diff options
| -rw-r--r-- | patches/cve/4.9.x.scc | 3 | ||||
| -rw-r--r-- | patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch | 48 |
2 files changed, 51 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 18412cb..b4740c7 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc | |||
| @@ -20,6 +20,9 @@ patch CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch | |||
| 20 | #CVEs fixed in 4.9.128: | 20 | #CVEs fixed in 4.9.128: |
| 21 | patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch | 21 | patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch |
| 22 | 22 | ||
| 23 | #CVEs fixed in 4.9.131: | ||
| 24 | patch CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch | ||
| 25 | |||
| 23 | #CVEs fixed in 4.9.138: | 26 | #CVEs fixed in 4.9.138: |
| 24 | patch CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch | 27 | patch CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch |
| 25 | 28 | ||
diff --git a/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch b/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch new file mode 100644 index 0000000..d6220ca --- /dev/null +++ b/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch | |||
| @@ -0,0 +1,48 @@ | |||
| 1 | From 3a282476161c54df1a2ef1ba664c8a3514ef49f4 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Theodore Ts'o <tytso@mit.edu> | ||
| 3 | Date: Sat, 16 Jun 2018 15:40:48 -0400 | ||
| 4 | Subject: [PATCH] ext4: never move the system.data xattr out of the inode body | ||
| 5 | |||
| 6 | commit 8cdb5240ec5928b20490a2bb34cb87e9a5f40226 upstream. | ||
| 7 | |||
| 8 | When expanding the extra isize space, we must never move the | ||
| 9 | system.data xattr out of the inode body. For performance reasons, it | ||
| 10 | doesn't make any sense, and the inline data implementation assumes | ||
| 11 | that system.data xattr is never in the external xattr block. | ||
| 12 | |||
| 13 | This addresses CVE-2018-10880 | ||
| 14 | |||
| 15 | https://bugzilla.kernel.org/show_bug.cgi?id=200005 | ||
| 16 | |||
| 17 | CVE: CVE-2018-10880 | ||
| 18 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=3a282476161c54df1a2ef1ba664c8a3514ef49f4] | ||
| 19 | |||
| 20 | Signed-off-by: Theodore Ts'o <tytso@mit.edu> | ||
| 21 | Cc: stable@kernel.org | ||
| 22 | [groeck: Context changes] | ||
| 23 | Signed-off-by: Guenter Roeck <linux@roeck-us.net> | ||
| 24 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 25 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 26 | --- | ||
| 27 | fs/ext4/xattr.c | 5 +++++ | ||
| 28 | 1 file changed, 5 insertions(+) | ||
| 29 | |||
| 30 | diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c | ||
| 31 | index fdcbe0f2814f..c19c96840480 100644 | ||
| 32 | --- a/fs/ext4/xattr.c | ||
| 33 | +++ b/fs/ext4/xattr.c | ||
| 34 | @@ -1426,6 +1426,11 @@ static int ext4_xattr_make_inode_space(handle_t *handle, struct inode *inode, | ||
| 35 | last = IFIRST(header); | ||
| 36 | /* Find the entry best suited to be pushed into EA block */ | ||
| 37 | for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { | ||
| 38 | + /* never move system.data out of the inode */ | ||
| 39 | + if ((last->e_name_len == 4) && | ||
| 40 | + (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) && | ||
| 41 | + !memcmp(last->e_name, "data", 4)) | ||
| 42 | + continue; | ||
| 43 | total_size = | ||
| 44 | EXT4_XATTR_SIZE(le32_to_cpu(last->e_value_size)) + | ||
| 45 | EXT4_XATTR_LEN(last->e_name_len); | ||
| 46 | -- | ||
| 47 | 2.20.1 | ||
| 48 | |||