From patchwork Fri Jul  6 05:33:29 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Khalid Elmously <khalid.elmously@canonical.com>
X-Patchwork-Id: 940267
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com
	(client-ip=91.189.94.19; helo=huckleberry.canonical.com;
	envelope-from=kernel-team-bounces@lists.ubuntu.com;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none)
	header.from=canonical.com
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 41MNgx4Gcmz9s4b;
	Fri,  6 Jul 2018 15:34:05 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1fbJNV-0003GQ-S7; Fri, 06 Jul 2018 05:33:57 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)
	(Exim 4.86_2) (envelope-from <khalid.elmously@canonical.com>)
	id 1fbJNU-0003GF-Ht
	for kernel-team@lists.ubuntu.com; Fri, 06 Jul 2018 05:33:56 +0000
Received: from mail-io0-f198.google.com ([209.85.223.198])
	by youngberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <khalid.elmously@canonical.com>)
	id 1fbJNU-0001oR-7f
	for kernel-team@lists.ubuntu.com; Fri, 06 Jul 2018 05:33:56 +0000
Received: by mail-io0-f198.google.com with SMTP id k22-v6so8809107iob.3
	for <kernel-team@lists.ubuntu.com>;
	Thu, 05 Jul 2018 22:33:56 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=+sqnNw/idOZNSZqJo09IMOtfodpIrcu6MRguM2IikVw=;
	b=lk+obDMowsbyA6KPSeh/BrI59dsqRozQ70ZUZW+nCyKHUop7KPGhMfoj3kiv8MYuQ+
	0SvEUDtSB6OKj2rZwiUCNtg2gonH36tZ54uUkqRi6JrgPhzFxE+EGWMNT6fV1+KjAqec
	mVkoNWp166KaihzAerXF/Akx2/aoEiulonvB19iE3DeFV4NFXx1QP7b3ZxgTfNZDmJeM
	cz4A4o71rZIpWwW3S3nFgHEjWaZsxcjXT4a3AV3n70ce+t60wMu/UoDGXslDp5rzP3JC
	/MrJR0V6HFfNvYxbUiJmUKg0AwIgrp9wy399PVLq0MG/mvsDLLT5MkgKrgmaJ7bkFO0I
	u2uQ==
X-Gm-Message-State: APt69E10uhoaGnkbuMQdtH6MyNj70l/Yys6X2WeX7RcvgDWAA3H4Jo2t
	ri/rnvS2V7twKMwoL/YIpIkd3IrhMU97Fd1p9WxNC07PexDaSWwKKNhlfcBjAzXM9e7PyrUj1Nn
	U0p+0Lo7VMbZ7c+g+lQVDSJURc0qKiSWRtI2kCwmyew==
X-Received: by 2002:a02:45cd:: with SMTP id
	o74-v6mr6860206jad.43.1530855234967;
	Thu, 05 Jul 2018 22:33:54 -0700 (PDT)
X-Google-Smtp-Source: 
 AAOMgpd5ZX+n4/ufr+8tnp0ie4NdxgfCWggrxc5G0ZKLr6mWyqoS3H6ODOIeqDMC/IMbg53VbLPFCQ==
X-Received: by 2002:a02:45cd:: with SMTP id
	o74-v6mr6860197jad.43.1530855234816;
	Thu, 05 Jul 2018 22:33:54 -0700 (PDT)
Received: from kbuntu.fuzzbuzz.org (198-84-180-15.cpe.teksavvy.com.
	[198.84.180.15]) by smtp.gmail.com with ESMTPSA id
	u127-v6sm3563642iod.54.2018.07.05.22.33.53
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Thu, 05 Jul 2018 22:33:53 -0700 (PDT)
From: Khalid Elmously <khalid.elmously@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][T][PATCH 1/1] xfs: set format back to extents if
	xfs_bmap_extents_to_btree
Date: Fri,  6 Jul 2018 01:33:29 -0400
Message-Id: <20180706053329.23440-3-khalid.elmously@canonical.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20180706053329.23440-1-khalid.elmously@canonical.com>
References: <20180706053329.23440-1-khalid.elmously@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Eric Sandeen <sandeen@redhat.com>

CVE-2018-10323

If xfs_bmap_extents_to_btree fails in a mode where we call
xfs_iroot_realloc(-1) to de-allocate the root, set the
format back to extents.

Otherwise we can assume we can dereference ifp->if_broot
based on the XFS_DINODE_FMT_BTREE format, and crash.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
(backported from 2c4306f719b083d17df2963bc761777576b8ad1b)
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
---
 fs/xfs/xfs_bmap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c
index 6beb7a93a0e9..41013924bdcd 100644
--- a/fs/xfs/xfs_bmap.c
+++ b/fs/xfs/xfs_bmap.c
@@ -823,6 +823,8 @@ xfs_bmap_extents_to_btree(
 	*logflagsp = 0;
 	if ((error = xfs_alloc_vextent(&args))) {
 		xfs_iroot_realloc(ip, -1, whichfork);
+		ASSERT(ifp->if_broot == NULL);
+		XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
 		xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
 		return error;
 	}