Fix CVE-2018-10322 CVE-2018-10323
parent
127e4b3348
commit
813051e405
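--- a/0001-xfs-enhance-dinode-verifier.patch
+++ b/0001-xfs-enhance-dinode-verifier.patch
@@ -0,0 +1,72 @@
+From b42db0860e13067fcc7cbfba3966c9e652668bbc Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@sandeen.net>
+Date: Mon, 16 Apr 2018 23:06:53 -0700
+Subject: [PATCH] xfs: enhance dinode verifier
+
+Add several more validations to xfs_dinode_verify:
+
+- For LOCAL data fork formats, di_nextents must be 0.
+- For LOCAL attr fork formats, di_anextents must be 0.
+- For inodes with no attr fork offset,
+- format must be XFS_DINODE_FMT_EXTENTS if set at all
+- di_anextents must be 0.
+
+Thanks to dchinner for pointing out a couple related checks I had
+forgotten to add.
+
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199377
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+---
+fs/xfs/libxfs/xfs_inode_buf.c | 21 +++++++++++++++++++++
+1 file changed, 21 insertions(+)
+
+diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c
+index ef68b1de006a..1201107eabc6 100644
+--- a/fs/xfs/libxfs/xfs_inode_buf.c
++++ b/fs/xfs/libxfs/xfs_inode_buf.c
+@@ -466,6 +466,8 @@ xfs_dinode_verify(
+return __this_address;
+if (di_size > XFS_DFORK_DSIZE(dip, mp))
+return __this_address;
++ if (dip->di_nextents)
++ return __this_address;
+/* fall through */
+case XFS_DINODE_FMT_EXTENTS:
+case XFS_DINODE_FMT_BTREE:
+@@ -484,12 +486,31 @@ xfs_dinode_verify(
+if (XFS_DFORK_Q(dip)) {
+switch (dip->di_aformat) {
+case XFS_DINODE_FMT_LOCAL:
++ if (dip->di_anextents)
++ return __this_address;
++ /* fall through */
+case XFS_DINODE_FMT_EXTENTS:
+case XFS_DINODE_FMT_BTREE:
+break;
+default:
+return __this_address;
+}
++ } else {
++ /*
++ * If there is no fork offset, this may be a freshly-made inode
++ * in a new disk cluster, in which case di_aformat is zeroed.
++ * Otherwise, such an inode must be in EXTENTS format; this goes
++ * for freed inodes as well.
++ */
++ switch (dip->di_aformat) {
++ case 0:
++ case XFS_DINODE_FMT_EXTENTS:
++ break;
++ default:
++ return __this_address;
++ }
++ if (dip->di_anextents)
++ return __this_address;
+}
+
+/* only version 3 or greater inodes are extensively verified here */
+--
+2.17.0
+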
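Review bot: The bare `case 0:` in the new no-attr-fork branch reads like a magic number; in the XFS on-disk format enum that value is, as far as I recall, XFS_DINODE_FMT_DEV, so a later reader could take it as accepting a device-format attr fork. The block comment above the switch explains the zeroed case, but a comment on the label itself, e.g. `case 0: /* zeroed di_aformat of a never-used inode, not a real format */`, would keep that intent next to the value. The new `if (dip->di_nextents)` check in the first hunk has no comment at all; `/* inline (LOCAL) data cannot also carry extent records */` would say why a nonzero count is treated as corruption. Both hunks show only part of xfs_dinode_verify, so whether the extent counts are bounded for the EXTENTS and BTREE formats cannot be judged from here.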
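--- a/0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
+++ b/0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
@@ -0,0 +1,45 @@
+From 2c4306f719b083d17df2963bc761777576b8ad1b Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Mon, 16 Apr 2018 23:07:27 -0700
+Subject: [PATCH] xfs: set format back to extents if xfs_bmap_extents_to_btree
+
+If xfs_bmap_extents_to_btree fails in a mode where we call
+xfs_iroot_realloc(-1) to de-allocate the root, set the
+format back to extents.
+
+Otherwise we can assume we can dereference ifp->if_broot
+based on the XFS_DINODE_FMT_BTREE format, and crash.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+---
+fs/xfs/libxfs/xfs_bmap.c | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
+index 6a7c2f03ea11..040eeda8426f 100644
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -725,12 +725,16 @@ xfs_bmap_extents_to_btree(
+*logflagsp = 0;
+if ((error = xfs_alloc_vextent(&args))) {
+xfs_iroot_realloc(ip, -1, whichfork);
++ ASSERT(ifp->if_broot == NULL);
++ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
+xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
+return error;
+}
+
+if (WARN_ON_ONCE(args.fsbno == NULLFSBLOCK)) {
+xfs_iroot_realloc(ip, -1, whichfork);
++ ASSERT(ifp->if_broot == NULL);
++ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
+xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
+return -ENOSPC;
+}
+--
+2.17.0
+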
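Review bot: Both failure branches after `xfs_alloc_vextent()` now repeat the same cleanup sequence (root deallocation, format reset, cursor deletion), so an error path added later could again free the root without resetting the fork format, which is the crash the patch description gives. Moving the sequence to a single exit label would keep `xfs_iroot_realloc(ip, -1, whichfork)` and the `XFS_DINODE_FMT_EXTENTS` reset together. The `ASSERT(ifp->if_broot == NULL)` is presumably a no-op outside debug builds, so the format reset itself is what protects production kernels. The body of xfs_bmap_extents_to_btree starts and ends outside the hunk, so the label placement below is only a sketch.

```c
	if ((error = xfs_alloc_vextent(&args)))
		goto out_root_realloc;

	if (WARN_ON_ONCE(args.fsbno == NULLFSBLOCK)) {
		error = -ENOSPC;
		goto out_root_realloc;
	}
	/* … unchanged: remainder of the success path … */

out_root_realloc:
	/* Undo the in-core btree root and put the fork back in extents format. */
	xfs_iroot_realloc(ip, -1, whichfork);
	ASSERT(ifp->if_broot == NULL);
	XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
	xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
	return error;
```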
10
kernel.spec
10
kernel.spec
@ -649,6 +649,12 @@ Patch508: Bluetooth-btusb-autosuspend-XPS-13-9360-fixes.patch
|
|||||||
# rhbz 1572944
|
# rhbz 1572944
|
||||||
Patch509: Revert-the-random-series-for-4.16.4.patch
|
Patch509: Revert-the-random-series-for-4.16.4.patch
|
||||||
|
|
||||||
|
# CVE-2018-10322 rhbz 1571623 1571624
|
||||||
|
Patch510: 0001-xfs-enhance-dinode-verifier.patch
|
||||||
|
|
||||||
|
# CVE-2018-10323 rhbz 1571627 1571630
|
||||||
|
Patch511: 0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -1921,6 +1927,10 @@ fi
|
|||||||
#
|
#
|
||||||
#
|
#
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri May 04 2018 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||||
|
- Fix CVE-2018-10322 (rhbz 1571623 1571624)
|
||||||
|
- Fix CVE-2018-10323 (rhbz 1571627 1571630)
|
||||||
|
|
||||||
* Wed May 02 2018 Jeremy Cline <jeremy@jcline.org> - 4.16.7-100
|
* Wed May 02 2018 Jeremy Cline <jeremy@jcline.org> - 4.16.7-100
|
||||||
- Linux v4.16.7
|
- Linux v4.16.7
|
||||||
- Revert a second patch related to CVE-2018-1108 4.16.4 (rhbz 1572944)
|
- Revert a second patch related to CVE-2018-1108 4.16.4 (rhbz 1572944)
|
||||||
|