From 8d25e929eabad84e7e05366d2c18c58030875fdf Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 25 Jun 2018 23:59:59 +0100 Subject: [PATCH] ext4: do not allow external inodes for inline data (CVE-2018-11412) Plus the related fix "ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget()". --- debian/changelog | 2 + ...rs-from-ext4_find_inline_data_nolock.patch | 61 +++++++++++++++++++ ...llow-external-inodes-for-inline-data.patch | 43 +++++++++++++ debian/patches/series | 2 + 4 files changed, 108 insertions(+) create mode 100644 debian/patches/bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch create mode 100644 debian/patches/bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch diff --git a/debian/changelog b/debian/changelog index 02e15c2b4..cf9b597da 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,6 +14,8 @@ linux (4.17.2-1) UNRELEASED; urgency=medium * vhost: fix info leak due to uninitialized memory (CVE-2018-1118) * ext4: correctly handle a zero-length xattr with a non-zero e_value_offs (CVE-2018-10840) + * ext4: do not allow external inodes for inline data (CVE-2018-11412) + * ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() [ Romain Perier ] * [x86] Enable DCN 1.0 Raven family (Closes #901349) diff --git a/debian/patches/bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch b/debian/patches/bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch new file mode 100644 index 000000000..33dbe382e --- /dev/null +++ b/debian/patches/bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch @@ -0,0 +1,61 @@ +From: Theodore Ts'o +Date: Tue, 22 May 2018 17:14:07 -0400 +Subject: ext4: bubble errors from ext4_find_inline_data_nolock() up to + ext4_iget() +Origin: https://git.kernel.org/linus/eb9b5f01c33adebc31cbc236c02695f605b0e417 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-11412 + +If ext4_find_inline_data_nolock() returns an error it needs to get +reflected up to ext4_iget(). In order to fix this, +ext4_iget_extra_inode() needs to return an error (and not return +void). + +This is related to "ext4: do not allow external inodes for inline +data" (which fixes CVE-2018-11412) in that in the errors=continue +case, it would be useful to for userspace to receive an error +indicating that file system is corrupted. + +Signed-off-by: Theodore Ts'o +Reviewed-by: Andreas Dilger +Cc: stable@kernel.org +--- + fs/ext4/inode.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4701,19 +4701,21 @@ static blkcnt_t ext4_inode_blocks(struct + } + } + +-static inline void ext4_iget_extra_inode(struct inode *inode, ++static inline int ext4_iget_extra_inode(struct inode *inode, + struct ext4_inode *raw_inode, + struct ext4_inode_info *ei) + { + __le32 *magic = (void *)raw_inode + + EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize; ++ + if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize + sizeof(__le32) <= + EXT4_INODE_SIZE(inode->i_sb) && + *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) { + ext4_set_inode_state(inode, EXT4_STATE_XATTR); +- ext4_find_inline_data_nolock(inode); ++ return ext4_find_inline_data_nolock(inode); + } else + EXT4_I(inode)->i_inline_off = 0; ++ return 0; + } + + int ext4_get_projid(struct inode *inode, kprojid_t *projid) +@@ -4893,7 +4895,9 @@ struct inode *ext4_iget(struct super_blo + ei->i_extra_isize = sizeof(struct ext4_inode) - + EXT4_GOOD_OLD_INODE_SIZE; + } else { +- ext4_iget_extra_inode(inode, raw_inode, ei); ++ ret = ext4_iget_extra_inode(inode, raw_inode, ei); ++ if (ret) ++ goto bad_inode; + } + } + diff --git a/debian/patches/bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch b/debian/patches/bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch new file mode 100644 index 000000000..bb65b21b0 --- /dev/null +++ b/debian/patches/bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch @@ -0,0 +1,43 @@ +From: Theodore Ts'o +Date: Tue, 22 May 2018 16:15:24 -0400 +Subject: ext4: do not allow external inodes for inline data +Origin: https://git.kernel.org/linus/117166efb1ee8f13c38f9e96b258f16d4923f888 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-11412 + +The inline data feature was implemented before we added support for +external inodes for xattrs. It makes no sense to support that +combination, but the problem is that there are a number of extended +attribute checks that are skipped if e_value_inum is non-zero. + +Unfortunately, the inline data code is completely e_value_inum +unaware, and attempts to interpret the xattr fields as if it were an +inline xattr --- at which point, Hilarty Ensues. + +This addresses CVE-2018-11412. + +https://bugzilla.kernel.org/show_bug.cgi?id=199803 + +Reported-by: Jann Horn +Reviewed-by: Andreas Dilger +Signed-off-by: Theodore Ts'o +Fixes: e50e5129f384 ("ext4: xattr-in-inode support") +Cc: stable@kernel.org +--- + fs/ext4/inline.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -144,6 +144,12 @@ int ext4_find_inline_data_nolock(struct + goto out; + + if (!is.s.not_found) { ++ if (is.s.here->e_value_inum) { ++ EXT4_ERROR_INODE(inode, "inline data xattr refers " ++ "to an external xattr inode"); ++ error = -EFSCORRUPTED; ++ goto out; ++ } + EXT4_I(inode)->i_inline_off = (u16)((void *)is.s.here - + (void *)ext4_raw_inode(&is.iloc)); + EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE + diff --git a/debian/patches/series b/debian/patches/series index 41ae67cb2..b3fa76dbc 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -127,6 +127,8 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch +bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch +bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch