From: Greg Hackmann <ghackmann@android.com>
To: stable@vger.kernel.org
Cc: Theodore Ts'o <tytso@mit.edu>,
Ben Hutchings <ben@decadent.org.uk>,
Greg Hackmann <ghackmann@google.com>
Subject: [PATCH 3.18.y 07/10] ext4: never move the system.data xattr out of the inode body
Date: Thu, 4 Oct 2018 10:53:17 -0700
Message-ID: <20181004175320.181881-8-ghackmann@google.com>
In-Reply-To: <20181004175320.181881-1-ghackmann@google.com>

From: Theodore Ts'o <tytso@mit.edu>

commit 8cdb5240ec5928b20490a2bb34cb87e9a5f40226 upstream.

When expanding the extra isize space, we must never move the
system.data xattr out of the inode body. For performance reasons, it
doesn't make any sense, and the inline data implementation assumes
that system.data xattr is never in the external xattr block.

This addresses CVE-2018-10880

https://bugzilla.kernel.org/show_bug.cgi?id=200005

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Hackmann <ghackmann@google.com>
---
fs/ext4/xattr.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index bb4faf2d0c5c..5f67ef828ccd 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1391,6 +1391,11 @@ retry:
/* Find the entry best suited to be pushed into EA block */
entry = NULL;
for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
+ /* never move system.data out of the inode */
+ if ((last->e_name_len == 4) &&
+ (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) &&
+ !memcmp(last->e_name, "data", 4))
+ continue;
total_size =
EXT4_XATTR_SIZE(le32_to_cpu(last->e_value_size)) +
EXT4_XATTR_LEN(last->e_name_len);
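Review bot: With the new `continue` at the top of the loop, an inode whose only in-body entry is system.data (or whose other entries are all unsuitable) leaves `entry` at the NULL assigned just above the loop, and the hunk does not show what the code after the loop does in that case. It is worth confirming in the 3.18.y tree that the post-loop path returns an error rather than dereferencing `entry` or retrying indefinitely via the `retry:` label, since this backport only "adjusts context" and that path may differ from upstream. As a smaller style point, the test repeats the literal "data" and its length 4 in two places; a named constant or a small helper such as an is-system-data predicate would keep the string and length in sync and make the same check reusable elsewhere in the xattr code. The backport tag in the message also names 3.16 while the subject targets 3.18.y, so a one-line note saying whether any 3.18-specific adjustment was needed would help stable reviewers.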
--
2.19.0.605.g01d371f741-goog