Message ID | 1542677470-16021-2-git-send-email-tyhicks@canonical.com |
---|---|
State | New |
Series | CVE-2018-18690 - Denial of service in XFS |
On 20.11.18 02:31, Tyler Hicks wrote: > From: "Darrick J. Wong" <darrick.wong@oracle.com> > > Kanda Motohiro reported that expanding a tiny xattr into a large xattr > fails on XFS because we remove the tiny xattr from a shortform fork and > then try to re-add it after converting the fork to extents format having > not removed the ATTR_REPLACE flag. This fails because the attr is no > longer present, causing a fs shutdown. > > This is derived from the patch in his bug report, but we really > shouldn't ignore a nonzero retval from the remove call. > > Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199119 > Reported-by: kanda.motohiro@gmail.com > Reviewed-by: Dave Chinner <dchinner@redhat.com> > Reviewed-by: Christoph Hellwig <hch@lst.de> > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> > > CVE-2018-18690 > > (cherry picked from commit 7b38460dc8e4eafba06c78f8e37099d3b34d473c) > Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > fs/xfs/libxfs/xfs_attr.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c > index a76914db72ef..e4265db08e4b 100644 > --- a/fs/xfs/libxfs/xfs_attr.c > +++ b/fs/xfs/libxfs/xfs_attr.c > @@ -511,7 +511,14 @@ xfs_attr_shortform_addname(xfs_da_args_t *args) > if (args->flags & ATTR_CREATE) > return retval; > retval = xfs_attr_shortform_remove(args); > - ASSERT(retval == 0); > + if (retval) > + return retval; > + /* > + * Since we have removed the old attr, clear ATTR_REPLACE so > + * that the leaf format add routine won't trip over the attr > + * not being around. > + */ > + args->flags &= ~ATTR_REPLACE; > } > > if (args->namelen >= XFS_ATTR_SF_ENTSIZE_MAX || >
On 2018-11-20 01:31:10 , Tyler Hicks wrote: > From: "Darrick J. Wong" <darrick.wong@oracle.com> > > Kanda Motohiro reported that expanding a tiny xattr into a large xattr > fails on XFS because we remove the tiny xattr from a shortform fork and > then try to re-add it after converting the fork to extents format having > not removed the ATTR_REPLACE flag. This fails because the attr is no > longer present, causing a fs shutdown. > > This is derived from the patch in his bug report, but we really > shouldn't ignore a nonzero retval from the remove call. > > Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199119 > Reported-by: kanda.motohiro@gmail.com > Reviewed-by: Dave Chinner <dchinner@redhat.com> > Reviewed-by: Christoph Hellwig <hch@lst.de> > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> > > CVE-2018-18690 > > (cherry picked from commit 7b38460dc8e4eafba06c78f8e37099d3b34d473c) > Signed-off-by: Tyler Hicks <tyhicks@canonical.com> > --- > fs/xfs/libxfs/xfs_attr.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c > index a76914db72ef..e4265db08e4b 100644 > --- a/fs/xfs/libxfs/xfs_attr.c > +++ b/fs/xfs/libxfs/xfs_attr.c > @@ -511,7 +511,14 @@ xfs_attr_shortform_addname(xfs_da_args_t *args) > if (args->flags & ATTR_CREATE) > return retval; > retval = xfs_attr_shortform_remove(args); > - ASSERT(retval == 0); > + if (retval) > + return retval; > + /* > + * Since we have removed the old attr, clear ATTR_REPLACE so > + * that the leaf format add routine won't trip over the attr > + * not being around. > + */ > + args->flags &= ~ATTR_REPLACE; > } > > if (args->namelen >= XFS_ATTR_SF_ENTSIZE_MAX || Acked-by: Khalid Elmously <khalid.elmously@canonical.com>
diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c index a76914db72ef..e4265db08e4b 100644 --- a/fs/xfs/libxfs/xfs_attr.c +++ b/fs/xfs/libxfs/xfs_attr.c @@ -511,7 +511,14 @@ xfs_attr_shortform_addname(xfs_da_args_t *args) if (args->flags & ATTR_CREATE) return retval; retval = xfs_attr_shortform_remove(args); - ASSERT(retval == 0); + if (retval) + return retval; + /* + * Since we have removed the old attr, clear ATTR_REPLACE so + * that the leaf format add routine won't trip over the attr + * not being around. + */ + args->flags &= ~ATTR_REPLACE; } if (args->namelen >= XFS_ATTR_SF_ENTSIZE_MAX ||
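Review bot: `args->flags &= ~ATTR_REPLACE;` clears the flag on the caller's args for the remainder of the set operation, which is what the later leaf-format add needs, but nothing in the hunk restores the flag or the already-removed shortform entry if that later add fails; it is worth confirming that the caller cancels the transaction on that path so the original tiny xattr is not lost, and the comment could say explicitly that the flag is intentionally left cleared for the rest of the operation. Replacing `ASSERT(retval == 0);` with `if (retval) return retval;` is the right change rather than a style nit: XFS's ASSERT compiles to nothing outside debug builds, so a failing xfs_attr_shortform_remove() was previously ignored in production and the code carried on as though the entry were gone.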
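The operation the commit message describes (a tiny xattr replaced by a large one, which forces the attr fork out of shortform while ATTR_REPLACE is set) can be exercised from userspace with setxattr(2): XFS maps the XATTR_REPLACE flag onto the ATTR_REPLACE flag named in the patch. The program below is an added example, not code from the patch, the XFS tree or the Ubuntu kernel team. It creates a small user xattr, grows it with XATTR_REPLACE, reads it back and reports the result; on a kernel carrying this fix the replace succeeds, on an affected kernel the commit message says the filesystem shuts down, so run it only against a scratch XFS mount. The attr name, the two value sizes, the default file path and the Linux-only <sys/xattr.h> API are assumptions made for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Assumed values for this check; none of them come from the patch. */
#define XATTR_NAME "user.expand_test" /* assumed attr name in the user namespace */
#define SMALL_LEN  8                   /* tiny value: fits in the shortform attr fork */
#define LARGE_LEN  4096                /* assumed: far above what a shortform fork holds */

/* Fill buf with a repeating 'A'..'Z' pattern; returns len. */
size_t fill_pattern(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)('A' + (i % 26));
    return len;
}

/*
 * Create a tiny xattr, grow it with XATTR_REPLACE, then read it back.
 * Returns 0 on success or -errno from the first failing call.  On a
 * filesystem without user xattrs the first fsetxattr fails with ENOTSUP,
 * which says nothing about XFS: run this on a scratch XFS mount.
 */
int expand_xattr(const char *path)
{
    unsigned char small[SMALL_LEN], large[LARGE_LEN];
    unsigned char *back = NULL;
    ssize_t n;
    int fd, ret = 0;

    fill_pattern(small, SMALL_LEN);
    fill_pattern(large, LARGE_LEN);

    fd = open(path, O_CREAT | O_RDWR, 0600);
    if (fd < 0)
        return -errno;

    /* 1. the tiny attr; XATTR_CREATE insists it does not exist yet */
    if (fsetxattr(fd, XATTR_NAME, small, SMALL_LEN, XATTR_CREATE) < 0) {
        ret = -errno;
        goto out;
    }

    /* 2. replace it with a large value: XATTR_REPLACE becomes ATTR_REPLACE
     *    inside XFS and the size forces the attr fork out of shortform,
     *    which is exactly the path the patch changes */
    if (fsetxattr(fd, XATTR_NAME, large, LARGE_LEN, XATTR_REPLACE) < 0) {
        ret = -errno;
        goto out;
    }

    /* 3. read back and compare with what was written */
    back = malloc(LARGE_LEN);
    if (!back) {
        ret = -ENOMEM;
        goto out;
    }
    n = fgetxattr(fd, XATTR_NAME, back, LARGE_LEN);
    if (n < 0) {
        ret = -errno;
        goto out;
    }
    if ((size_t)n != LARGE_LEN || memcmp(back, large, LARGE_LEN) != 0)
        ret = -EIO; /* assumed: a wrong value counts as a failed replace */

out:
    free(back);
    fremovexattr(fd, XATTR_NAME); /* best-effort cleanup */
    close(fd);
    return ret;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "./xattr_expand_test"; /* assumed default */
    int rc = expand_xattr(path);

    if (rc == 0)
        printf("OK: tiny->large xattr replace succeeded on %s\n", path);
    else
        printf("FAILED on %s: %s\n", path, strerror(-rc));
    unlink(path);
    return rc ? 1 : 0;
}
```

Usage: compile with `cc -o xattr_expand xattr_expand.c` and run it with a path on the filesystem under test, for example `./xattr_expand /mnt/scratch/f`. A return of ENOTSUP or EOPNOTSUPP from the first fsetxattr means the target filesystem has no user xattr support at all and the check did not reach the XFS code path in question.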