diff options
| -rw-r--r-- | patches/cve/4.14.x.scc | 1 | ||||
| -rw-r--r-- | patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch | 54 |
2 files changed, 55 insertions, 0 deletions
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index f0ed95a..f47c792 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc | |||
| @@ -9,3 +9,4 @@ patch CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch | |||
| 9 | patch CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch | 9 | patch CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch |
| 10 | patch CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch | 10 | patch CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch |
| 11 | patch CVE-2018-14614-f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch | 11 | patch CVE-2018-14614-f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch |
| 12 | patch CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch | ||
diff --git a/patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch b/patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch new file mode 100644 index 0000000..7b5e78f --- /dev/null +++ b/patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch | |||
| @@ -0,0 +1,54 @@ | |||
| 1 | From cb7ccb9924bb3596f211badf0d2becf131a979cd Mon Sep 17 00:00:00 2001 | ||
| 2 | From: "Darrick J. Wong" <darrick.wong@oracle.com> | ||
| 3 | Date: Tue, 17 Apr 2018 19:10:15 -0700 | ||
| 4 | Subject: [PATCH] xfs: don't fail when converting shortform attr to long form | ||
| 5 | during ATTR_REPLACE | ||
| 6 | |||
| 7 | commit 7b38460dc8e4eafba06c78f8e37099d3b34d473c upstream. | ||
| 8 | |||
| 9 | Kanda Motohiro reported that expanding a tiny xattr into a large xattr | ||
| 10 | fails on XFS because we remove the tiny xattr from a shortform fork and | ||
| 11 | then try to re-add it after converting the fork to extents format having | ||
| 12 | not removed the ATTR_REPLACE flag. This fails because the attr is no | ||
| 13 | longer present, causing a fs shutdown. | ||
| 14 | |||
| 15 | This is derived from the patch in his bug report, but we really | ||
| 16 | shouldn't ignore a nonzero retval from the remove call. | ||
| 17 | |||
| 18 | CVE: CVE-2018-18690 | ||
| 19 | Upstream-Status: Backport | ||
| 20 | |||
| 21 | Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199119 | ||
| 22 | Reported-by: kanda.motohiro@gmail.com | ||
| 23 | Reviewed-by: Dave Chinner <dchinner@redhat.com> | ||
| 24 | Reviewed-by: Christoph Hellwig <hch@lst.de> | ||
| 25 | Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> | ||
| 26 | Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> | ||
| 27 | Signed-off-by: Sasha Levin <sashal@kernel.org> | ||
| 28 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 29 | --- | ||
| 30 | fs/xfs/libxfs/xfs_attr.c | 9 ++++++++- | ||
| 31 | 1 file changed, 8 insertions(+), 1 deletion(-) | ||
| 32 | |||
| 33 | diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c | ||
| 34 | index 6249c92671de..ea66f04f46f7 100644 | ||
| 35 | --- a/fs/xfs/libxfs/xfs_attr.c | ||
| 36 | +++ b/fs/xfs/libxfs/xfs_attr.c | ||
| 37 | @@ -501,7 +501,14 @@ xfs_attr_shortform_addname(xfs_da_args_t *args) | ||
| 38 | if (args->flags & ATTR_CREATE) | ||
| 39 | return retval; | ||
| 40 | retval = xfs_attr_shortform_remove(args); | ||
| 41 | - ASSERT(retval == 0); | ||
| 42 | + if (retval) | ||
| 43 | + return retval; | ||
| 44 | + /* | ||
| 45 | + * Since we have removed the old attr, clear ATTR_REPLACE so | ||
| 46 | + * that the leaf format add routine won't trip over the attr | ||
| 47 | + * not being around. | ||
| 48 | + */ | ||
| 49 | + args->flags &= ~ATTR_REPLACE; | ||
| 50 | } | ||
| 51 | |||
| 52 | if (args->namelen >= XFS_ATTR_SF_ENTSIZE_MAX || | ||
| 53 | -- | ||
| 54 | 2.19.2 | ||