diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2019-05-22 09:56:12 +0200 |
|---|---|---|
| committer | Adrian Mangeac <Adrian.Mangeac@enea.com> | 2019-05-22 11:51:21 +0200 |
| commit | c998841ae1e763fbfa4b00b009114f18146bbe18 (patch) | |
| tree | c637f015f06aa3a97b46dbca2b7f4ea9553357af | |
| parent | fcd9aedd7bace7481289edecdf7cc1a9c74e2924 (diff) | |
| download | enea-kernel-cache-c998841ae1e763fbfa4b00b009114f18146bbe18.tar.gz | |
ext4: CVE-2018-11412
ext4: do not allow external inodes for inline data
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-11412
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=e81d371dac30019816a1c5a3a2c4c44bb3c68558
Change-Id: I99836f3a9cf50408d2644a7935a510e3adcce619
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
| -rw-r--r-- | patches/cve/CVE-2018-11412-ext4-do-not-allow-external-inodes-for-inline-data.patch | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-11412-ext4-do-not-allow-external-inodes-for-inline-data.patch b/patches/cve/CVE-2018-11412-ext4-do-not-allow-external-inodes-for-inline-data.patch new file mode 100644 index 0000000..49a8664 --- /dev/null +++ b/patches/cve/CVE-2018-11412-ext4-do-not-allow-external-inodes-for-inline-data.patch | |||
| @@ -0,0 +1,54 @@ | |||
| 1 | From e81d371dac30019816a1c5a3a2c4c44bb3c68558 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Theodore Ts'o <tytso@mit.edu> | ||
| 3 | Date: Tue, 22 May 2018 16:15:24 -0400 | ||
| 4 | Subject: [PATCH] ext4: do not allow external inodes for inline data | ||
| 5 | |||
| 6 | commit 117166efb1ee8f13c38f9e96b258f16d4923f888 upstream. | ||
| 7 | |||
| 8 | The inline data feature was implemented before we added support for | ||
| 9 | external inodes for xattrs. It makes no sense to support that | ||
| 10 | combination, but the problem is that there are a number of extended | ||
| 11 | attribute checks that are skipped if e_value_inum is non-zero. | ||
| 12 | |||
| 13 | Unfortunately, the inline data code is completely e_value_inum | ||
| 14 | unaware, and attempts to interpret the xattr fields as if it were an | ||
| 15 | inline xattr --- at which point, Hilarty Ensues. | ||
| 16 | |||
| 17 | This addresses CVE-2018-11412. | ||
| 18 | |||
| 19 | https://bugzilla.kernel.org/show_bug.cgi?id=199803 | ||
| 20 | |||
| 21 | CVE: CVE-2018-11412 | ||
| 22 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=e81d371dac30019816a1c5a3a2c4c44bb3c68558] | ||
| 23 | |||
| 24 | Reported-by: Jann Horn <jannh@google.com> | ||
| 25 | Reviewed-by: Andreas Dilger <adilger@dilger.ca> | ||
| 26 | Signed-off-by: Theodore Ts'o <tytso@mit.edu> | ||
| 27 | Fixes: e50e5129f384 ("ext4: xattr-in-inode support") | ||
| 28 | Cc: stable@kernel.org | ||
| 29 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 30 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 31 | --- | ||
| 32 | fs/ext4/inline.c | 6 ++++++ | ||
| 33 | 1 file changed, 6 insertions(+) | ||
| 34 | |||
| 35 | diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c | ||
| 36 | index fd9501977f1c..8f5dc243effd 100644 | ||
| 37 | --- a/fs/ext4/inline.c | ||
| 38 | +++ b/fs/ext4/inline.c | ||
| 39 | @@ -150,6 +150,12 @@ int ext4_find_inline_data_nolock(struct inode *inode) | ||
| 40 | goto out; | ||
| 41 | |||
| 42 | if (!is.s.not_found) { | ||
| 43 | + if (is.s.here->e_value_inum) { | ||
| 44 | + EXT4_ERROR_INODE(inode, "inline data xattr refers " | ||
| 45 | + "to an external xattr inode"); | ||
| 46 | + error = -EFSCORRUPTED; | ||
| 47 | + goto out; | ||
| 48 | + } | ||
| 49 | EXT4_I(inode)->i_inline_off = (u16)((void *)is.s.here - | ||
| 50 | (void *)ext4_raw_inode(&is.iloc)); | ||
| 51 | EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE + | ||
| 52 | -- | ||
| 53 | 2.20.1 | ||
| 54 | |||