[SRU,T,1/1] xfs: set format back to extents if xfs_bmap_extents_to_btree

Message ID 20180706053329.23440-3-khalid.elmously@canonical.com
State New
Series
  • Fix for CVE-2018-10323

Commit Message

Khaled Elmously July 6, 2018, 5:33 a.m.
From: Eric Sandeen <sandeen@redhat.com>

CVE-2018-10323

If xfs_bmap_extents_to_btree fails in a mode where we call
xfs_iroot_realloc(-1) to de-allocate the root, set the
format back to extents.

Otherwise we can assume we can dereference ifp->if_broot
based on the XFS_DINODE_FMT_BTREE format, and crash.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
(backported from 2c4306f719b083d17df2963bc761777576b8ad1b)
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
---
 fs/xfs/xfs_bmap.c | 2 ++
 1 file changed, 2 insertions(+)
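
The state mismatch the commit message describes, as a userspace C model added here (not code from the patch or the kernel). The struct, enum and function names are hypothetical stand-ins, and the model assumes the fork is already marked as btree format when the allocation fails.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: every name below is a hypothetical stand-in. */
enum fork_fmt { FMT_EXTENTS, FMT_BTREE };
struct fork {
	enum fork_fmt fmt;	/* models the XFS_DINODE_FMT_* value of the fork */
	int *broot;		/* models ifp->if_broot */
};

/* Convert extents -> btree. alloc_fails simulates xfs_alloc_vextent()
 * returning an error; reset_fmt selects the patched error path. */
static int extents_to_btree(struct fork *f, int alloc_fails, int reset_fmt)
{
	f->broot = calloc(1, sizeof(*f->broot));
	if (!f->broot)
		return -1;
	f->fmt = FMT_BTREE;		/* assumption: tag set before the allocation */
	if (alloc_fails) {
		free(f->broot);		/* models xfs_iroot_realloc(ip, -1, whichfork) */
		f->broot = NULL;
		if (reset_fmt)
			f->fmt = FMT_EXTENTS;	/* the step the patch adds */
		return -1;
	}
	return 0;
}

/* A later reader that trusts the format tag would dereference broot. */
static int reader_would_crash(const struct fork *f)
{
	return f->fmt == FMT_BTREE && f->broot == NULL;
}

/* Run one failed conversion; 1 means the fork is left inconsistent. */
int failed_conversion_leaves_bad_state(int reset_fmt)
{
	struct fork f = { FMT_EXTENTS, NULL };
	(void)extents_to_btree(&f, 1, reset_fmt);
	return reader_would_crash(&f);
}

int main(void)
{
	printf("unpatched: inconsistent=%d\n", failed_conversion_leaves_bad_state(0));
	printf("patched:   inconsistent=%d\n", failed_conversion_leaves_bad_state(1));
	return 0;
}
```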

Comments

Kleber Souza July 26, 2018, 4:16 p.m. | #1
On 07/06/18 07:33, Khalid Elmously wrote:
> From: Eric Sandeen <sandeen@redhat.com>
> 
> CVE-2018-10323
> 
> If xfs_bmap_extents_to_btree fails in a mode where we call
> xfs_iroot_realloc(-1) to de-allocate the root, set the
> format back to extents.
> 
> Otherwise we can assume we can dereference ifp->if_broot
> based on the XFS_DINODE_FMT_BTREE format, and crash.
> 
> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
> Signed-off-by: Eric Sandeen <sandeen@redhat.com>
> Reviewed-by: Christoph Hellwig <hch@lst.de>
> Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> (backported from 2c4306f719b083d17df2963bc761777576b8ad1b)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
> ---
>  fs/xfs/xfs_bmap.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c
> index 6beb7a93a0e9..41013924bdcd 100644
> --- a/fs/xfs/xfs_bmap.c
> +++ b/fs/xfs/xfs_bmap.c
> @@ -823,6 +823,8 @@ xfs_bmap_extents_to_btree(
>  	*logflagsp = 0;
>  	if ((error = xfs_alloc_vextent(&args))) {
>  		xfs_iroot_realloc(ip, -1, whichfork);
> +		ASSERT(ifp->if_broot == NULL);
> +		XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
>  		xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
>  		return error;
>  	}
> 
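
Review bot: the added ASSERT(ifp->if_broot == NULL) is compiled out unless XFS is built with its debug or warn options, so on a production kernel it documents the expectation rather than enforcing it. That is fine here because the XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS) on the next line is what actually closes the crash, but the fix then depends on xfs_iroot_realloc(ip, -1, whichfork) always leaving if_broot NULL in this path; it is worth confirming that holds in the tree being patched, since nothing at runtime will flag it if it does not.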

The backport looks correct.

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

Kleber Souza July 27, 2018, 1:04 p.m. | #2
On 07/06/18 07:33, Khalid Elmously wrote:
> From: Eric Sandeen <sandeen@redhat.com>
> 
> CVE-2018-10323
> 
> If xfs_bmap_extents_to_btree fails in a mode where we call
> xfs_iroot_realloc(-1) to de-allocate the root, set the
> format back to extents.
> 
> Otherwise we can assume we can dereference ifp->if_broot
> based on the XFS_DINODE_FMT_BTREE format, and crash.
> 
> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
> Signed-off-by: Eric Sandeen <sandeen@redhat.com>
> Reviewed-by: Christoph Hellwig <hch@lst.de>
> Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> (backported from 2c4306f719b083d17df2963bc761777576b8ad1b)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
> ---
>  fs/xfs/xfs_bmap.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c
> index 6beb7a93a0e9..41013924bdcd 100644
> --- a/fs/xfs/xfs_bmap.c
> +++ b/fs/xfs/xfs_bmap.c
> @@ -823,6 +823,8 @@ xfs_bmap_extents_to_btree(
>  	*logflagsp = 0;
>  	if ((error = xfs_alloc_vextent(&args))) {
>  		xfs_iroot_realloc(ip, -1, whichfork);
> +		ASSERT(ifp->if_broot == NULL);
> +		XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
>  		xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
>  		return error;
>  	}
> 
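
Review bot: only the xfs_alloc_vextent() failure return is covered by the reset in this hunk. If xfs_bmap_extents_to_btree has any other error return reached after the fork has been switched to btree format and the root freed, it needs the same XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS); please check the rest of the function in this tree, since the visible context stops at this one return.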

Applied to trusty/master-next branch.

Thanks,
Kleber

Patch

diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c
index 6beb7a93a0e9..41013924bdcd 100644
--- a/fs/xfs/xfs_bmap.c
+++ b/fs/xfs/xfs_bmap.c
@@ -823,6 +823,8 @@  xfs_bmap_extents_to_btree(
 	*logflagsp = 0;
 	if ((error = xfs_alloc_vextent(&args))) {
 		xfs_iroot_realloc(ip, -1, whichfork);
+		ASSERT(ifp->if_broot == NULL);
+		XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
 		xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
 		return error;
 	}
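
Review bot: the XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS) line carries no comment, so the reason for rolling the format back (the root was just freed by xfs_iroot_realloc(ip, -1, whichfork) and the fork must not stay marked XFS_DINODE_FMT_BTREE) lives only in the commit message. A one-line comment above it would keep that invariant visible to whoever next touches this error path. Separately, the message says "backported from 2c4306f719b083d17df2963bc761777576b8ad1b" without noting what had to change relative to upstream; a short bracketed note on the adjustment would make the backport easier to verify.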