From f2e51e17184ff2dd07e82de32281ac3fffa2228a Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Mon, 4 Feb 2019 13:19:35 +0100 Subject: xfs: CVE-2018-18690 xfs: don't fail when converting shortform attr to long form during ATTR_REPLACE References: https://nvd.nist.gov/vuln/detail/CVE-2018-18690 https://github.com/torvalds/linux/commit/7b38460dc8e4eafba06c78f8e37099d3b34d473c Change-Id: Ib6d7cd2510bef1a68cfcdf77d631c5edc1e52477 Signed-off-by: Andreas Wellving --- patches/cve/4.14.x.scc | 1 + ...ail-when-converting-shortform-attr-to-lon.patch | 54 ++++++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index f0ed95a..f47c792 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc @@ -9,3 +9,4 @@ patch CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch patch CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch patch CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch patch CVE-2018-14614-f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch +patch CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch diff --git a/patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch b/patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch new file mode 100644 index 0000000..7b5e78f --- /dev/null +++ b/patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch 
@@ -0,0 +1,54 @@ +From cb7ccb9924bb3596f211badf0d2becf131a979cd Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Tue, 17 Apr 2018 19:10:15 -0700 +Subject: [PATCH] xfs: don't fail when converting shortform attr to long form + during ATTR_REPLACE + +commit 7b38460dc8e4eafba06c78f8e37099d3b34d473c upstream. + +Kanda Motohiro reported that expanding a tiny xattr into a large xattr +fails on XFS because we remove the tiny xattr from a shortform fork and +then try to re-add it after converting the fork to extents format having +not removed the ATTR_REPLACE flag. This fails because the attr is no +longer present, causing a fs shutdown. + +This is derived from the patch in his bug report, but we really +shouldn't ignore a nonzero retval from the remove call. + +CVE: CVE-2018-18690 +Upstream-Status: Backport + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199119 +Reported-by: kanda.motohiro@gmail.com +Reviewed-by: Dave Chinner +Reviewed-by: Christoph Hellwig +Signed-off-by: Darrick J. Wong +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +Signed-off-by: Andreas Wellving +--- + fs/xfs/libxfs/xfs_attr.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c +index 6249c92671de..ea66f04f46f7 100644 +--- a/fs/xfs/libxfs/xfs_attr.c ++++ b/fs/xfs/libxfs/xfs_attr.c +@@ -501,7 +501,14 @@ xfs_attr_shortform_addname(xfs_da_args_t *args) + if (args->flags & ATTR_CREATE) + return retval; + retval = xfs_attr_shortform_remove(args); +- ASSERT(retval == 0); ++ if (retval) ++ return retval; ++ /* ++ * Since we have removed the old attr, clear ATTR_REPLACE so ++ * that the leaf format add routine won't trip over the attr ++ * not being around. ++ */ ++ args->flags &= ~ATTR_REPLACE; + } + + if (args->namelen >= XFS_ATTR_SF_ENTSIZE_MAX || +-- +2.19.2 -- cgit v1.2.3-54-g00ecf
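Review bot: In the header of the added patch file, `Upstream-Status: Backport` does not say which tree or branch the backport was taken from. The header opens with `From cb7ccb9924bb3596f211badf0d2becf131a979cd` while the body cites `commit 7b38460dc8e4eafba06c78f8e37099d3b34d473c upstream`, so two commit ids appear and only the second is explained. Suggest naming the source of the first id next to the `Upstream-Status` tag, so that someone auditing the CVE patch set can match this file against the exact commit it was copied from.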
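Review bot: In the `xfs_attr_shortform_addname` hunk, `args->flags &= ~ATTR_REPLACE;` modifies the caller's `args` and nothing in the visible lines restores the flag, so any code that later inspects `args->flags` will no longer see that this was a replace operation. The new comment explains why the flag is cleared but not that the change is visible to the caller; suggest extending it to say that ATTR_REPLACE stays cleared for the rest of the operation. Turning `ASSERT(retval == 0);` into `if (retval) return retval;` matches the commit message's point that a nonzero return from the remove call should not be ignored. It is also worth confirming that every caller handles an error from this path now that one can be returned here.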