xfs: set format back to extents if xfs_bmap_extents_to_btree (CVE-2018-10323)
This commit is contained in:
parent
f78c3b3434
commit
019c1fa6f3
|
@ -21,6 +21,8 @@ linux (4.16.4-1) UNRELEASED; urgency=medium
|
|||
* Revert "ext4: add validity checks for bitmap block numbers", which
|
||||
caused a regression
|
||||
* xfs: enhance dinode verifier (CVE-2018-10322)
|
||||
* xfs: set format back to extents if xfs_bmap_extents_to_btree
|
||||
(CVE-2018-10323)
|
||||
|
||||
[ Vagrant Cascadian ]
|
||||
* [arm64] Add patches to support SATA on Tegra210/Jetson-TX1.
|
||||
|
|
43
debian/patches/bugfix/all/xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
vendored
Normal file
43
debian/patches/bugfix/all/xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
vendored
Normal file
|
@ -0,0 +1,43 @@
|
|||
From: Eric Sandeen <sandeen@redhat.com>
|
||||
Date: Mon, 16 Apr 2018 23:07:27 -0700
|
||||
Subject: xfs: set format back to extents if xfs_bmap_extents_to_btree
|
||||
Origin: https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/commit?id=2c4306f719b083d17df2963bc761777576b8ad1b
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10323
|
||||
|
||||
If xfs_bmap_extents_to_btree fails in a mode where we call
|
||||
xfs_iroot_realloc(-1) to de-allocate the root, set the
|
||||
format back to extents.
|
||||
|
||||
Otherwise we can assume we can dereference ifp->if_broot
|
||||
based on the XFS_DINODE_FMT_BTREE format, and crash.
|
||||
|
||||
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
|
||||
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
|
||||
Reviewed-by: Christoph Hellwig <hch@lst.de>
|
||||
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
|
||||
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
|
||||
---
|
||||
fs/xfs/libxfs/xfs_bmap.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
|
||||
index 6a7c2f03ea11..040eeda8426f 100644
|
||||
--- a/fs/xfs/libxfs/xfs_bmap.c
|
||||
+++ b/fs/xfs/libxfs/xfs_bmap.c
|
||||
@@ -725,12 +725,16 @@ xfs_bmap_extents_to_btree(
|
||||
*logflagsp = 0;
|
||||
if ((error = xfs_alloc_vextent(&args))) {
|
||||
xfs_iroot_realloc(ip, -1, whichfork);
|
||||
+ ASSERT(ifp->if_broot == NULL);
|
||||
+ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
|
||||
xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
|
||||
return error;
|
||||
}
|
||||
|
||||
if (WARN_ON_ONCE(args.fsbno == NULLFSBLOCK)) {
|
||||
xfs_iroot_realloc(ip, -1, whichfork);
|
||||
+ ASSERT(ifp->if_broot == NULL);
|
||||
+ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
|
||||
xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
|
||||
return -ENOSPC;
|
||||
}
|
|
@ -140,6 +140,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/xfs-enhance-dinode-verifier.patch
|
||||
bugfix/all/xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|
Loading…
Reference in New Issue