xfs: CVE-2018-18690

xfs: don't fail when converting shortform attr to long form during
ATTR_REPLACE

References:
https://nvd.nist.gov/vuln/detail/CVE-2018-18690
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=4ec44e98ab08c704d0ff1a35a21a0682a5562a27

Change-Id: Ic58d7bf2b31d45dcfa68a0d092b22d02d8065fdc
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>

2 files changed, 58 insertions, 0 deletions

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 8e6776b..9665d3f 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -57,3 +57,6 @@ patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
 
 #CVEs fixed in 4.9.138:
 patch CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch
+
+#CVEs fixed in 4.9.144:
+patch CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch
diff --git a/patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch b/patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch
new file mode 100644
index 0000000..ca65d82
--- /dev/null
+++ b/patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch
@@ -0,0 +1,55 @@
+From 4ec44e98ab08c704d0ff1a35a21a0682a5562a27 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 17 Apr 2018 19:10:15 -0700
+Subject: [PATCH] xfs: don't fail when converting shortform attr to long form
+ during ATTR_REPLACE
+
+commit 7b38460dc8e4eafba06c78f8e37099d3b34d473c upstream.
+
+Kanda Motohiro reported that expanding a tiny xattr into a large xattr
+fails on XFS because we remove the tiny xattr from a shortform fork and
+then try to re-add it after converting the fork to extents format having
+not removed the ATTR_REPLACE flag.  This fails because the attr is no
+longer present, causing a fs shutdown.
+
+This is derived from the patch in his bug report, but we really
+shouldn't ignore a nonzero retval from the remove call.
+
+CVE: CVE-2018-18690
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=4ec44e98ab08c704d0ff1a35a21a0682a5562a27]
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199119
+Reported-by: kanda.motohiro@gmail.com
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/xfs/libxfs/xfs_attr.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c
+index 6622d46ddec3..9687208c676f 100644
+--- a/fs/xfs/libxfs/xfs_attr.c
++++ b/fs/xfs/libxfs/xfs_attr.c
+@@ -487,7 +487,14 @@ xfs_attr_shortform_addname(xfs_da_args_t *args)
+                if (args->flags & ATTR_CREATE)
+                        return retval;
+                retval = xfs_attr_shortform_remove(args);
+-               ASSERT(retval == 0);
++               if (retval)
++                       return retval;
++               /*
++                * Since we have removed the old attr, clear ATTR_REPLACE so
++                * that the leaf format add routine won't trip over the attr
++                * not being around.
++                */
++               args->flags &= ~ATTR_REPLACE;
+        }
+ 
+        if (args->namelen >= XFS_ATTR_SF_ENTSIZE_MAX ||
+-- 
+2.20.1
+