From patchwork Thu Jul 26 04:28:33 2018
X-Patchwork-Submitter: Po-Hsu Lin
X-Patchwork-Id: 949466
From: Po-Hsu Lin
To: kernel-team@lists.ubuntu.com
Subject: [CVE-2018-10840][Bionic][SRU][PATCH] ext4: correctly handle a zero-length xattr with a non-zero e_value_offs
Date: Thu, 26 Jul 2018 12:28:33 +0800
Message-Id: <20180726042833.9697-2-po-hsu.lin@canonical.com>
In-Reply-To: <20180726042833.9697-1-po-hsu.lin@canonical.com>
References: <20180726042833.9697-1-po-hsu.lin@canonical.com>
List-Id: Kernel team discussions
From: Theodore Ts'o

CVE-2018-10840

Ext4 will always create ext4 extended attributes which do not have a value (where e_value_size is zero) with e_value_offs set to zero. In most places e_value_offs will not be used in a substantive way if e_value_size is zero.

There was one exception to this, which is in ext4_xattr_set_entry(), where if there is a maliciously crafted file system with an extended attribute whose e_value_offs is non-zero and e_value_size is 0, the attempt to remove this xattr will result in a negative value getting passed to memmove, leading to the following sadness:

[ 41.225365] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[ 44.538641] BUG: unable to handle kernel paging request at ffff9ec9a3000000
[ 44.538733] IP: __memmove+0x81/0x1a0
[ 44.538755] PGD 1249bd067 P4D 1249bd067 PUD 1249c1067 PMD 80000001230000e1
[ 44.538793] Oops: 0003 [#1] SMP PTI
[ 44.539074] CPU: 0 PID: 1470 Comm: poc Not tainted 4.16.0-rc1+ #1
...
[ 44.539475] Call Trace:
[ 44.539832] ext4_xattr_set_entry+0x9e7/0xf80
...
[ 44.539972] ext4_xattr_block_set+0x212/0xea0
...
[ 44.540041] ext4_xattr_set_handle+0x514/0x610
[ 44.540065] ext4_xattr_set+0x7f/0x120
[ 44.540090] __vfs_removexattr+0x4d/0x60
[ 44.540112] vfs_removexattr+0x75/0xe0
[ 44.540132] removexattr+0x4d/0x80
...
[ 44.540279] path_removexattr+0x91/0xb0
[ 44.540300] SyS_removexattr+0xf/0x20
[ 44.540322] do_syscall_64+0x71/0x120
[ 44.540344] entry_SYSCALL_64_after_hwframe+0x21/0x86

https://bugzilla.kernel.org/show_bug.cgi?id=199347

This addresses CVE-2018-10840.

Reported-by: "Xu, Wen"
Signed-off-by: Theodore Ts'o
Reviewed-by: Andreas Dilger
Cc: stable@kernel.org
Fixes: dec214d00e0d7 ("ext4: xattr inode deduplication")
(cherry picked from commit 8a2b307c21d4b290e3cbe33f768f194286d07c23)
Signed-off-by: Po-Hsu Lin
Acked-by: Stefan Bader
Acked-by: Kleber Sacilotto de Souza
---
 fs/ext4/xattr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 1718354..ed1cf24 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -1687,7 +1687,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, /* No failures allowed past this point. */ - if (!s->not_found && here->e_value_offs) { + if (!s->not_found && here->e_value_size && here->e_value_offs) { /* Remove the old value. */ void *first_val = s->base + min_offs; size_t offs = le16_to_cpu(here->e_value_offs);
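Review bot: The new guard `if (!s->not_found && here->e_value_size && here->e_value_offs)` stops the removal path from reaching `size_t offs = le16_to_cpu(here->e_value_offs);` for an entry that has no value, but it does so by silently tolerating a state the commit message says ext4 never writes (e_value_size == 0 with a non-zero e_value_offs) rather than reporting it. Consider also rejecting such entries where the xattr entries are validated on read, so a crafted image fails with EFSCORRUPTED and leaves a trace in the logs instead of being quietly skipped at removal time, and add a comment above the condition explaining why the e_value_size test is required, since `here->e_value_offs` alone reads as a sufficient check to anyone who has not seen this bug.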
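The arithmetic behind the oops in the commit message, as an added example that is not part of the patch or of the kernel: a small user-space model of how min_offs is computed and what length the removal path would hand to memmove() for a constructed zero-size entry, with the pre-fix and post-fix guards side by side. The entry struct, BLOCK_SIZE and the function names are assumptions made for the model.

```c
/* Added example, not from the patch or the kernel: a user-space model of the
 * ext4_xattr_set_entry() offset arithmetic behind CVE-2018-10840. The entry
 * struct and the 4 KiB block size are simplifying assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define BLOCK_SIZE 4096u

struct xattr_entry {
    uint16_t e_value_offs; /* offset of the value inside the block */
    uint32_t e_value_size; /* value length; 0 means "no value" */
};

/* Kernel's min_offs: lowest offset among entries that carry a value; a
 * zero-size entry is skipped, so its e_value_offs is never validated. */
static size_t min_value_offs(const struct xattr_entry *e, size_t n)
{
    size_t min_offs = BLOCK_SIZE;
    for (size_t i = 0; i < n; i++)
        if (e[i].e_value_size && e[i].e_value_offs < min_offs)
            min_offs = e[i].e_value_offs;
    return min_offs;
}

/* Length the removal path passes to memmove(): val - first_val, where
 * first_val = base + min_offs and val = base + e_value_offs; false = no move. */
static bool removal_memmove_len(const struct xattr_entry *e, size_t n,
                                size_t idx, bool hardened, size_t *len)
{
    const struct xattr_entry *here = &e[idx];
    size_t min_offs = min_value_offs(e, n);
    bool do_remove = hardened ? (here->e_value_size && here->e_value_offs)
                              : (here->e_value_offs != 0);
    if (!do_remove) return false;
    /* pointer difference cast to size_t: an offset below min_offs wraps huge */
    *len = (size_t)((ptrdiff_t)here->e_value_offs - (ptrdiff_t)min_offs);
    return true;
}

int main(void)
{
    /* Constructed entry ext4 never writes: no value but a non-zero offset. */
    struct xattr_entry crafted[] = { { .e_value_offs = 100, .e_value_size = 0 } };
    size_t len = 0;
    removal_memmove_len(crafted, 1, 0, false, &len);
    printf("unpatched: memmove length %zu in a %u-byte block\n", len, BLOCK_SIZE);
    printf("patched: removal %s\n",
           removal_memmove_len(crafted, 1, 0, true, &len) ? "runs" : "skipped");
    return 0;
}
```

With no valued entries min_offs stays at the block size, so the unpatched length is 100 - 4096 reinterpreted as size_t, which is the out-of-bounds memmove the trace shows; the patched guard never computes it.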