From fcd9aedd7bace7481289edecdf7cc1a9c74e2924 Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Wed, 22 May 2019 09:50:32 +0200 Subject: ext4: CVE-2018-10840 ext4: correctly handle a zero-length xattr with a non-zero e_value_offs Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-10840 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=21542545990c5aba4b919ac0f8c8ae6a408b49d4 Change-Id: I674565e08afe9331e553847a3d22ad2dda86be57 Signed-off-by: Andreas Wellving --- ...tly-handle-a-zero-length-xattr-with-a-non.patch | 76 ++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 patches/cve/CVE-2018-10840-ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch diff --git a/patches/cve/CVE-2018-10840-ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch b/patches/cve/CVE-2018-10840-ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch new file mode 100644 index 0000000..8a11f48 --- /dev/null +++ b/patches/cve/CVE-2018-10840-ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch 
@@ -0,0 +1,76 @@ +From 21542545990c5aba4b919ac0f8c8ae6a408b49d4 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 23 May 2018 11:31:03 -0400 +Subject: [PATCH] ext4: correctly handle a zero-length xattr with a non-zero + e_value_offs + +commit 8a2b307c21d4b290e3cbe33f768f194286d07c23 upstream. + +Ext4 will always create ext4 extended attributes which do not have a +value (where e_value_size is zero) with e_value_offs set to zero. In +most places e_value_offs will not be used in a substantive way if +e_value_size is zero. + +There was one exception to this, which is in ext4_xattr_set_entry(), +where if there is a maliciously crafted file system where there is an +extended attribute with e_value_offs is non-zero and e_value_size is +0, the attempt to remove this xattr will result in a negative value +getting passed to memmove, leading to the following sadness: + +[ 41.225365] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null) +[ 44.538641] BUG: unable to handle kernel paging request at ffff9ec9a3000000 +[ 44.538733] IP: __memmove+0x81/0x1a0 +[ 44.538755] PGD 1249bd067 P4D 1249bd067 PUD 1249c1067 PMD 80000001230000e1 +[ 44.538793] Oops: 0003 [#1] SMP PTI +[ 44.539074] CPU: 0 PID: 1470 Comm: poc Not tainted 4.16.0-rc1+ #1 + ... +[ 44.539475] Call Trace: +[ 44.539832] ext4_xattr_set_entry+0x9e7/0xf80 + ... +[ 44.539972] ext4_xattr_block_set+0x212/0xea0 + ... +[ 44.540041] ext4_xattr_set_handle+0x514/0x610 +[ 44.540065] ext4_xattr_set+0x7f/0x120 +[ 44.540090] __vfs_removexattr+0x4d/0x60 +[ 44.540112] vfs_removexattr+0x75/0xe0 +[ 44.540132] removexattr+0x4d/0x80 + ... +[ 44.540279] path_removexattr+0x91/0xb0 +[ 44.540300] SyS_removexattr+0xf/0x20 +[ 44.540322] do_syscall_64+0x71/0x120 +[ 44.540344] entry_SYSCALL_64_after_hwframe+0x21/0x86 + +https://bugzilla.kernel.org/show_bug.cgi?id=199347 + +This addresses CVE-2018-10840. 
+ +CVE: CVE-2018-10840 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=21542545990c5aba4b919ac0f8c8ae6a408b49d4] + +Reported-by: "Xu, Wen" +Signed-off-by: Theodore Ts'o +Reviewed-by: Andreas Dilger +Cc: stable@kernel.org +Fixes: dec214d00e0d7 ("ext4: xattr inode deduplication") +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Andreas Wellving +--- + fs/ext4/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index 1718354e6322..ed1cf24a7831 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1687,7 +1687,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, + + /* No failures allowed past this point. */ + +- if (!s->not_found && here->e_value_offs) { ++ if (!s->not_found && here->e_value_size && here->e_value_offs) { + /* Remove the old value. */ + void *first_val = s->base + min_offs; + size_t offs = le16_to_cpu(here->e_value_offs); +-- +2.20.1 +
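Review bot: the new guard in the xattr.c hunk, `+ if (!s->not_found && here->e_value_size && here->e_value_offs) {`, keeps a zero-length value from entering the "Remove the old value" path where the negative length reached memmove, but it does so by silently tolerating an on-disk combination (e_value_size == 0 with a non-zero e_value_offs) that the description says ext4 itself never writes; consider whether that inconsistency should also be rejected by the on-disk xattr entry validation so a crafted image is reported as corrupt rather than quietly skipped, and add a short comment above the condition explaining why the `e_value_size` test is required, since on its own it reads as redundant next to `e_value_offs`. The one-line change otherwise matches the upstream commit 8a2b307c21d4b290e3cbe33f768f194286d07c23 cited in the backport header, and the `Fixes:` tag, `CVE:` line and `Upstream-Status:` link make the provenance of the backport easy to verify.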