushed into EA block */
		37	for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
		38	+ /* never move system.data out of the inode */
		39	+ if ((last->e_name_len == 4) &&
		40	+ (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) &&
		41	+ !memcmp(last->e_name, "data", 4))
		42	+ continue;
		43	total_size =
		44	EXT4_XATTR_SIZE(le32_to_cpu(last->e_value_size)) +
		45	EXT4_XATTR_LEN(last->e_name_len);
		46	--
		47	2.20.1
		48