1 files changed, 66 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-10878-ext4-always-check-block-group-bounds-in-ext4_init_bl.patch b/patches/cve/CVE-2018-10878-ext4-always-check-block-group-bounds-in-ext4_init_bl.patch
new file mode 100644
index 0000000..f478f61
--- /dev/null
+++ b/patches/cve/CVE-2018-10878-ext4-always-check-block-group-bounds-in-ext4_init_bl.patch
@@ -0,0 +1,66 @@
+From ac48bb9bc0a32f5a4432be1645b57607f8c46aa7 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 13 Jun 2018 23:00:48 -0400
+Subject: [PATCH] ext4: always check block group bounds in
+ ext4_init_block_bitmap()
+commit 819b23f1c501b17b9694325471789e6b5cc2d0d2 upstream.
+Regardless of whether the flex_bg feature is set, we should always
+check to make sure the bits we are setting in the block bitmap are
+within the block group bounds.
+https://bugzilla.kernel.org/show_bug.cgi?id=199865
+CVE: CVE-2018-10878
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=ac48bb9bc0a32f5a4432be1645b57607f8c46aa7]
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/ext4/balloc.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
+index 58db8109defa..3149aee77b6b 100644
+--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
+@@ -184,7 +184,6 @@ static int ext4_init_block_bitmap(struct super_block *sb,
+        unsigned int bit, bit_max;
+        struct ext4_sb_info *sbi = EXT4_SB(sb);
+        ext4_fsblk_t start, tmp;
+-       int flex_bg = 0;
+        struct ext4_group_info *grp;
+ 
+        J_ASSERT_BH(bh, buffer_locked(bh));
+@@ -217,22 +216,19 @@ static int ext4_init_block_bitmap(struct super_block *sb,
+ 
+        start = ext4_group_first_block_no(sb, block_group);
+ 
+-       if (ext4_has_feature_flex_bg(sb))
+-               flex_bg = 1;
+-
+        /* Set bits for block and inode bitmaps, and inode table */
+        tmp = ext4_block_bitmap(sb, gdp);
+-       if (!flex_bg || ext4_block_in_group(sb, tmp, block_group))
+       if (ext4_block_in_group(sb, tmp, block_group))
+                ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
+ 
+        tmp = ext4_inode_bitmap(sb, gdp);
+-       if (!flex_bg || ext4_block_in_group(sb, tmp, block_group))
+       if (ext4_block_in_group(sb, tmp, block_group))
+                ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
+ 
+        tmp = ext4_inode_table(sb, gdp);
+        for (; tmp < ext4_inode_table(sb, gdp) +
+                     sbi->s_itb_per_group; tmp++) {
+-               if (!flex_bg || ext4_block_in_group(sb, tmp, block_group))
+               if (ext4_block_in_group(sb, tmp, block_group))
+                        ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
+        }
+ 
+-- 
+2.20.1

diff --git a/patches/cve/CVE-2018-10878-ext4-always-check-block-group-bounds-in-ext4_init_bl.patch b/patches/cve/CVE-2018-10878-ext4-always-check-block-group-bounds-in-ext4_init_bl.patch new file mode 100644 index 0000000..f478f61 --- /dev/null +++ b/patches/cve/CVE-2018-10878-ext4-always-check-block-group-bounds-in-ext4_init_bl.patch
@@ -0,0 +1,66 @@
	1	From ac48bb9bc0a32f5a4432be1645b57607f8c46aa7 Mon Sep 17 00:00:00 2001
	2	From: Theodore Ts'o <tytso@mit.edu>
	3	Date: Wed, 13 Jun 2018 23:00:48 -0400
	4	Subject: [PATCH] ext4: always check block group bounds in
	5	ext4_init_block_bitmap()
	6
	7	commit 819b23f1c501b17b9694325471789e6b5cc2d0d2 upstream.
	8
	9	Regardless of whether the flex_bg feature is set, we should always
	10	check to make sure the bits we are setting in the block bitmap are
	11	within the block group bounds.
	12
	13	https://bugzilla.kernel.org/show_bug.cgi?id=199865
	14
	15	CVE: CVE-2018-10878
	16	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=ac48bb9bc0a32f5a4432be1645b57607f8c46aa7]
	17
	18	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
	19	Cc: stable@kernel.org
	20	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	21	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	22	---
	23	fs/ext4/balloc.c \| 10 +++-------
	24	1 file changed, 3 insertions(+), 7 deletions(-)
	25
	26	diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
	27	index 58db8109defa..3149aee77b6b 100644
	28	--- a/fs/ext4/balloc.c
	29	+++ b/fs/ext4/balloc.c
	30	@@ -184,7 +184,6 @@ static int ext4_init_block_bitmap(struct super_block *sb,
	31	unsigned int bit, bit_max;
	32	struct ext4_sb_info *sbi = EXT4_SB(sb);
	33	ext4_fsblk_t start, tmp;
	34	- int flex_bg = 0;
	35	struct ext4_group_info *grp;
	36
	37	J_ASSERT_BH(bh, buffer_locked(bh));
	38	@@ -217,22 +216,19 @@ static int ext4_init_block_bitmap(struct super_block *sb,
	39
	40	start = ext4_group_first_block_no(sb, block_group);
	41
	42	- if (ext4_has_feature_flex_bg(sb))
	43	- flex_bg = 1;
	44	-
	45	/* Set bits for block and inode bitmaps, and inode table */
	46	tmp = ext4_block_bitmap(sb, gdp);
	47	- if (!flex_bg \|\| ext4_block_in_group(sb, tmp, block_group))
	48	+ if (ext4_block_in_group(sb, tmp, block_group))
	49	ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
	50
	51	tmp = ext4_inode_bitmap(sb, gdp);
	52	- if (!flex_bg \|\| ext4_block_in_group(sb, tmp, block_group))
	53	+ if (ext4_block_in_group(sb, tmp, block_group))
	54	ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
	55
	56	tmp = ext4_inode_table(sb, gdp);
	57	for (; tmp < ext4_inode_table(sb, gdp) +
	58	sbi->s_itb_per_group; tmp++) {
	59	- if (!flex_bg \|\| ext4_block_in_group(sb, tmp, block_group))
	60	+ if (ext4_block_in_group(sb, tmp, block_group))
	61	ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
	62	}
	63
	64	--
	65	2.20.1
	66