diff options
author | Andreas Wellving <andreas.wellving@enea.com> | 2019-02-04 13:19:35 +0100 |
---|---|---|
committer | Andreas Wellving <andreas.wellving@enea.com> | 2019-02-04 13:19:35 +0100 |
commit | f2e51e17184ff2dd07e82de32281ac3fffa2228a (patch) | |
tree | f2bd1cb8b6a2306bb55e3db798a0f5e78a744b9d /patches/cve | |
parent | 84776d648fde1c97c351e3b465b2e4dd9d8c8ddd (diff) | |
download | enea-kernel-cache-f2e51e17184ff2dd07e82de32281ac3fffa2228a.tar.gz |
xfs: CVE-2018-18690
xfs: don't fail when converting shortform attr to long form during ATTR_REPLACE
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-18690
https://github.com/torvalds/linux/commit/7b38460dc8e4eafba06c78f8e37099d3b34d473c
Change-Id: Ib6d7cd2510bef1a68cfcdf77d631c5edc1e52477
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
Diffstat (limited to 'patches/cve')
-rw-r--r-- | patches/cve/4.14.x.scc | 1 | ||||
-rw-r--r-- | patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch | 54 |
2 files changed, 55 insertions, 0 deletions
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index f0ed95a..f47c792 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc | |||
@@ -9,3 +9,4 @@ patch CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch | |||
9 | patch CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch | 9 | patch CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch |
10 | patch CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch | 10 | patch CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch |
11 | patch CVE-2018-14614-f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch | 11 | patch CVE-2018-14614-f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch |
12 | patch CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch | ||
diff --git a/patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch b/patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch new file mode 100644 index 0000000..7b5e78f --- /dev/null +++ b/patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch | |||
@@ -0,0 +1,54 @@ | |||
1 | From cb7ccb9924bb3596f211badf0d2becf131a979cd Mon Sep 17 00:00:00 2001 | ||
2 | From: "Darrick J. Wong" <darrick.wong@oracle.com> | ||
3 | Date: Tue, 17 Apr 2018 19:10:15 -0700 | ||
4 | Subject: [PATCH] xfs: don't fail when converting shortform attr to long form | ||
5 | during ATTR_REPLACE | ||
6 | |||
7 | commit 7b38460dc8e4eafba06c78f8e37099d3b34d473c upstream. | ||
8 | |||
9 | Kanda Motohiro reported that expanding a tiny xattr into a large xattr | ||
10 | fails on XFS because we remove the tiny xattr from a shortform fork and | ||
11 | then try to re-add it after converting the fork to extents format having | ||
12 | not removed the ATTR_REPLACE flag. This fails because the attr is no | ||
13 | longer present, causing a fs shutdown. | ||
14 | |||
15 | This is derived from the patch in his bug report, but we really | ||
16 | shouldn't ignore a nonzero retval from the remove call. | ||
17 | |||
18 | CVE: CVE-2018-18690 | ||
19 | Upstream-Status: Backport | ||
20 | |||
21 | Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199119 | ||
22 | Reported-by: kanda.motohiro@gmail.com | ||
23 | Reviewed-by: Dave Chinner <dchinner@redhat.com> | ||
24 | Reviewed-by: Christoph Hellwig <hch@lst.de> | ||
25 | Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> | ||
26 | Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> | ||
27 | Signed-off-by: Sasha Levin <sashal@kernel.org> | ||
28 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
29 | --- | ||
30 | fs/xfs/libxfs/xfs_attr.c | 9 ++++++++- | ||
31 | 1 file changed, 8 insertions(+), 1 deletion(-) | ||
32 | |||
33 | diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c | ||
34 | index 6249c92671de..ea66f04f46f7 100644 | ||
35 | --- a/fs/xfs/libxfs/xfs_attr.c | ||
36 | +++ b/fs/xfs/libxfs/xfs_attr.c | ||
37 | @@ -501,7 +501,14 @@ xfs_attr_shortform_addname(xfs_da_args_t *args) | ||
38 | if (args->flags & ATTR_CREATE) | ||
39 | return retval; | ||
40 | retval = xfs_attr_shortform_remove(args); | ||
41 | - ASSERT(retval == 0); | ||
42 | + if (retval) | ||
43 | + return retval; | ||
44 | + /* | ||
45 | + * Since we have removed the old attr, clear ATTR_REPLACE so | ||
46 | + * that the leaf format add routine won't trip over the attr | ||
47 | + * not being around. | ||
48 | + */ | ||
49 | + args->flags &= ~ATTR_REPLACE; | ||
50 | } | ||
51 | |||
52 | if (args->namelen >= XFS_ATTR_SF_ENTSIZE_MAX || | ||
53 | -- | ||
54 | 2.19.2 | ||