diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2019-05-22 06:03:23 +0200 |
|---|---|---|
| committer | Adrian Mangeac <Adrian.Mangeac@enea.com> | 2019-05-22 11:15:02 +0200 |
| commit | 15562bca35796a4dca667df8a87181ffbeaafa12 (patch) | |
| tree | 57162e5b3e8efb6ea375cdfb38ae31cdd4d945dc | |
| parent | 00ec0744691cc2d8f41538ce04201faa4feac055 (diff) | |
| download | enea-kernel-cache-15562bca35796a4dca667df8a87181ffbeaafa12.tar.gz | |
ext4: CVE-2018-1095
ext4: limit xattr size to INT_MAX
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-1095
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=a57eb14b740e6175aff8b8941bec628403992dfa
Change-Id: I90e88ed42d43abb205c025cc3739a6030adfcb3f
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
| -rw-r--r-- | patches/cve/CVE-2018-1095-ext4-limit-xattr-size-to-INT_MAX.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-1095-ext4-limit-xattr-size-to-INT_MAX.patch b/patches/cve/CVE-2018-1095-ext4-limit-xattr-size-to-INT_MAX.patch new file mode 100644 index 0000000..3725db6 --- /dev/null +++ b/patches/cve/CVE-2018-1095-ext4-limit-xattr-size-to-INT_MAX.patch | |||
| @@ -0,0 +1,59 @@ | |||
| 1 | From a57eb14b740e6175aff8b8941bec628403992dfa Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Eric Biggers <ebiggers@google.com> | ||
| 3 | Date: Thu, 29 Mar 2018 14:31:42 -0400 | ||
| 4 | Subject: [PATCH] ext4: limit xattr size to INT_MAX | ||
| 5 | |||
| 6 | commit ce3fd194fcc6fbdc00ce095a852f22df97baa401 upstream. | ||
| 7 | |||
| 8 | ext4 isn't validating the sizes of xattrs where the value of the xattr | ||
| 9 | is stored in an external inode. This is problematic because | ||
| 10 | ->e_value_size is a u32, but ext4_xattr_get() returns an int. A very | ||
| 11 | large size is misinterpreted as an error code, which ext4_get_acl() | ||
| 12 | translates into a bogus ERR_PTR() for which IS_ERR() returns false, | ||
| 13 | causing a crash. | ||
| 14 | |||
| 15 | Fix this by validating that all xattrs are <= INT_MAX bytes. | ||
| 16 | |||
| 17 | This issue has been assigned CVE-2018-1095. | ||
| 18 | |||
| 19 | https://bugzilla.kernel.org/show_bug.cgi?id=199185 | ||
| 20 | https://bugzilla.redhat.com/show_bug.cgi?id=1560793 | ||
| 21 | |||
| 22 | CVE: CVE-2018-1095 | ||
| 23 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=a57eb14b740e6175aff8b8941bec628403992dfa] | ||
| 24 | |||
| 25 | Reported-by: Wen Xu <wen.xu@gatech.edu> | ||
| 26 | Signed-off-by: Eric Biggers <ebiggers@google.com> | ||
| 27 | Signed-off-by: Theodore Ts'o <tytso@mit.edu> | ||
| 28 | Cc: stable@vger.kernel.org | ||
| 29 | Fixes: e50e5129f384 ("ext4: xattr-in-inode support") | ||
| 30 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 31 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 32 | --- | ||
| 33 | fs/ext4/xattr.c | 9 ++++++--- | ||
| 34 | 1 file changed, 6 insertions(+), 3 deletions(-) | ||
| 35 | |||
| 36 | diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c | ||
| 37 | index 218a7ba57819..5d0f5ba5c6f5 100644 | ||
| 38 | --- a/fs/ext4/xattr.c | ||
| 39 | +++ b/fs/ext4/xattr.c | ||
| 40 | @@ -194,10 +194,13 @@ ext4_xattr_check_entries(struct ext4_xattr_entry *entry, void *end, | ||
| 41 | |||
| 42 | /* Check the values */ | ||
| 43 | while (!IS_LAST_ENTRY(entry)) { | ||
| 44 | - if (entry->e_value_size != 0 && | ||
| 45 | - entry->e_value_inum == 0) { | ||
| 46 | + u32 size = le32_to_cpu(entry->e_value_size); | ||
| 47 | + | ||
| 48 | + if (size > INT_MAX) | ||
| 49 | + return -EFSCORRUPTED; | ||
| 50 | + | ||
| 51 | + if (size != 0 && entry->e_value_inum == 0) { | ||
| 52 | u16 offs = le16_to_cpu(entry->e_value_offs); | ||
| 53 | - u32 size = le32_to_cpu(entry->e_value_size); | ||
| 54 | void *value; | ||
| 55 | |||
| 56 | /* | ||
| 57 | -- | ||
| 58 | 2.20.1 | ||
| 59 | |||