1 files changed, 46 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch b/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
new file mode 100644
index 0000000..80a40d0
--- /dev/null
+++ b/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
@@ -0,0 +1,46 @@
+From 8a9ef17c0dc93def47e17b227ada95c682592a1d Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 16 Jun 2018 15:40:48 -0400
+Subject: [PATCH] ext4: never move the system.data xattr out of the inode body
+commit 8cdb5240ec5928b20490a2bb34cb87e9a5f40226 upstream.
+When expanding the extra isize space, we must never move the
+system.data xattr out of the inode body.  For performance reasons, it
+doesn't make any sense, and the inline data implementation assumes
+that system.data xattr is never in the external xattr block.
+This addresses CVE-2018-10880
+https://bugzilla.kernel.org/show_bug.cgi?id=200005
+CVE: CVE-2018-10880
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=8a9ef17c0dc93def47e17b227ada95c682592a1d]
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/ext4/xattr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
+index 871278eac8ba..e2fa3adb4b7b 100644
+--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
+@@ -2656,6 +2656,11 @@ static int ext4_xattr_make_inode_space(handle_t *handle, struct inode *inode,
+                last = IFIRST(header);
+                /* Find the entry best suited to be pushed into EA block */
+                for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
+                       /* never move system.data out of the inode */
+                       if ((last->e_name_len == 4) &&
+                           (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) &&
+                           !memcmp(last->e_name, "data", 4))
+                               continue;
+                        total_size = EXT4_XATTR_LEN(last->e_name_len);
+                        if (!last->e_value_inum)
+                                total_size += EXT4_XATTR_SIZE(
+-- 
+2.20.1

diff --git a/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch b/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch new file mode 100644 index 0000000..80a40d0 --- /dev/null +++ b/patches/cve/CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
@@ -0,0 +1,46 @@
	1	From 8a9ef17c0dc93def47e17b227ada95c682592a1d Mon Sep 17 00:00:00 2001
	2	From: Theodore Ts'o <tytso@mit.edu>
	3	Date: Sat, 16 Jun 2018 15:40:48 -0400
	4	Subject: [PATCH] ext4: never move the system.data xattr out of the inode body
	5
	6	commit 8cdb5240ec5928b20490a2bb34cb87e9a5f40226 upstream.
	7
	8	When expanding the extra isize space, we must never move the
	9	system.data xattr out of the inode body. For performance reasons, it
	10	doesn't make any sense, and the inline data implementation assumes
	11	that system.data xattr is never in the external xattr block.
	12
	13	This addresses CVE-2018-10880
	14
	15	https://bugzilla.kernel.org/show_bug.cgi?id=200005
	16
	17	CVE: CVE-2018-10880
	18	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=8a9ef17c0dc93def47e17b227ada95c682592a1d]
	19
	20	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
	21	Cc: stable@kernel.org
	22	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	23	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	24	---
	25	fs/ext4/xattr.c \| 5 +++++
	26	1 file changed, 5 insertions(+)
	27
	28	diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
	29	index 871278eac8ba..e2fa3adb4b7b 100644
	30	--- a/fs/ext4/xattr.c
	31	+++ b/fs/ext4/xattr.c
	32	@@ -2656,6 +2656,11 @@ static int ext4_xattr_make_inode_space(handle_t handle, struct inode inode,
	33	last = IFIRST(header);
	34	/* Find the entry best suited to be pushed into EA block */
	35	for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
	36	+ /* never move system.data out of the inode */
	37	+ if ((last->e_name_len == 4) &&
	38	+ (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) &&
	39	+ !memcmp(last->e_name, "data", 4))
	40	+ continue;
	41	total_size = EXT4_XATTR_LEN(last->e_name_len);
	42	if (!last->e_value_inum)
	43	total_size += EXT4_XATTR_SIZE(
	44	--
	45	2.20.1
	46