From patchwork Thu Jul 26 08:41:02 2018
X-Patchwork-Submitter: Po-Hsu Lin
X-Patchwork-Id: 949539
From: Po-Hsu Lin
To: kernel-team@lists.ubuntu.com
Subject: [CVE-2018-11412][Bionic][SRU][PATCH 1/1] ext4: do not allow external inodes for inline data
Date: Thu, 26 Jul 2018 16:41:02 +0800
Message-Id: <20180726084102.29175-2-po-hsu.lin@canonical.com>
In-Reply-To: <20180726084102.29175-1-po-hsu.lin@canonical.com>
References: <20180726084102.29175-1-po-hsu.lin@canonical.com>
List-Id: Kernel team discussions
From: Theodore Ts'o

CVE-2018-11412

The inline data feature was implemented before we added support for external inodes for xattrs. It makes no sense to support that combination, but the problem is that there are a number of extended attribute checks that are skipped if e_value_inum is non-zero. Unfortunately, the inline data code is completely e_value_inum unaware, and attempts to interpret the xattr fields as if it were an inline xattr --- at which point, Hilarity Ensues.

This addresses CVE-2018-11412.

https://bugzilla.kernel.org/show_bug.cgi?id=199803

Reported-by: Jann Horn
Reviewed-by: Andreas Dilger
Signed-off-by: Theodore Ts'o
Fixes: e50e5129f384 ("ext4: xattr-in-inode support")
Cc: stable@kernel.org
(cherry picked from commit 117166efb1ee8f13c38f9e96b258f16d4923f888)
Signed-off-by: Po-Hsu Lin
Acked-by: Stefan Bader
Acked-by: Kleber Sacilotto de Souza
---
fs/ext4/inline.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c index 1367553c43bb..1e10eb9aa6f8 100644 --- a/fs/ext4/inline.c +++ b/fs/ext4/inline.c @@ -151,6 +151,12 @@ int ext4_find_inline_data_nolock(struct inode *inode) goto out; if (!is.s.not_found) { + if (is.s.here->e_value_inum) { + EXT4_ERROR_INODE(inode, "inline data xattr refers " + "to an external xattr inode"); + error = -EFSCORRUPTED; + goto out; + } EXT4_I(inode)->i_inline_off = (u16)((void *)is.s.here - (void *)ext4_raw_inode(&is.iloc)); EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE +
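Review bot: the e_value_inum check in ext4_find_inline_data_nolock sits before i_inline_off and i_inline_size are derived from is.s.here, which is the right ordering, but since the commit message says the xattr-in-inode checks are skipped whenever e_value_inum is non-zero, please confirm that every consumer of the inline-data xattr reaches the entry through this lookup; any path that reads is.s.here directly would still see the unchecked entry. Flagging the condition with EXT4_ERROR_INODE and -EFSCORRUPTED, rather than silently treating the entry as not found, is the better choice here: it leaves a log record for detection and lets the filesystem's error policy decide what happens next. Minor: the hunk is cut off after `EXT4_MIN_INLINE_DATA_SIZE +` in this copy, so the trailing context lines cannot be checked.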