Message ID | 20180706053329.23440-3-khalid.elmously@canonical.com |
---|---|
State | New |
Series | Fix for CVE-2018-10323 |
On 07/06/18 07:33, Khalid Elmously wrote: > From: Eric Sandeen <sandeen@redhat.com> > > CVE-2018-10323 > > If xfs_bmap_extents_to_btree fails in a mode where we call > xfs_iroot_realloc(-1) to de-allocate the root, set the > format back to extents. > > Otherwise we can assume we can dereference ifp->if_broot > based on the XFS_DINODE_FMT_BTREE format, and crash. > > Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423 > Signed-off-by: Eric Sandeen <sandeen@redhat.com> > Reviewed-by: Christoph Hellwig <hch@lst.de> > Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com> > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> > (backported from 2c4306f719b083d17df2963bc761777576b8ad1b) > Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com> > --- > fs/xfs/xfs_bmap.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c > index 6beb7a93a0e9..41013924bdcd 100644 > --- a/fs/xfs/xfs_bmap.c > +++ b/fs/xfs/xfs_bmap.c > @@ -823,6 +823,8 @@ xfs_bmap_extents_to_btree( > *logflagsp = 0; > if ((error = xfs_alloc_vextent(&args))) { > xfs_iroot_realloc(ip, -1, whichfork); > + ASSERT(ifp->if_broot == NULL); > + XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS); > xfs_btree_del_cursor(cur, XFS_BTREE_ERROR); > return error; > } > The backport looks correct. Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
On 07/06/18 07:33, Khalid Elmously wrote: > From: Eric Sandeen <sandeen@redhat.com> > > CVE-2018-10323 > > If xfs_bmap_extents_to_btree fails in a mode where we call > xfs_iroot_realloc(-1) to de-allocate the root, set the > format back to extents. > > Otherwise we can assume we can dereference ifp->if_broot > based on the XFS_DINODE_FMT_BTREE format, and crash. > > Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423 > Signed-off-by: Eric Sandeen <sandeen@redhat.com> > Reviewed-by: Christoph Hellwig <hch@lst.de> > Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com> > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> > (backported from 2c4306f719b083d17df2963bc761777576b8ad1b) > Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com> > --- > fs/xfs/xfs_bmap.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c > index 6beb7a93a0e9..41013924bdcd 100644 > --- a/fs/xfs/xfs_bmap.c > +++ b/fs/xfs/xfs_bmap.c > @@ -823,6 +823,8 @@ xfs_bmap_extents_to_btree( > *logflagsp = 0; > if ((error = xfs_alloc_vextent(&args))) { > xfs_iroot_realloc(ip, -1, whichfork); > + ASSERT(ifp->if_broot == NULL); > + XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS); > xfs_btree_del_cursor(cur, XFS_BTREE_ERROR); > return error; > } > Applied to trusty/master-next branch. Thanks, Kleber
diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c index 6beb7a93a0e9..41013924bdcd 100644 --- a/fs/xfs/xfs_bmap.c +++ b/fs/xfs/xfs_bmap.c @@ -823,6 +823,8 @@ xfs_bmap_extents_to_btree( *logflagsp = 0; if ((error = xfs_alloc_vextent(&args))) { xfs_iroot_realloc(ip, -1, whichfork); + ASSERT(ifp->if_broot == NULL); + XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS); xfs_btree_del_cursor(cur, XFS_BTREE_ERROR); return error; }
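Review bot: In the xfs_alloc_vextent() failure branch, the added ASSERT(ifp->if_broot == NULL) is only evaluated on debug builds, so on production kernels the fix rests entirely on the XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS) line after it, and neither line carries a comment saying why. Please add a short comment above the pair noting that xfs_iroot_realloc(ip, -1, whichfork) has just freed the root, so the fork format has to go back to extents before returning. Otherwise a later reader may treat the reset as redundant cleanup and drop it. Since this is a backport and the assignment of ifp is outside the visible context, it is also worth confirming that ifp in this tree is the fork pointer for whichfork at this point, so the assertion checks the same fork whose format is being reset.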