From f78c3b34345f0a849f5a6f410cb492917531b838 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Wed, 25 Apr 2018 21:22:21 +0100
Subject: [PATCH] xfs: enhance dinode verifier (CVE-2018-10322)
---
 debian/changelog | 1 +
 .../all/xfs-enhance-dinode-verifier.patch | 68 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 70 insertions(+)
 create mode 100644 debian/patches/bugfix/all/xfs-enhance-dinode-verifier.patch
diff --git a/debian/changelog b/debian/changelog
index b5c14ea4a..2197768c6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -20,6 +20,7 @@ linux (4.16.4-1) UNRELEASED; urgency=medium
 * debian/lib/python/debian_linux/debian.py: Fix binNMU revision parsing
 * Revert "ext4: add validity checks for bitmap block numbers", which caused a regression
+ * xfs: enhance dinode verifier (CVE-2018-10322)
 [ Vagrant Cascadian ]
 * [arm64] Add patches to support SATA on Tegra210/Jetson-TX1.
diff --git a/debian/patches/bugfix/all/xfs-enhance-dinode-verifier.patch b/debian/patches/bugfix/all/xfs-enhance-dinode-verifier.patch
new file mode 100644
index 000000000..7a860f4be
--- /dev/null
+++ b/debian/patches/bugfix/all/xfs-enhance-dinode-verifier.patch
@@ -0,0 +1,68 @@
+From: Eric Sandeen
+Date: Mon, 16 Apr 2018 23:06:53 -0700
+Subject: xfs: enhance dinode verifier
+Origin: https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/commit?id=b42db0860e13067fcc7cbfba3966c9e652668bbc
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10322
+
+Add several more validations to xfs_dinode_verify:
+
+- For LOCAL data fork formats, di_nextents must be 0.
+- For LOCAL attr fork formats, di_anextents must be 0.
+- For inodes with no attr fork offset,
+ - format must be XFS_DINODE_FMT_EXTENTS if set at all
+ - di_anextents must be 0.
+
+Thanks to dchinner for pointing out a couple related checks I had
+forgotten to add.
+
+Signed-off-by: Eric Sandeen
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199377
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+---
+ fs/xfs/libxfs/xfs_inode_buf.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/fs/xfs/libxfs/xfs_inode_buf.c
++++ b/fs/xfs/libxfs/xfs_inode_buf.c
+@@ -458,6 +458,8 @@ xfs_dinode_verify(
+ return __this_address;
+ if (di_size > XFS_DFORK_DSIZE(dip, mp))
+ return __this_address;
++ if (dip->di_nextents)
++ return __this_address;
+ /* fall through */
+ case XFS_DINODE_FMT_EXTENTS:
+ case XFS_DINODE_FMT_BTREE:
+@@ -476,12 +478,31 @@ xfs_dinode_verify(
+ if (XFS_DFORK_Q(dip)) {
+ switch (dip->di_aformat) {
+ case XFS_DINODE_FMT_LOCAL:
++ if (dip->di_anextents)
++ return __this_address;
++ /* fall through */
+ case XFS_DINODE_FMT_EXTENTS:
+ case XFS_DINODE_FMT_BTREE:
+ break;
+ default:
+ return __this_address;
+ }
++ } else {
++ /*
++ * If there is no fork offset, this may be a freshly-made inode
++ * in a new disk cluster, in which case di_aformat is zeroed.
++ * Otherwise, such an inode must be in EXTENTS format; this goes
++ * for freed inodes as well.
++ */
++ switch (dip->di_aformat) {
++ case 0:
++ case XFS_DINODE_FMT_EXTENTS:
++ break;
++ default:
++ return __this_address;
++ }
++ if (dip->di_anextents)
++ return __this_address;
+ }
+
+ /* only version 3 or greater inodes are extensively verified here */
diff --git a/debian/patches/series b/debian/patches/series
index 27f88c389..0cb520984 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -139,6 +139,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
+bugfix/all/xfs-enhance-dinode-verifier.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
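Review bot: In the second embedded hunk of xfs_dinode_verify, the attr-fork switch still sends `XFS_DINODE_FMT_EXTENTS` and `XFS_DINODE_FMT_BTREE` straight to `break`, so only the LOCAL format gets an extent-count check; as far as these hunks show, `di_anextents` (and `di_nextents` in the first hunk) is not bounded against what the fork can hold for those formats, which matters because this verifier is the gate for on-disk inodes read from a corrupted or crafted image. The function begins and ends outside both hunks, so that bound may be enforced elsewhere and should be confirmed before treating the CVE-2018-10322 case as the only one reachable. In the new `else` branch the bare `case 0:` has the same value as the first member of the dinode format enum (`XFS_DINODE_FMT_DEV`, if I read the enum order correctly), so I would put a short comment on the label, e.g. `case 0: /* zeroed di_aformat on a never-initialised inode, not FMT_DEV */`, to keep a later reader from widening it.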