Diffstat (limited to 'recipes-kernel/linux')
-rw-r--r-- | recipes-kernel/linux/linux-intel-rt_4.14.bbappend | 1 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-intel/CVE-2018-13093.patch | 148 |
2 files changed, 149 insertions, 0 deletions
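--- a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
+++ b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
@@ -8,6 +8,7 @@ KENEABRANCH = "intel-4.14"
 SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \
 file://CVE-2018-14734.patch \
 file://CVE-2018-12233.patch \
+file://CVE-2018-13093.patch \
 "
 
 # Debug tools support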
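Review bot: The new `file://CVE-2018-13093.patch \` entry is wired only into the SRC_URI_append of linux-intel-rt_4.14.bbappend, while the patch file itself is stored under the `linux-intel/` directory. If this layer also carries a non-RT linux-intel 4.14 append (not visible in this diffstat), it needs the same line, otherwise that kernel still builds without the XFS inode free-state check. It is also worth confirming from the do_patch log that the entry applies cleanly against the intel-4.14 branch rather than inferring it from the recipe change alone.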
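--- /dev/null
+++ b/recipes-kernel/linux/linux-intel/CVE-2018-13093.patch
@@ -0,0 +1,148 @@
+From c2ae72c4e543148cfb4232617815942f3ad1d37a Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Fri, 23 Mar 2018 10:22:53 -0700
+Subject: [PATCH] xfs: validate cached inodes are free when allocated
+
+commit afca6c5b2595fc44383919fba740c194b0b76aff upstream.
+
+A recent fuzzed filesystem image cached random dcache corruption
+when the reproducer was run. This often showed up as panics in
+lookup_slow() on a null inode->i_ops pointer when doing pathwalks.
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+....
+Call Trace:
+lookup_slow+0x44/0x60
+walk_component+0x3dd/0x9f0
+link_path_walk+0x4a7/0x830
+path_lookupat+0xc1/0x470
+filename_lookup+0x129/0x270
+user_path_at_empty+0x36/0x40
+path_listxattr+0x98/0x110
+SyS_listxattr+0x13/0x20
+do_syscall_64+0xf5/0x280
+entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+but had many different failure modes including deadlocks trying to
+lock the inode that was just allocated or KASAN reports of
+use-after-free violations.
+
+The cause of the problem was a corrupt INOBT on a v4 fs where the
+root inode was marked as free in the inobt record. Hence when we
+allocated an inode, it chose the root inode to allocate, found it in
+the cache and re-initialised it.
+
+We recently fixed a similar inode allocation issue caused by inobt
+record corruption problem in xfs_iget_cache_miss() in commit
+ee457001ed6c ("xfs: catch inode allocation state mismatch
+corruption"). This change adds similar checks to the cache-hit path
+to catch it, and turns the reproducer into a corruption shutdown
+situation.
+
+CVE: CVE-2018-13093
+Upstream-Status: Backport
+
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Signed-Off-By: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+[darrick: fix typos in comment]
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Cc: Eduardo Valentin <eduval@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+fs/xfs/xfs_icache.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++-------
+1 file changed, 51 insertions(+), 7 deletions(-)
+
+diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c
+index 43005fb..544b521 100644
+--- a/fs/xfs/xfs_icache.c
++++ b/fs/xfs/xfs_icache.c
+@@ -306,6 +306,46 @@ struct xfs_inode *
+}
+
+/*
++ * If we are allocating a new inode, then check what was returned is
++ * actually a free, empty inode. If we are not allocating an inode,
++ * then check we didn't find a free inode.
++ *
++ * Returns:
++ * 0 if the inode free state matches the lookup context
++ * -ENOENT if the inode is free and we are not allocating
++ * -EFSCORRUPTED if there is any state mismatch at all
++ */
++static int
++xfs_iget_check_free_state(
++ struct xfs_inode *ip,
++ int flags)
++{
++ if (flags & XFS_IGET_CREATE) {
++ /* should be a free inode */
++ if (VFS_I(ip)->i_mode != 0) {
++ xfs_warn(ip->i_mount,
++"Corruption detected! Free inode 0x%llx not marked free! (mode 0x%x)",
++ ip->i_ino, VFS_I(ip)->i_mode);
++ return -EFSCORRUPTED;
++ }
++
++ if (ip->i_d.di_nblocks != 0) {
++ xfs_warn(ip->i_mount,
++"Corruption detected! Free inode 0x%llx has blocks allocated!",
++ ip->i_ino);
++ return -EFSCORRUPTED;
++ }
++ return 0;
++ }
++
++ /* should be an allocated inode */
++ if (VFS_I(ip)->i_mode == 0)
++ return -ENOENT;
++
++ return 0;
++}
++
++/*
+* Check the validity of the inode we just found it the cache
+*/
+static int
+@@ -354,12 +394,12 @@ struct xfs_inode *
+}
+
+/*
+- * If lookup is racing with unlink return an error immediately.
++ * Check the inode free state is valid. This also detects lookup
++ * racing with unlinks.
+*/
+- if (VFS_I(ip)->i_mode == 0 && !(flags & XFS_IGET_CREATE)) {
+- error = -ENOENT;
++ error = xfs_iget_check_free_state(ip, flags);
++ if (error)
+goto out_error;
+- }
+
+/*
+* If IRECLAIMABLE is set, we've torn down the VFS inode already.
+@@ -475,10 +515,14 @@ struct xfs_inode *
+
+trace_xfs_iget_miss(ip);
+
+- if ((VFS_I(ip)->i_mode == 0) && !(flags & XFS_IGET_CREATE)) {
+- error = -ENOENT;
++
++ /*
++ * Check the inode free state is valid. This also detects lookup
++ * racing with unlinks.
++ */
++ error = xfs_iget_check_free_state(ip, flags);
++ if (error)
+goto out_destroy;
+- }
+
+/*
+* Preload the radix tree so we can insert safely under the
+--
+1.9.1
+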
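Review bot: The `Upstream-Status: Backport` tag in the patch header names no source, so the tag alone does not tie this file to a specific upstream change. The header already carries the upstream commit id, so the tag can read `Upstream-Status: Backport [afca6c5b2595fc44383919fba740c194b0b76aff]`. With that reference in place, checking the embedded fs/xfs/xfs_icache.c hunks against the upstream commit becomes a mechanical comparison. That check matters for a carried security fix, because a silently diverging copy of `xfs_iget_check_free_state()` would be hard to spot later.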