ext4: correctly handle a zero-length xattr with a non-zero e_value_offs (CVE-2018-10840)
This commit is contained in:
parent 43505297af
commit 5e4f042d2f
@ -12,6 +12,8 @@ linux (4.17.2-1) UNRELEASED; urgency=medium
* Set ABI to 1
* [x86,arm64] Disable code signing for upload to unstable
* vhost: fix info leak due to uninitialized memory (CVE-2018-1118)
* ext4: correctly handle a zero-length xattr with a non-zero e_value_offs
(CVE-2018-10840)

[ Romain Perier ]
* [x86] Enable DCN 1.0 Raven family (Closes #901349)

debian/patches/bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch (65 lines, vendored, normal file)
@ -0,0 +1,65 @@
From: Theodore Ts'o <tytso@mit.edu>
Date: Wed, 23 May 2018 11:31:03 -0400
Subject: ext4: correctly handle a zero-length xattr with a non-zero
e_value_offs
Origin: https://git.kernel.org/linus/8a2b307c21d4b290e3cbe33f768f194286d07c23
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10840

Ext4 will always create ext4 extended attributes which do not have a
value (where e_value_size is zero) with e_value_offs set to zero. In
most places e_value_offs will not be used in a substantive way if
e_value_size is zero.

There was one exception to this, which is in ext4_xattr_set_entry(),
where if there is a maliciously crafted file system where there is an
extended attribute with e_value_offs is non-zero and e_value_size is
0, the attempt to remove this xattr will result in a negative value
getting passed to memmove, leading to the following sadness:

[ 41.225365] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[ 44.538641] BUG: unable to handle kernel paging request at ffff9ec9a3000000
[ 44.538733] IP: __memmove+0x81/0x1a0
[ 44.538755] PGD 1249bd067 P4D 1249bd067 PUD 1249c1067 PMD 80000001230000e1
[ 44.538793] Oops: 0003 [#1] SMP PTI
[ 44.539074] CPU: 0 PID: 1470 Comm: poc Not tainted 4.16.0-rc1+ #1
...
[ 44.539475] Call Trace:
[ 44.539832] ext4_xattr_set_entry+0x9e7/0xf80
...
[ 44.539972] ext4_xattr_block_set+0x212/0xea0
...
[ 44.540041] ext4_xattr_set_handle+0x514/0x610
[ 44.540065] ext4_xattr_set+0x7f/0x120
[ 44.540090] __vfs_removexattr+0x4d/0x60
[ 44.540112] vfs_removexattr+0x75/0xe0
[ 44.540132] removexattr+0x4d/0x80
...
[ 44.540279] path_removexattr+0x91/0xb0
[ 44.540300] SyS_removexattr+0xf/0x20
[ 44.540322] do_syscall_64+0x71/0x120
[ 44.540344] entry_SYSCALL_64_after_hwframe+0x21/0x86

https://bugzilla.kernel.org/show_bug.cgi?id=199347

This addresses CVE-2018-10840.

Reported-by: "Xu, Wen" <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
Fixes: dec214d00e0d7 ("ext4: xattr inode deduplication")
---
fs/ext4/xattr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1688,7 +1688,7 @@ static int ext4_xattr_set_entry(struct e

/* No failures allowed past this point. */

- if (!s->not_found && here->e_value_offs) {
+ if (!s->not_found && here->e_value_size && here->e_value_offs) {
/* Remove the old value. */
void *first_val = s->base + min_offs;
size_t offs = le16_to_cpu(here->e_value_offs);

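Review bot: the added guard `+ if (!s->not_found && here->e_value_size && here->e_value_offs) {` closes only the removal path in ext4_xattr_set_entry(), whereas the commit message states that ext4 never writes an entry with e_value_size == 0 and a non-zero e_value_offs and that "most places" merely happen not to use e_value_offs in that case. Because the trigger is a crafted on-disk image, it is worth asking whether that invariant should also be rejected where the xattr block or in-inode xattr area is validated on read, so every consumer of e_value_offs is covered rather than this one call site; that would be an upstream follow-up, not a change to this backport, which carries the upstream commit from `Origin:` verbatim together with the `Fixes:` and `Cc: stable@kernel.org` tags needed for tracking.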
@ -126,6 +126,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch
bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch

# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch