1 files changed, 51 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-1092-ext4-fail-ext4_iget-for-root-directory-if-unallocate.patch b/patches/cve/CVE-2018-1092-ext4-fail-ext4_iget-for-root-directory-if-unallocate.patch
new file mode 100644
index 0000000..f685d4e
--- /dev/null
+++ b/patches/cve/CVE-2018-1092-ext4-fail-ext4_iget-for-root-directory-if-unallocate.patch
@@ -0,0 +1,51 @@
+From 8e0e94683f8449f4e83b4b563b80eb9c76b9e18f Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 29 Mar 2018 21:56:09 -0400
+Subject: [PATCH] ext4: fail ext4_iget for root directory if unallocated
+commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 upstream.
+If the root directory has an i_links_count of zero, then when the file
+system is mounted, then when ext4_fill_super() notices the problem and
+tries to call iput() the root directory in the error return path,
+ext4_evict_inode() will try to free the inode on disk, before all of
+the file system structures are set up, and this will result in an OOPS
+caused by a NULL pointer dereference.
+This issue has been assigned CVE-2018-1092.
+https://bugzilla.kernel.org/show_bug.cgi?id=199179
+https://bugzilla.redhat.com/show_bug.cgi?id=1560777
+CVE: CVE-2018-1092
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=8e0e94683f8449f4e83b4b563b80eb9c76b9e18f]
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/ext4/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 69f017e88e89..09014c3c4207 100644
+--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
+@@ -4685,6 +4685,12 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
+                goto bad_inode;
+        raw_inode = ext4_raw_inode(&iloc);
+ 
+       if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
+               EXT4_ERROR_INODE(inode, "root inode unallocated");
+               ret = -EFSCORRUPTED;
+               goto bad_inode;
+       }
+
+        if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
+                ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
+                if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
+-- 
+2.20.1

diff --git a/patches/cve/CVE-2018-1092-ext4-fail-ext4_iget-for-root-directory-if-unallocate.patch b/patches/cve/CVE-2018-1092-ext4-fail-ext4_iget-for-root-directory-if-unallocate.patch new file mode 100644 index 0000000..f685d4e --- /dev/null +++ b/patches/cve/CVE-2018-1092-ext4-fail-ext4_iget-for-root-directory-if-unallocate.patch
@@ -0,0 +1,51 @@
	1	From 8e0e94683f8449f4e83b4b563b80eb9c76b9e18f Mon Sep 17 00:00:00 2001
	2	From: Theodore Ts'o <tytso@mit.edu>
	3	Date: Thu, 29 Mar 2018 21:56:09 -0400
	4	Subject: [PATCH] ext4: fail ext4_iget for root directory if unallocated
	5
	6	commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 upstream.
	7
	8	If the root directory has an i_links_count of zero, then when the file
	9	system is mounted, then when ext4_fill_super() notices the problem and
	10	tries to call iput() the root directory in the error return path,
	11	ext4_evict_inode() will try to free the inode on disk, before all of
	12	the file system structures are set up, and this will result in an OOPS
	13	caused by a NULL pointer dereference.
	14
	15	This issue has been assigned CVE-2018-1092.
	16
	17	https://bugzilla.kernel.org/show_bug.cgi?id=199179
	18	https://bugzilla.redhat.com/show_bug.cgi?id=1560777
	19
	20	CVE: CVE-2018-1092
	21	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=8e0e94683f8449f4e83b4b563b80eb9c76b9e18f]
	22
	23	Reported-by: Wen Xu <wen.xu@gatech.edu>
	24	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
	25	Cc: stable@vger.kernel.org
	26	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	27	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	28	---
	29	fs/ext4/inode.c \| 6 ++++++
	30	1 file changed, 6 insertions(+)
	31
	32	diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
	33	index 69f017e88e89..09014c3c4207 100644
	34	--- a/fs/ext4/inode.c
	35	+++ b/fs/ext4/inode.c
	36	@@ -4685,6 +4685,12 @@ struct inode ext4_iget(struct super_block sb, unsigned long ino)
	37	goto bad_inode;
	38	raw_inode = ext4_raw_inode(&iloc);
	39
	40	+ if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
	41	+ EXT4_ERROR_INODE(inode, "root inode unallocated");
	42	+ ret = -EFSCORRUPTED;
	43	+ goto bad_inode;
	44	+ }
	45	+
	46	if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
	47	ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
	48	if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
	49	--
	50	2.20.1
	51