1 files changed, 54 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-11412-ext4-do-not-allow-external-inodes-for-inline-data.patch b/patches/cve/CVE-2018-11412-ext4-do-not-allow-external-inodes-for-inline-data.patch
new file mode 100644
index 0000000..49a8664
--- /dev/null
+++ b/patches/cve/CVE-2018-11412-ext4-do-not-allow-external-inodes-for-inline-data.patch
@@ -0,0 +1,54 @@
+From e81d371dac30019816a1c5a3a2c4c44bb3c68558 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 22 May 2018 16:15:24 -0400
+Subject: [PATCH] ext4: do not allow external inodes for inline data
+commit 117166efb1ee8f13c38f9e96b258f16d4923f888 upstream.
+The inline data feature was implemented before we added support for
+external inodes for xattrs.  It makes no sense to support that
+combination, but the problem is that there are a number of extended
+attribute checks that are skipped if e_value_inum is non-zero.
+Unfortunately, the inline data code is completely e_value_inum
+unaware, and attempts to interpret the xattr fields as if it were an
+inline xattr --- at which point, Hilarty Ensues.
+This addresses CVE-2018-11412.
+https://bugzilla.kernel.org/show_bug.cgi?id=199803
+CVE: CVE-2018-11412
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=e81d371dac30019816a1c5a3a2c4c44bb3c68558]
+Reported-by: Jann Horn <jannh@google.com>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Fixes: e50e5129f384 ("ext4: xattr-in-inode support")
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/ext4/inline.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index fd9501977f1c..8f5dc243effd 100644
+--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
+@@ -150,6 +150,12 @@ int ext4_find_inline_data_nolock(struct inode *inode)
+                goto out;
+ 
+        if (!is.s.not_found) {
+               if (is.s.here->e_value_inum) {
+                       EXT4_ERROR_INODE(inode, "inline data xattr refers "
+                                        "to an external xattr inode");
+                       error = -EFSCORRUPTED;
+                       goto out;
+               }
+                EXT4_I(inode)->i_inline_off = (u16)((void *)is.s.here -
+                                        (void *)ext4_raw_inode(&is.iloc));
+                EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE +
+-- 
+2.20.1

diff --git a/patches/cve/CVE-2018-11412-ext4-do-not-allow-external-inodes-for-inline-data.patch b/patches/cve/CVE-2018-11412-ext4-do-not-allow-external-inodes-for-inline-data.patch new file mode 100644 index 0000000..49a8664 --- /dev/null +++ b/patches/cve/CVE-2018-11412-ext4-do-not-allow-external-inodes-for-inline-data.patch
@@ -0,0 +1,54 @@
	1	From e81d371dac30019816a1c5a3a2c4c44bb3c68558 Mon Sep 17 00:00:00 2001
	2	From: Theodore Ts'o <tytso@mit.edu>
	3	Date: Tue, 22 May 2018 16:15:24 -0400
	4	Subject: [PATCH] ext4: do not allow external inodes for inline data
	5
	6	commit 117166efb1ee8f13c38f9e96b258f16d4923f888 upstream.
	7
	8	The inline data feature was implemented before we added support for
	9	external inodes for xattrs. It makes no sense to support that
	10	combination, but the problem is that there are a number of extended
	11	attribute checks that are skipped if e_value_inum is non-zero.
	12
	13	Unfortunately, the inline data code is completely e_value_inum
	14	unaware, and attempts to interpret the xattr fields as if it were an
	15	inline xattr --- at which point, Hilarty Ensues.
	16
	17	This addresses CVE-2018-11412.
	18
	19	https://bugzilla.kernel.org/show_bug.cgi?id=199803
	20
	21	CVE: CVE-2018-11412
	22	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=e81d371dac30019816a1c5a3a2c4c44bb3c68558]
	23
	24	Reported-by: Jann Horn <jannh@google.com>
	25	Reviewed-by: Andreas Dilger <adilger@dilger.ca>
	26	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
	27	Fixes: e50e5129f384 ("ext4: xattr-in-inode support")
	28	Cc: stable@kernel.org
	29	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	30	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	31	---
	32	fs/ext4/inline.c \| 6 ++++++
	33	1 file changed, 6 insertions(+)
	34
	35	diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
	36	index fd9501977f1c..8f5dc243effd 100644
	37	--- a/fs/ext4/inline.c
	38	+++ b/fs/ext4/inline.c
	39	@@ -150,6 +150,12 @@ int ext4_find_inline_data_nolock(struct inode *inode)
	40	goto out;
	41
	42	if (!is.s.not_found) {
	43	+ if (is.s.here->e_value_inum) {
	44	+ EXT4_ERROR_INODE(inode, "inline data xattr refers "
	45	+ "to an external xattr inode");
	46	+ error = -EFSCORRUPTED;
	47	+ goto out;
	48	+ }
	49	EXT4_I(inode)->i_inline_off = (u16)((void *)is.s.here -
	50	(void *)ext4_raw_inode(&is.iloc));
	51	EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE +
	52	--
	53	2.20.1
	54