linux-intel-rt: Fix for CVE-2018-13093

References: https://github.com/nluedtke/linux_kernel_cves/blob/master/4.14/4.14_security.txt https://nvd.nist.gov/vuln/detail/CVE-2018-13093 Change-Id: Ib4fb2a6efdbd4e47527618aaeb9151aeb2ec9738 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2018-09-19 12:48:03 +0200
committer: Martin Borg <martin.borg@enea.com> 2018-09-21 14:41:48 +0200
commit: 3547448d2fd86248c11d256e4ae4f02adea67d47 (patch)
tree: bec24f5e510364422ccc5e6a72f56e2505ce5efa
parent: 06c18f7408509b7a9a39081260fb6c742af1e2c9 (diff)
download: meta-enea-bsp-x86-3547448d2fd86248c11d256e4ae4f02adea67d47.tar.gz
2 files changed, 149 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
index 5578c7b..67e9661 100644
--- a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
+++ b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
@@ -8,6 +8,7 @@ KENEABRANCH = "intel-4.14"
 SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \
                   file://CVE-2018-14734.patch \
                   file://CVE-2018-12233.patch \
+                   file://CVE-2018-13093.patch \
                 "
 # Debug tools support
diff --git a/recipes-kernel/linux/linux-intel/CVE-2018-13093.patch b/recipes-kernel/linux/linux-intel/CVE-2018-13093.patch
new file mode 100644
index 0000000..87b53c3
--- /dev/null
+++ b/recipes-kernel/linux/linux-intel/CVE-2018-13093.patch
@@ -0,0 +1,148 @@
+From c2ae72c4e543148cfb4232617815942f3ad1d37a Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Fri, 23 Mar 2018 10:22:53 -0700
+Subject: [PATCH] xfs: validate cached inodes are free when allocated
+commit afca6c5b2595fc44383919fba740c194b0b76aff upstream.
+A recent fuzzed filesystem image cached random dcache corruption
+when the reproducer was run. This often showed up as panics in
+lookup_slow() on a null inode->i_ops pointer when doing pathwalks.
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+....
+Call Trace:
+ lookup_slow+0x44/0x60
+ walk_component+0x3dd/0x9f0
+ link_path_walk+0x4a7/0x830
+ path_lookupat+0xc1/0x470
+ filename_lookup+0x129/0x270
+ user_path_at_empty+0x36/0x40
+ path_listxattr+0x98/0x110
+ SyS_listxattr+0x13/0x20
+ do_syscall_64+0xf5/0x280
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+but had many different failure modes including deadlocks trying to
+lock the inode that was just allocated or KASAN reports of
+use-after-free violations.
+The cause of the problem was a corrupt INOBT on a v4 fs where the
+root inode was marked as free in the inobt record. Hence when we
+allocated an inode, it chose the root inode to allocate, found it in
+the cache and re-initialised it.
+We recently fixed a similar inode allocation issue caused by inobt
+record corruption problem in xfs_iget_cache_miss() in commit
+ee457001ed6c ("xfs: catch inode allocation state mismatch
+corruption"). This change adds similar checks to the cache-hit path
+to catch it, and turns the reproducer into a corruption shutdown
+situation.
+CVE: CVE-2018-13093
+Upstream-Status: Backport
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Signed-Off-By: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+[darrick: fix typos in comment]
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Cc: Eduardo Valentin <eduval@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/xfs/xfs_icache.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 51 insertions(+), 7 deletions(-)
+diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c
+index 43005fb..544b521 100644
+--- a/fs/xfs/xfs_icache.c
+++ b/fs/xfs/xfs_icache.c
+@@ -306,6 +306,46 @@ struct xfs_inode *
+ }
+ 
+ /*
+ * If we are allocating a new inode, then check what was returned is
+ * actually a free, empty inode. If we are not allocating an inode,
+ * then check we didn't find a free inode.
+ *
+ * Returns:
+ *     0               if the inode free state matches the lookup context
+ *     -ENOENT         if the inode is free and we are not allocating
+ *     -EFSCORRUPTED   if there is any state mismatch at all
+ */
+static int
+xfs_iget_check_free_state(
+       struct xfs_inode        *ip,
+       int                     flags)
+{
+       if (flags & XFS_IGET_CREATE) {
+               /* should be a free inode */
+               if (VFS_I(ip)->i_mode != 0) {
+                       xfs_warn(ip->i_mount,
+"Corruption detected! Free inode 0x%llx not marked free! (mode 0x%x)",
+                               ip->i_ino, VFS_I(ip)->i_mode);
+                       return -EFSCORRUPTED;
+               }
+
+               if (ip->i_d.di_nblocks != 0) {
+                       xfs_warn(ip->i_mount,
+"Corruption detected! Free inode 0x%llx has blocks allocated!",
+                               ip->i_ino);
+                       return -EFSCORRUPTED;
+               }
+               return 0;
+       }
+
+       /* should be an allocated inode */
+       if (VFS_I(ip)->i_mode == 0)
+               return -ENOENT;
+
+       return 0;
+}
+
+/*
+  * Check the validity of the inode we just found it the cache
+  */
+ static int
+@@ -354,12 +394,12 @@ struct xfs_inode *
+        }
+ 
+        /*
+-        * If lookup is racing with unlink return an error immediately.
+        * Check the inode free state is valid. This also detects lookup
+        * racing with unlinks.
+         */
+-       if (VFS_I(ip)->i_mode == 0 && !(flags & XFS_IGET_CREATE)) {
+-               error = -ENOENT;
+       error = xfs_iget_check_free_state(ip, flags);
+       if (error)
+                goto out_error;
+-       }
+ 
+        /*
+         * If IRECLAIMABLE is set, we've torn down the VFS inode already.
+@@ -475,10 +515,14 @@ struct xfs_inode *
+ 
+        trace_xfs_iget_miss(ip);
+ 
+-       if ((VFS_I(ip)->i_mode == 0) && !(flags & XFS_IGET_CREATE)) {
+-               error = -ENOENT;
+
+       /*
+        * Check the inode free state is valid. This also detects lookup
+        * racing with unlinks.
+        */
+       error = xfs_iget_check_free_state(ip, flags);
+       if (error)
+                goto out_destroy;
+-       }
+ 
+        /*
+         * Preload the radix tree so we can insert safely under the
+-- 
+1.9.1
author	Sona Sarmadi <sona.sarmadi@enea.com>	2018-09-19 12:48:03 +0200
committer	Martin Borg <martin.borg@enea.com>	2018-09-21 14:41:48 +0200
commit	3547448d2fd86248c11d256e4ae4f02adea67d47 (patch)
tree	bec24f5e510364422ccc5e6a72f56e2505ce5efa
parent	06c18f7408509b7a9a39081260fb6c742af1e2c9 (diff)
download	meta-enea-bsp-x86-3547448d2fd86248c11d256e4ae4f02adea67d47.tar.gz

diff --git a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend index 5578c7b..67e9661 100644 --- a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend +++ b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
@@ -8,6 +8,7 @@ KENEABRANCH = "intel-4.14"
8	SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \	8	SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \
9	file://CVE-2018-14734.patch \	9	file://CVE-2018-14734.patch \
10	file://CVE-2018-12233.patch \	10	file://CVE-2018-12233.patch \
		11	file://CVE-2018-13093.patch \
11	"	12	"
12		13
13	# Debug tools support	14	# Debug tools support


diff --git a/recipes-kernel/linux/linux-intel/CVE-2018-13093.patch b/recipes-kernel/linux/linux-intel/CVE-2018-13093.patch new file mode 100644 index 0000000..87b53c3 --- /dev/null +++ b/recipes-kernel/linux/linux-intel/CVE-2018-13093.patch
@@ -0,0 +1,148 @@
		1	From c2ae72c4e543148cfb4232617815942f3ad1d37a Mon Sep 17 00:00:00 2001
		2	From: Dave Chinner <dchinner@redhat.com>
		3	Date: Fri, 23 Mar 2018 10:22:53 -0700
		4	Subject: [PATCH] xfs: validate cached inodes are free when allocated
		5
		6	commit afca6c5b2595fc44383919fba740c194b0b76aff upstream.
		7
		8	A recent fuzzed filesystem image cached random dcache corruption
		9	when the reproducer was run. This often showed up as panics in
		10	lookup_slow() on a null inode->i_ops pointer when doing pathwalks.
		11
		12	BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
		13	....
		14	Call Trace:
		15	lookup_slow+0x44/0x60
		16	walk_component+0x3dd/0x9f0
		17	link_path_walk+0x4a7/0x830
		18	path_lookupat+0xc1/0x470
		19	filename_lookup+0x129/0x270
		20	user_path_at_empty+0x36/0x40
		21	path_listxattr+0x98/0x110
		22	SyS_listxattr+0x13/0x20
		23	do_syscall_64+0xf5/0x280
		24	entry_SYSCALL_64_after_hwframe+0x42/0xb7
		25
		26	but had many different failure modes including deadlocks trying to
		27	lock the inode that was just allocated or KASAN reports of
		28	use-after-free violations.
		29
		30	The cause of the problem was a corrupt INOBT on a v4 fs where the
		31	root inode was marked as free in the inobt record. Hence when we
		32	allocated an inode, it chose the root inode to allocate, found it in
		33	the cache and re-initialised it.
		34
		35	We recently fixed a similar inode allocation issue caused by inobt
		36	record corruption problem in xfs_iget_cache_miss() in commit
		37	ee457001ed6c ("xfs: catch inode allocation state mismatch
		38	corruption"). This change adds similar checks to the cache-hit path
		39	to catch it, and turns the reproducer into a corruption shutdown
		40	situation.
		41
		42	CVE: CVE-2018-13093
		43	Upstream-Status: Backport
		44
		45	Reported-by: Wen Xu <wen.xu@gatech.edu>
		46	Signed-Off-By: Dave Chinner <dchinner@redhat.com>
		47	Reviewed-by: Christoph Hellwig <hch@lst.de>
		48	Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
		49	Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
		50	[darrick: fix typos in comment]
		51	Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
		52	Cc: Eduardo Valentin <eduval@amazon.com>
		53	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		54
		55	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		56	---
		57	fs/xfs/xfs_icache.c \| 58 ++++++++++++++++++++++++++++++++++++++++++++++-------
		58	1 file changed, 51 insertions(+), 7 deletions(-)
		59
		60	diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c
		61	index 43005fb..544b521 100644
		62	--- a/fs/xfs/xfs_icache.c
		63	+++ b/fs/xfs/xfs_icache.c
		64	@@ -306,6 +306,46 @@ struct xfs_inode *
		65	}
		66
		67	/*
		68	+ * If we are allocating a new inode, then check what was returned is
		69	+ * actually a free, empty inode. If we are not allocating an inode,
		70	+ * then check we didn't find a free inode.
		71	+ *
		72	+ * Returns:
		73	+ * 0 if the inode free state matches the lookup context
		74	+ * -ENOENT if the inode is free and we are not allocating
		75	+ * -EFSCORRUPTED if there is any state mismatch at all
		76	+ */
		77	+static int
		78	+xfs_iget_check_free_state(
		79	+ struct xfs_inode *ip,
		80	+ int flags)
		81	+{
		82	+ if (flags & XFS_IGET_CREATE) {
		83	+ /* should be a free inode */
		84	+ if (VFS_I(ip)->i_mode != 0) {
		85	+ xfs_warn(ip->i_mount,
		86	+"Corruption detected! Free inode 0x%llx not marked free! (mode 0x%x)",
		87	+ ip->i_ino, VFS_I(ip)->i_mode);
		88	+ return -EFSCORRUPTED;
		89	+ }
		90	+
		91	+ if (ip->i_d.di_nblocks != 0) {
		92	+ xfs_warn(ip->i_mount,
		93	+"Corruption detected! Free inode 0x%llx has blocks allocated!",
		94	+ ip->i_ino);
		95	+ return -EFSCORRUPTED;
		96	+ }
		97	+ return 0;
		98	+ }
		99	+
		100	+ /* should be an allocated inode */
		101	+ if (VFS_I(ip)->i_mode == 0)
		102	+ return -ENOENT;
		103	+
		104	+ return 0;
		105	+}
		106	+
		107	+/*
		108	* Check the validity of the inode we just found it the cache
		109	*/
		110	static int
		111	@@ -354,12 +394,12 @@ struct xfs_inode *
		112	}
		113
		114	/*
		115	- * If lookup is racing with unlink return an error immediately.
		116	+ * Check the inode free state is valid. This also detects lookup
		117	+ * racing with unlinks.
		118	*/
		119	- if (VFS_I(ip)->i_mode == 0 && !(flags & XFS_IGET_CREATE)) {
		120	- error = -ENOENT;
		121	+ error = xfs_iget_check_free_state(ip, flags);
		122	+ if (error)
		123	goto out_error;
		124	- }
		125
		126	/*
		127	* If IRECLAIMABLE is set, we've torn down the VFS inode already.
		128	@@ -475,10 +515,14 @@ struct xfs_inode *
		129
		130	trace_xfs_iget_miss(ip);
		131
		132	- if ((VFS_I(ip)->i_mode == 0) && !(flags & XFS_IGET_CREATE)) {
		133	- error = -ENOENT;
		134	+
		135	+ /*
		136	+ * Check the inode free state is valid. This also detects lookup
		137	+ * racing with unlinks.
		138	+ */
		139	+ error = xfs_iget_check_free_state(ip, flags);
		140	+ if (error)
		141	goto out_destroy;
		142	- }
		143
		144	/*
		145	* Preload the radix tree so we can insert safely under the
		146	--
		147	1.9.1
		148