35 lines
1.3 KiB
Diff
35 lines
1.3 KiB
Diff
From: Theodore Ts'o <tytso@mit.edu>
|
|
Date: Sat, 16 Jun 2018 15:40:48 -0400
|
|
Subject: ext4: never move the system.data xattr out of the inode body
|
|
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=896003d9fd652666080a06411d4238ee6eb4fb76
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10880
|
|
|
|
When expanding the extra isize space, we must never move the
|
|
system.data xattr out of the inode body. For performance reasons, it
|
|
doesn't make any sense, and the inline data implementation assumes
|
|
that system.data xattr is never in the external xattr block.
|
|
|
|
This addresses CVE-2018-10880
|
|
|
|
https://bugzilla.kernel.org/show_bug.cgi?id=200005
|
|
|
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
---
|
|
fs/ext4/xattr.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
--- a/fs/ext4/xattr.c
|
|
+++ b/fs/ext4/xattr.c
|
|
@@ -2657,6 +2657,11 @@ static int ext4_xattr_make_inode_space(h
|
|
last = IFIRST(header);
|
|
/* Find the entry best suited to be pushed into EA block */
|
|
for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
|
|
+ /* never move system.data out of the inode */
|
|
+ if ((last->e_name_len == 4) &&
|
|
+ (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) &&
|
|
+ !memcmp(last->e_name, "data", 4))
|
|
+ continue;
|
|
total_size = EXT4_XATTR_LEN(last->e_name_len);
|
|
if (!last->e_value_inum)
|
|
total_size += EXT4_XATTR_SIZE(
|