diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py index 1ce6141b3..24354cbf8 100755 --- a/debian/bin/gencontrol.py +++ b/debian/bin/gencontrol.py @@ -110,6 +110,7 @@ class Gencontrol(Base): makeflags = makeflags.copy() makeflags['ALL_FEATURESETS'] = ' '.join(fs_enabled) makeflags['ALL_TRIPLETS'] = ' '.join(triplet_enabled) + makeflags['SOURCE_BASENAME'] = self.vars['source_basename'] if not self.config.merge('packages').get('docs', True): makeflags['DO_DOCS'] = False if not self.config.merge('packages').get('source', True): @@ -207,10 +208,6 @@ class Gencontrol(Base): else: makeflags['DO_LIBC'] = False - if not self.config.merge('packages').get('tools', True): - makeflags['DO_TOOLS'] = False - - merge_packages(packages, packages_headers_arch, arch) cmds_build_arch = ["$(MAKE) -f debian/rules.real build-arch-arch %s" % makeflags] diff --git a/debian/changelog b/debian/changelog index 499967287..9c0441164 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,7 +14,7 @@ linux (4.18~rc3-1~exp1) UNRELEASED; urgency=medium -- Ben Hutchings Tue, 26 Jun 2018 01:43:53 +0100 -linux (4.17.3-1) UNRELEASED; urgency=medium +linux (4.17.3-1) unstable; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.17.3 @@ -86,6 +86,7 @@ linux (4.17.3-1) UNRELEASED; urgency=medium [ Ben Hutchings ] * [amd64,arm64,armhf] android: Build modules to support Anbox (Closes: #901492) + - Export symbols needed by Android drivers - Enable building ashmem and binder as modules - Enable ANDROID - Enable ANDROID_BINDER_IPC, ASHMEM as modules @@ -98,14 +99,42 @@ linux (4.17.3-1) UNRELEASED; urgency=medium (CVE-2018-12633) * [x86] vboxguest: Enable VBOXGUEST and DRM_VBOXVIDEO as modules * aufs: Update support patchset to aufs4.x-rcN-20180611 + * debian/rules.d/scripts/mod/gendef.py: Use Python 3 + * debian/rules: Fix pkg.linux.notools build profile + * tracing: Check for no filter when processing event filters (CVE-2018-12714) + * dm: Enable DM_INTEGRITY as module (except on armel) (Closes: #896649) + * debian/lib/python/debian_linux/debian.py: Accept arbitrary revision + suffixes (Closes: #898087) + * ext4: add corruption check in ext4_xattr_set_entry() (CVE-2018-10879) + * ext4: always verify the magic number in xattr blocks (CVE-2018-10879) + * ext4: always check block group bounds in ext4_init_block_bitmap() + (CVE-2018-10878) + * ext4: make sure bitmaps and the inode table don't overlap with bg + descriptors (CVE-2018-10878) + * ext4: only look at the bg_flags field if it is valid (CVE-2018-10876) + * ext4: verify the depth of extent tree in ext4_find_extent() + (CVE-2018-10877) + * ext4: clear i_data in ext4_inode_info when removing inline data + (CVE-2018-10881) + * ext4: never move the system.data xattr out of the inode body + (CVE-2018-10880) + * jbd2: don't mark block as modified if the handle is out of credits + (CVE-2018-10883) + * ext4: avoid running out of journal credits when appending to an inline file + (CVE-2018-10883) + * ext4: add more inode number paranoia checks (CVE-2018-10882) + * jfs: Fix inconsistency between memory allocation and ea_buf->max_size + (CVE-2018-12233) + * debian/control: Move bison and flex to Build-Depends (Closes: #901712) [ Romain Perier ] * [x86] amdgpu: Enable DCN 1.0 Raven family (Closes: #901349) + * [armhf] Enable missing SND_EDMA_SOC for davinci-mcasp on the BeagleBoneBlack [ Vagrant Cascadian ] * [arm64] Add device-tree to support Pinebook. - -- Ben Hutchings Fri, 22 Jun 2018 17:34:37 +0100 + -- Ben Hutchings Mon, 02 Jul 2018 22:13:27 +0100 linux (4.17.2-1~exp1) experimental; urgency=medium diff --git a/debian/config/armel/config.marvell b/debian/config/armel/config.marvell index d488eed7f..92f20c2f2 100644 --- a/debian/config/armel/config.marvell +++ b/debian/config/armel/config.marvell @@ -337,6 +337,11 @@ CONFIG_LEDS_NETXBIG=m CONFIG_LEDS_TRIGGER_TIMER=y CONFIG_LEDS_TRIGGER_DEFAULT_ON=y +## +## file: drivers/md/Kconfig +## +# CONFIG_DM_INTEGRITY is not set + ## ## file: drivers/mmc/Kconfig ## diff --git a/debian/config/armhf/config b/debian/config/armhf/config index 6bac7bf73..964344ed4 100644 --- a/debian/config/armhf/config +++ b/debian/config/armhf/config @@ -1325,6 +1325,11 @@ CONFIG_NET_SWITCHDEV=y ## CONFIG_SND_HDA_TEGRA=m +## +## file: sound/soc/davinci/Kconfig +## +CONFIG_SND_EDMA_SOC=m + ## ## file: sound/soc/Kconfig ## diff --git a/debian/config/config b/debian/config/config index e5b9af6e8..3da4f3aa6 100644 --- a/debian/config/config +++ b/debian/config/config @@ -1791,6 +1791,7 @@ CONFIG_DM_FLAKEY=m CONFIG_DM_VERITY=m CONFIG_DM_SWITCH=m CONFIG_DM_LOG_WRITES=m +CONFIG_DM_INTEGRITY=m ## ## file: drivers/md/bcache/Kconfig diff --git a/debian/lib/python/debian_linux/debian.py b/debian/lib/python/debian_linux/debian.py index 759f777d0..afc956ef0 100644 --- a/debian/lib/python/debian_linux/debian.py +++ b/debian/lib/python/debian_linux/debian.py @@ -1,6 +1,7 @@ import collections import os.path import re +import unittest from . import utils @@ -92,34 +93,30 @@ class Changelog(list): top_match = bottom_match = None class Version(object): - _version_rules = r""" -^ -(?: - (?P - \d+ - ) - : -)? -(?P - .+? -) -(?: - - - (?P[^-]+) -)? -$ -""" - _version_re = re.compile(_version_rules, re.X) + _epoch_re = re.compile(r'\d+$') + _upstream_re = re.compile(r'[0-9][A-Za-z0-9.+\-:~]*$') + _revision_re = re.compile(r'[A-Za-z0-9+.~]+$') def __init__(self, version): - match = self._version_re.match(version) - if match is None: + try: + split = version.index(':') + except ValueError: + epoch, rest = None, version + else: + epoch, rest = version[0:split], version[split+1:] + try: + split = rest.rindex('-') + except ValueError: + upstream, revision = rest, None + else: + upstream, revision = rest[0:split], rest[split+1:] + if ((epoch is not None and not self._epoch_re.match(epoch)) or + not self._upstream_re.match(upstream) or + (revision is not None and not self._revision_re.match(revision))): raise RuntimeError(u"Invalid debian version") - self.epoch = None - if match.group("epoch") is not None: - self.epoch = int(match.group("epoch")) - self.upstream = match.group("upstream") - self.revision = match.group("revision") + self.epoch = epoch and int(epoch) + self.upstream = upstream + self.revision = revision def __str__(self): return self.complete @@ -143,9 +140,81 @@ $ return self.revision +class _VersionTest(unittest.TestCase): + def test_native(self): + v = Version('1.2+c~4') + self.assertEqual(v.epoch, None) + self.assertEqual(v.upstream, '1.2+c~4') + self.assertEqual(v.revision, None) + self.assertEqual(v.complete, '1.2+c~4') + self.assertEqual(v.complete_noepoch, '1.2+c~4') + + def test_nonnative(self): + v = Version('1-2+d~3') + self.assertEqual(v.epoch, None) + self.assertEqual(v.upstream, '1') + self.assertEqual(v.revision, '2+d~3') + self.assertEqual(v.complete, '1-2+d~3') + self.assertEqual(v.complete_noepoch, '1-2+d~3') + + def test_native_epoch(self): + v = Version('5:1.2.3') + self.assertEqual(v.epoch, 5) + self.assertEqual(v.upstream, '1.2.3') + self.assertEqual(v.revision, None) + self.assertEqual(v.complete, '5:1.2.3') + self.assertEqual(v.complete_noepoch, '1.2.3') + + def test_nonnative_epoch(self): + v = Version('5:1.2.3-4') + self.assertEqual(v.epoch, 5) + self.assertEqual(v.upstream, '1.2.3') + self.assertEqual(v.revision, '4') + self.assertEqual(v.complete, '5:1.2.3-4') + self.assertEqual(v.complete_noepoch, '1.2.3-4') + + def test_multi_hyphen(self): + v = Version('1-2-3') + self.assertEqual(v.epoch, None) + self.assertEqual(v.upstream, '1-2') + self.assertEqual(v.revision, '3') + self.assertEqual(v.complete, '1-2-3') + + def test_multi_colon(self): + v = Version('1:2:3') + self.assertEqual(v.epoch, 1) + self.assertEqual(v.upstream, '2:3') + self.assertEqual(v.revision, None) + + def test_invalid_epoch(self): + with self.assertRaises(RuntimeError): + v = Version('a:1') + with self.assertRaises(RuntimeError): + v = Version('-1:1') + with self.assertRaises(RuntimeError): + v = Version('1a:1') + + def test_invalid_upstream(self): + with self.assertRaises(RuntimeError): + v = Version('1_2') + with self.assertRaises(RuntimeError): + v = Version('1/2') + with self.assertRaises(RuntimeError): + v = Version('a1') + with self.assertRaises(RuntimeError): + v = Version('1 2') + + def test_invalid_revision(self): + with self.assertRaises(RuntimeError): + v = Version('1-2_3') + with self.assertRaises(RuntimeError): + v = Version('1-2/3') + with self.assertRaises(RuntimeError): + v = Version('1-2:3') + + class VersionLinux(Version): - _version_linux_rules = r""" -^ + _upstream_re = re.compile(r""" (?P \d+\.\d+ ) @@ -165,7 +234,9 @@ class VersionLinux(Version): \d+ ) )? -- +$ + """, re.X) + _revision_re = re.compile(r""" \d+ (\.\d+)? (?: @@ -174,27 +245,27 @@ class VersionLinux(Version): ) | (?P - [~+]deb\d+u\d+ + (?:[~+]deb\d+u\d+)+ )? (?P ~bpo\d+\+\d+ )? | (?P - [^-+]+ + .+? ) ) (?:\+b\d+)? $ -""" - _version_linux_re = re.compile(_version_linux_rules, re.X) + """, re.X) def __init__(self, version): super(VersionLinux, self).__init__(version) - match = self._version_linux_re.match(version) - if match is None: + up_match = self._upstream_re.match(self.upstream) + rev_match = self._revision_re.match(self.revision) + if up_match is None or rev_match is None: raise RuntimeError(u"Invalid debian linux version") - d = match.groupdict() + d = up_match.groupdict() self.linux_modifier = d['modifier'] self.linux_version = d['version'] if d['modifier'] is not None: @@ -204,10 +275,122 @@ $ self.linux_upstream = d['version'] self.linux_upstream_full = self.linux_upstream + d['update'] self.linux_dfsg = d['dfsg'] - self.linux_revision_experimental = match.group('revision_experimental') and True - self.linux_revision_security = match.group('revision_security') and True - self.linux_revision_backports = match.group('revision_backports') and True - self.linux_revision_other = match.group('revision_other') and True + d = rev_match.groupdict() + self.linux_revision_experimental = d['revision_experimental'] and True + self.linux_revision_security = d['revision_security'] and True + self.linux_revision_backports = d['revision_backports'] and True + self.linux_revision_other = d['revision_other'] and True + + +class _VersionLinuxTest(unittest.TestCase): + def test_stable(self): + v = VersionLinux('1.2.3-4') + self.assertEqual(v.linux_version, '1.2') + self.assertEqual(v.linux_upstream, '1.2') + self.assertEqual(v.linux_upstream_full, '1.2.3') + self.assertEqual(v.linux_modifier, None) + self.assertEqual(v.linux_dfsg, None) + self.assertFalse(v.linux_revision_experimental) + self.assertFalse(v.linux_revision_security) + self.assertFalse(v.linux_revision_backports) + self.assertFalse(v.linux_revision_other) + + def test_rc(self): + v = VersionLinux('1.2~rc3-4') + self.assertEqual(v.linux_version, '1.2') + self.assertEqual(v.linux_upstream, '1.2-rc3') + self.assertEqual(v.linux_upstream_full, '1.2-rc3') + self.assertEqual(v.linux_modifier, 'rc3') + self.assertEqual(v.linux_dfsg, None) + self.assertFalse(v.linux_revision_experimental) + self.assertFalse(v.linux_revision_security) + self.assertFalse(v.linux_revision_backports) + self.assertFalse(v.linux_revision_other) + + def test_dfsg(self): + v = VersionLinux('1.2~rc3.dfsg.1-4') + self.assertEqual(v.linux_version, '1.2') + self.assertEqual(v.linux_upstream, '1.2-rc3') + self.assertEqual(v.linux_upstream_full, '1.2-rc3') + self.assertEqual(v.linux_modifier, 'rc3') + self.assertEqual(v.linux_dfsg, '1') + self.assertFalse(v.linux_revision_experimental) + self.assertFalse(v.linux_revision_security) + self.assertFalse(v.linux_revision_backports) + self.assertFalse(v.linux_revision_other) + + def test_experimental(self): + v = VersionLinux('1.2~rc3-4~exp5') + self.assertEqual(v.linux_upstream_full, '1.2-rc3') + self.assertTrue(v.linux_revision_experimental) + self.assertFalse(v.linux_revision_security) + self.assertFalse(v.linux_revision_backports) + self.assertFalse(v.linux_revision_other) + + def test_security(self): + v = VersionLinux('1.2.3-4+deb10u1') + self.assertEqual(v.linux_upstream_full, '1.2.3') + self.assertFalse(v.linux_revision_experimental) + self.assertTrue(v.linux_revision_security) + self.assertFalse(v.linux_revision_backports) + self.assertFalse(v.linux_revision_other) + + def test_backports(self): + v = VersionLinux('1.2.3-4~bpo9+10') + self.assertEqual(v.linux_upstream_full, '1.2.3') + self.assertFalse(v.linux_revision_experimental) + self.assertFalse(v.linux_revision_security) + self.assertTrue(v.linux_revision_backports) + self.assertFalse(v.linux_revision_other) + + def test_security_backports(self): + v = VersionLinux('1.2.3-4+deb10u1~bpo9+10') + self.assertEqual(v.linux_upstream_full, '1.2.3') + self.assertFalse(v.linux_revision_experimental) + self.assertTrue(v.linux_revision_security) + self.assertTrue(v.linux_revision_backports) + self.assertFalse(v.linux_revision_other) + + def test_lts_backports(self): + # Backport during LTS, as an extra package in the -security + # suite. Since this is not part of a -backports suite it + # shouldn't get the linux_revision_backports flag. + v = VersionLinux('1.2.3-4~deb9u10') + self.assertEqual(v.linux_upstream_full, '1.2.3') + self.assertFalse(v.linux_revision_experimental) + self.assertTrue(v.linux_revision_security) + self.assertFalse(v.linux_revision_backports) + self.assertFalse(v.linux_revision_other) + + def test_lts_backports_2(self): + # Same but with two security extensions in the revision. + v = VersionLinux('1.2.3-4+deb10u1~deb9u10') + self.assertEqual(v.linux_upstream_full, '1.2.3') + self.assertFalse(v.linux_revision_experimental) + self.assertTrue(v.linux_revision_security) + self.assertFalse(v.linux_revision_backports) + self.assertFalse(v.linux_revision_other) + + def test_binnmu(self): + v = VersionLinux('1.2.3-4+b1') + self.assertFalse(v.linux_revision_experimental) + self.assertFalse(v.linux_revision_security) + self.assertFalse(v.linux_revision_backports) + self.assertFalse(v.linux_revision_other) + + def test_other_revision(self): + v = VersionLinux('4.16.5-1+revert+crng+ready') # from #898087 + self.assertFalse(v.linux_revision_experimental) + self.assertFalse(v.linux_revision_security) + self.assertFalse(v.linux_revision_backports) + self.assertTrue(v.linux_revision_other) + + def test_other_revision_binnmu(self): + v = VersionLinux('4.16.5-1+revert+crng+ready+b1') + self.assertFalse(v.linux_revision_experimental) + self.assertFalse(v.linux_revision_security) + self.assertFalse(v.linux_revision_backports) + self.assertTrue(v.linux_revision_other) class PackageArchitecture(collections.MutableSet): @@ -501,3 +684,7 @@ class TestsControl(_ControlFileDict): ('Tests-Directory', str), ('Classes', str), )) + + +if __name__ == '__main__': + unittest.main() diff --git a/debian/patches/bugfix/all/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch b/debian/patches/bugfix/all/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch new file mode 100644 index 000000000..8c4c722af --- /dev/null +++ b/debian/patches/bugfix/all/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch @@ -0,0 +1,48 @@ +From: Theodore Ts'o +Date: Wed, 13 Jun 2018 00:23:11 -0400 +Subject: ext4: add corruption check in ext4_xattr_set_entry() +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=4fda60bbdbb61de76e3d3c48ed77c9e9b96b00d1 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10879 + +In theory this should have been caught earlier when the xattr list was +verified, but in case it got missed, it's simple enough to add check +to make sure we don't overrun the xattr buffer. + +This addresses CVE-2018-10879. + +https://bugzilla.kernel.org/show_bug.cgi?id=200001 + +Signed-off-by: Theodore Ts'o +Reviewed-by: Andreas Dilger +--- + fs/ext4/xattr.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index fc4ced59c565..230ba79715f6 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1560,7 +1560,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, + handle_t *handle, struct inode *inode, + bool is_block) + { +- struct ext4_xattr_entry *last; ++ struct ext4_xattr_entry *last, *next; + struct ext4_xattr_entry *here = s->here; + size_t min_offs = s->end - s->base, name_len = strlen(i->name); + int in_inode = i->in_inode; +@@ -1595,7 +1595,13 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, + + /* Compute min_offs and last. */ + last = s->first; +- for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { ++ for (; !IS_LAST_ENTRY(last); last = next) { ++ next = EXT4_XATTR_NEXT(last); ++ if ((void *)next >= s->end) { ++ EXT4_ERROR_INODE(inode, "corrupted xattr entries"); ++ ret = -EFSCORRUPTED; ++ goto out; ++ } + if (!last->e_value_inum && last->e_value_size) { + size_t offs = le16_to_cpu(last->e_value_offs); + if (offs < min_offs) diff --git a/debian/patches/bugfix/all/ext4-add-more-inode-number-paranoia-checks.patch b/debian/patches/bugfix/all/ext4-add-more-inode-number-paranoia-checks.patch new file mode 100644 index 000000000..5a509ea49 --- /dev/null +++ b/debian/patches/bugfix/all/ext4-add-more-inode-number-paranoia-checks.patch @@ -0,0 +1,63 @@ +From: Theodore Ts'o +Date: Sun, 17 Jun 2018 00:41:14 -0400 +Subject: ext4: add more inode number paranoia checks +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=a0b4bd6c4418a8d2ba51f27968f5af005e5dbbdd +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10882 + +If there is a directory entry pointing to a system inode (such as a +journal inode), complain and declare the file system to be corrupted. + +Also, if the superblock's first inode number field is too small, +refuse to mount the file system. + +This addresses CVE-2018-10882. + +https://bugzilla.kernel.org/show_bug.cgi?id=200069 + +Signed-off-by: Theodore Ts'o +--- + fs/ext4/ext4.h | 5 ----- + fs/ext4/inode.c | 3 ++- + fs/ext4/super.c | 5 +++++ + 3 files changed, 7 insertions(+), 6 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -1501,11 +1501,6 @@ static inline struct ext4_inode_info *EX + static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino) + { + return ino == EXT4_ROOT_INO || +- ino == EXT4_USR_QUOTA_INO || +- ino == EXT4_GRP_QUOTA_INO || +- ino == EXT4_BOOT_LOADER_INO || +- ino == EXT4_JOURNAL_INO || +- ino == EXT4_RESIZE_INO || + (ino >= EXT4_FIRST_INO(sb) && + ino <= le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)); + } +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4506,7 +4506,8 @@ static int __ext4_get_inode_loc(struct i + int inodes_per_block, inode_offset; + + iloc->bh = NULL; +- if (!ext4_valid_inum(sb, inode->i_ino)) ++ if (inode->i_ino < EXT4_ROOT_INO || ++ inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)) + return -EFSCORRUPTED; + + iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb); +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3817,6 +3817,11 @@ static int ext4_fill_super(struct super_ + } else { + sbi->s_inode_size = le16_to_cpu(es->s_inode_size); + sbi->s_first_ino = le32_to_cpu(es->s_first_ino); ++ if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) { ++ ext4_msg(sb, KERN_ERR, "invalid first ino: %u", ++ sbi->s_first_ino); ++ goto failed_mount; ++ } + if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) || + (!is_power_of_2(sbi->s_inode_size)) || + (sbi->s_inode_size > blocksize)) { diff --git a/debian/patches/bugfix/all/ext4-always-check-block-group-bounds-in-ext4_init_bl.patch b/debian/patches/bugfix/all/ext4-always-check-block-group-bounds-in-ext4_init_bl.patch new file mode 100644 index 000000000..f527b2a2e --- /dev/null +++ b/debian/patches/bugfix/all/ext4-always-check-block-group-bounds-in-ext4_init_bl.patch @@ -0,0 +1,53 @@ +From: Theodore Ts'o +Date: Wed, 13 Jun 2018 23:00:48 -0400 +Subject: ext4: always check block group bounds in ext4_init_block_bitmap() +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=dcf37fefac3f699aa1341f86bcd7808ccc651c33 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10878 + +Regardless of whether the flex_bg feature is set, we should always +check to make sure the bits we are setting in the block bitmap are +within the block group bounds. + +https://bugzilla.kernel.org/show_bug.cgi?id=199865 + +Signed-off-by: Theodore Ts'o +--- + fs/ext4/balloc.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/fs/ext4/balloc.c ++++ b/fs/ext4/balloc.c +@@ -184,7 +184,6 @@ static int ext4_init_block_bitmap(struct + unsigned int bit, bit_max; + struct ext4_sb_info *sbi = EXT4_SB(sb); + ext4_fsblk_t start, tmp; +- int flex_bg = 0; + + J_ASSERT_BH(bh, buffer_locked(bh)); + +@@ -207,22 +206,19 @@ static int ext4_init_block_bitmap(struct + + start = ext4_group_first_block_no(sb, block_group); + +- if (ext4_has_feature_flex_bg(sb)) +- flex_bg = 1; +- + /* Set bits for block and inode bitmaps, and inode table */ + tmp = ext4_block_bitmap(sb, gdp); +- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) ++ if (ext4_block_in_group(sb, tmp, block_group)) + ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); + + tmp = ext4_inode_bitmap(sb, gdp); +- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) ++ if (ext4_block_in_group(sb, tmp, block_group)) + ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); + + tmp = ext4_inode_table(sb, gdp); + for (; tmp < ext4_inode_table(sb, gdp) + + sbi->s_itb_per_group; tmp++) { +- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) ++ if (ext4_block_in_group(sb, tmp, block_group)) + ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); + } + diff --git a/debian/patches/bugfix/all/ext4-always-verify-the-magic-number-in-xattr-blocks.patch b/debian/patches/bugfix/all/ext4-always-verify-the-magic-number-in-xattr-blocks.patch new file mode 100644 index 000000000..2522bcb4c --- /dev/null +++ b/debian/patches/bugfix/all/ext4-always-verify-the-magic-number-in-xattr-blocks.patch @@ -0,0 +1,45 @@ +From: Theodore Ts'o +Date: Wed, 13 Jun 2018 00:51:28 -0400 +Subject: ext4: always verify the magic number in xattr blocks +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=3345c50533c6a17ebc0284362ca7b69aaef37ac4 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10879 + +If there an inode points to a block which is also some other type of +metadata block (such as a block allocation bitmap), the +buffer_verified flag can be set when it was validated as that other +metadata block type; however, it would make a really terrible external +attribute block. The reason why we use the verified flag is to avoid +constantly reverifying the block. However, it doesn't take much +overhead to make sure the magic number of the xattr block is correct, +and this will avoid potential crashes. + +This addresses CVE-2018-10879. + +https://bugzilla.kernel.org/show_bug.cgi?id=200001 + +Signed-off-by: Theodore Ts'o +Reviewed-by: Andreas Dilger +--- + fs/ext4/xattr.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index 230ba79715f6..0263692979ec 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -230,12 +230,12 @@ __ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh, + { + int error = -EFSCORRUPTED; + +- if (buffer_verified(bh)) +- return 0; +- + if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || + BHDR(bh)->h_blocks != cpu_to_le32(1)) + goto errout; ++ if (buffer_verified(bh)) ++ return 0; ++ + error = -EFSBADCRC; + if (!ext4_xattr_block_csum_verify(inode, bh)) + goto errout; diff --git a/debian/patches/bugfix/all/ext4-avoid-running-out-of-journal-credits-when-appen.patch b/debian/patches/bugfix/all/ext4-avoid-running-out-of-journal-credits-when-appen.patch new file mode 100644 index 000000000..911fcac74 --- /dev/null +++ b/debian/patches/bugfix/all/ext4-avoid-running-out-of-journal-credits-when-appen.patch @@ -0,0 +1,120 @@ +From: Theodore Ts'o +Date: Sat, 16 Jun 2018 23:41:59 -0400 +Subject: ext4: avoid running out of journal credits when appending to an + inline file +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=3886651521995071fab29401094e675b6ebfdc8c +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10883 + +Use a separate journal transaction if it turns out that we need to +convert an inline file to use an data block. Otherwise we could end +up failing due to not having journal credits. + +This addresses CVE-2018-10883. + +https://bugzilla.kernel.org/show_bug.cgi?id=200071 + +Signed-off-by: Theodore Ts'o +--- + fs/ext4/ext4.h | 3 --- + fs/ext4/inline.c | 38 +------------------------------------- + fs/ext4/xattr.c | 19 ++----------------- + 3 files changed, 3 insertions(+), 57 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -3005,9 +3005,6 @@ extern int ext4_inline_data_fiemap(struc + struct iomap; + extern int ext4_inline_data_iomap(struct inode *inode, struct iomap *iomap); + +-extern int ext4_try_to_evict_inline_data(handle_t *handle, +- struct inode *inode, +- int needed); + extern int ext4_inline_data_truncate(struct inode *inode, int *has_inline); + + extern int ext4_convert_inline_data(struct inode *inode); +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -887,11 +887,11 @@ retry_journal: + flags |= AOP_FLAG_NOFS; + + if (ret == -ENOSPC) { ++ ext4_journal_stop(handle); + ret = ext4_da_convert_inline_data_to_extent(mapping, + inode, + flags, + fsdata); +- ext4_journal_stop(handle); + if (ret == -ENOSPC && + ext4_should_retry_alloc(inode->i_sb, &retries)) + goto retry_journal; +@@ -1891,42 +1891,6 @@ out: + return (error < 0 ? error : 0); + } + +-/* +- * Called during xattr set, and if we can sparse space 'needed', +- * just create the extent tree evict the data to the outer block. +- * +- * We use jbd2 instead of page cache to move data to the 1st block +- * so that the whole transaction can be committed as a whole and +- * the data isn't lost because of the delayed page cache write. +- */ +-int ext4_try_to_evict_inline_data(handle_t *handle, +- struct inode *inode, +- int needed) +-{ +- int error; +- struct ext4_xattr_entry *entry; +- struct ext4_inode *raw_inode; +- struct ext4_iloc iloc; +- +- error = ext4_get_inode_loc(inode, &iloc); +- if (error) +- return error; +- +- raw_inode = ext4_raw_inode(&iloc); +- entry = (struct ext4_xattr_entry *)((void *)raw_inode + +- EXT4_I(inode)->i_inline_off); +- if (EXT4_XATTR_LEN(entry->e_name_len) + +- EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)) < needed) { +- error = -ENOSPC; +- goto out; +- } +- +- error = ext4_convert_inline_data_nolock(handle, inode, &iloc); +-out: +- brelse(iloc.bh); +- return error; +-} +- + int ext4_inline_data_truncate(struct inode *inode, int *has_inline) + { + handle_t *handle; +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2212,23 +2212,8 @@ int ext4_xattr_ibody_inline_set(handle_t + if (EXT4_I(inode)->i_extra_isize == 0) + return -ENOSPC; + error = ext4_xattr_set_entry(i, s, handle, inode, false /* is_block */); +- if (error) { +- if (error == -ENOSPC && +- ext4_has_inline_data(inode)) { +- error = ext4_try_to_evict_inline_data(handle, inode, +- EXT4_XATTR_LEN(strlen(i->name) + +- EXT4_XATTR_SIZE(i->value_len))); +- if (error) +- return error; +- error = ext4_xattr_ibody_find(inode, i, is); +- if (error) +- return error; +- error = ext4_xattr_set_entry(i, s, handle, inode, +- false /* is_block */); +- } +- if (error) +- return error; +- } ++ if (error) ++ return error; + header = IHDR(inode, ext4_raw_inode(&is->iloc)); + if (!IS_LAST_ENTRY(s->first)) { + header->h_magic = cpu_to_le32(EXT4_XATTR_MAGIC); diff --git a/debian/patches/bugfix/all/ext4-clear-i_data-in-ext4_inode_info-when-removing-i.patch b/debian/patches/bugfix/all/ext4-clear-i_data-in-ext4_inode_info-when-removing-i.patch new file mode 100644 index 000000000..f4344dd1f --- /dev/null +++ b/debian/patches/bugfix/all/ext4-clear-i_data-in-ext4_inode_info-when-removing-i.patch @@ -0,0 +1,42 @@ +From: Theodore Ts'o +Date: Fri, 15 Jun 2018 12:28:16 -0400 +Subject: ext4: clear i_data in ext4_inode_info when removing inline data +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=cd75e020ee28aa21985c6d8ebafc7457b4c51531 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10881 + +When converting from an inode from storing the data in-line to a data +block, ext4_destroy_inline_data_nolock() was only clearing the on-disk +copy of the i_blocks[] array. It was not clearing copy of the +i_blocks[] in ext4_inode_info, in i_data[], which is the copy actually +used by ext4_map_blocks(). + +This didn't matter much if we are using extents, since the extents +header would be invalid and thus the extents could would re-initialize +the extents tree. But if we are using indirect blocks, the previous +contents of the i_blocks array will be treated as block numbers, with +potentially catastrophic results to the file system integrity and/or +user data. + +This gets worse if the file system is using a 1k block size and +s_first_data is zero, but even without this, the file system can get +quite badly corrupted. + +This addresses CVE-2018-10881. + +https://bugzilla.kernel.org/show_bug.cgi?id=200015 + +Signed-off-by: Theodore Ts'o +--- + fs/ext4/inline.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -437,6 +437,7 @@ static int ext4_destroy_inline_data_nolo + + memset((void *)ext4_raw_inode(&is.iloc)->i_block, + 0, EXT4_MIN_INLINE_DATA_SIZE); ++ memset(ei->i_data, 0, EXT4_MIN_INLINE_DATA_SIZE); + + if (ext4_has_feature_extents(inode->i_sb)) { + if (S_ISDIR(inode->i_mode) || diff --git a/debian/patches/bugfix/all/ext4-make-sure-bitmaps-and-the-inode-table-don-t-ove.patch b/debian/patches/bugfix/all/ext4-make-sure-bitmaps-and-the-inode-table-don-t-ove.patch new file mode 100644 index 000000000..a1b2cfefd --- /dev/null +++ b/debian/patches/bugfix/all/ext4-make-sure-bitmaps-and-the-inode-table-don-t-ove.patch @@ -0,0 +1,74 @@ +From: Theodore Ts'o +Date: Wed, 13 Jun 2018 23:08:26 -0400 +Subject: ext4: make sure bitmaps and the inode table don't overlap with bg + descriptors +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=6b506a7d09854128b1da9571d879ee9dea3ffb02 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10878 + +It's really bad when the allocation bitmaps and the inode table +overlap with the block group descriptors, since it causes random +corruption of the bg descriptors. So we really want to head those off +at the pass. + +https://bugzilla.kernel.org/show_bug.cgi?id=199865 + +Signed-off-by: Theodore Ts'o +--- + fs/ext4/super.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2307,6 +2307,7 @@ static int ext4_check_descriptors(struct + struct ext4_sb_info *sbi = EXT4_SB(sb); + ext4_fsblk_t first_block = le32_to_cpu(sbi->s_es->s_first_data_block); + ext4_fsblk_t last_block; ++ ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0) + 1; + ext4_fsblk_t block_bitmap; + ext4_fsblk_t inode_bitmap; + ext4_fsblk_t inode_table; +@@ -2339,6 +2340,14 @@ static int ext4_check_descriptors(struct + if (!sb_rdonly(sb)) + return 0; + } ++ if (block_bitmap >= sb_block + 1 && ++ block_bitmap <= last_bg_block) { ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " ++ "Block bitmap for group %u overlaps " ++ "block group descriptors", i); ++ if (!sb_rdonly(sb)) ++ return 0; ++ } + if (block_bitmap < first_block || block_bitmap > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Block bitmap for group %u not in group " +@@ -2353,6 +2362,14 @@ static int ext4_check_descriptors(struct + if (!sb_rdonly(sb)) + return 0; + } ++ if (inode_bitmap >= sb_block + 1 && ++ inode_bitmap <= last_bg_block) { ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " ++ "Inode bitmap for group %u overlaps " ++ "block group descriptors", i); ++ if (!sb_rdonly(sb)) ++ return 0; ++ } + if (inode_bitmap < first_block || inode_bitmap > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Inode bitmap for group %u not in group " +@@ -2367,6 +2384,14 @@ static int ext4_check_descriptors(struct + if (!sb_rdonly(sb)) + return 0; + } ++ if (inode_table >= sb_block + 1 && ++ inode_table <= last_bg_block) { ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " ++ "Inode table for group %u overlaps " ++ "block group descriptors", i); ++ if (!sb_rdonly(sb)) ++ return 0; ++ } + if (inode_table < first_block || + inode_table + sbi->s_itb_per_group - 1 > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " diff --git a/debian/patches/bugfix/all/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch b/debian/patches/bugfix/all/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch new file mode 100644 index 000000000..ea530a7a2 --- /dev/null +++ b/debian/patches/bugfix/all/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch @@ -0,0 +1,34 @@ +From: Theodore Ts'o +Date: Sat, 16 Jun 2018 15:40:48 -0400 +Subject: ext4: never move the system.data xattr out of the inode body +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=896003d9fd652666080a06411d4238ee6eb4fb76 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10880 + +When expanding the extra isize space, we must never move the +system.data xattr out of the inode body. For performance reasons, it +doesn't make any sense, and the inline data implementation assumes +that system.data xattr is never in the external xattr block. + +This addresses CVE-2018-10880 + +https://bugzilla.kernel.org/show_bug.cgi?id=200005 + +Signed-off-by: Theodore Ts'o +--- + fs/ext4/xattr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2657,6 +2657,11 @@ static int ext4_xattr_make_inode_space(h + last = IFIRST(header); + /* Find the entry best suited to be pushed into EA block */ + for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { ++ /* never move system.data out of the inode */ ++ if ((last->e_name_len == 4) && ++ (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) && ++ !memcmp(last->e_name, "data", 4)) ++ continue; + total_size = EXT4_XATTR_LEN(last->e_name_len); + if (!last->e_value_inum) + total_size += EXT4_XATTR_SIZE( diff --git a/debian/patches/bugfix/all/ext4-only-look-at-the-bg_flags-field-if-it-is-valid.patch b/debian/patches/bugfix/all/ext4-only-look-at-the-bg_flags-field-if-it-is-valid.patch new file mode 100644 index 000000000..1eba51ee7 --- /dev/null +++ b/debian/patches/bugfix/all/ext4-only-look-at-the-bg_flags-field-if-it-is-valid.patch @@ -0,0 +1,125 @@ +From: Theodore Ts'o +Date: Thu, 14 Jun 2018 00:58:00 -0400 +Subject: ext4: only look at the bg_flags field if it is valid +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=32a82d31527ae9cb568f5d7fa5ad27b2860324ed +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10876 + +The bg_flags field in the block group descripts is only valid if the +uninit_bg or metadata_csum feature is enabled. We were not +consistently looking at this field; fix this. + +Also block group #0 must never have uninitialized allocation bitmaps, +or need to be zeroed, since that's where the root inode, and other +special inodes are set up. Check for these conditions and mark the +file system as corrupted if they are detected. + +This addresses CVE-2018-10876. + +https://bugzilla.kernel.org/show_bug.cgi?id=199403 + +Signed-off-by: Theodore Ts'o +--- + fs/ext4/balloc.c | 11 ++++++++++- + fs/ext4/ialloc.c | 14 ++++++++++++-- + fs/ext4/mballoc.c | 6 ++++-- + fs/ext4/super.c | 11 ++++++++++- + 4 files changed, 36 insertions(+), 6 deletions(-) + +--- a/fs/ext4/balloc.c ++++ b/fs/ext4/balloc.c +@@ -451,7 +451,16 @@ ext4_read_block_bitmap_nowait(struct sup + goto verify; + } + ext4_lock_group(sb, block_group); +- if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { ++ if (block_group == 0) { ++ ext4_unlock_group(sb, block_group); ++ unlock_buffer(bh); ++ ext4_error(sb, "Block bitmap for bg 0 marked " ++ "uninitialized"); ++ err = -EFSCORRUPTED; ++ goto out; ++ } + err = ext4_init_block_bitmap(sb, bh, block_group, desc); + set_bitmap_uptodate(bh); + set_buffer_uptodate(bh); +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -155,7 +155,16 @@ ext4_read_inode_bitmap(struct super_bloc + } + + ext4_lock_group(sb, block_group); +- if (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT))) { ++ if (block_group == 0) { ++ ext4_unlock_group(sb, block_group); ++ unlock_buffer(bh); ++ ext4_error(sb, "Inode bitmap for bg 0 marked " ++ "uninitialized"); ++ err = -EFSCORRUPTED; ++ goto out; ++ } + memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8); + ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), + sb->s_blocksize * 8, bh->b_data); +@@ -1000,7 +1009,8 @@ got: + + /* recheck and clear flag under lock if we still need to */ + ext4_lock_group(sb, group); +- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { + gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT); + ext4_free_group_clusters_set(sb, gdp, + ext4_free_clusters_after_init(sb, group, gdp)); +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -2444,7 +2444,8 @@ int ext4_mb_add_groupinfo(struct super_b + * initialize bb_free to be able to skip + * empty groups without initialization + */ +- if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { + meta_group_info[i]->bb_free = + ext4_free_clusters_after_init(sb, group, desc); + } else { +@@ -3011,7 +3012,8 @@ ext4_mb_mark_diskspace_used(struct ext4_ + #endif + ext4_set_bits(bitmap_bh->b_data, ac->ac_b_ex.fe_start, + ac->ac_b_ex.fe_len); +- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { + gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT); + ext4_free_group_clusters_set(sb, gdp, + ext4_free_clusters_after_init(sb, +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3098,13 +3098,22 @@ static ext4_group_t ext4_has_uninit_itab + ext4_group_t group, ngroups = EXT4_SB(sb)->s_groups_count; + struct ext4_group_desc *gdp = NULL; + ++ if (!ext4_has_group_desc_csum(sb)) ++ return ngroups; ++ + for (group = 0; group < ngroups; group++) { + gdp = ext4_get_group_desc(sb, group, NULL); + if (!gdp) + continue; + +- if (!(gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED))) ++ if (gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED)) ++ continue; ++ if (group != 0) + break; ++ ext4_error(sb, "Inode table for bg 0 marked as " ++ "needing zeroing"); ++ if (sb_rdonly(sb)) ++ return ngroups; + } + + return group; diff --git a/debian/patches/bugfix/all/ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch b/debian/patches/bugfix/all/ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch new file mode 100644 index 000000000..06220d2f2 --- /dev/null +++ b/debian/patches/bugfix/all/ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch @@ -0,0 +1,45 @@ +From: Theodore Ts'o +Date: Thu, 14 Jun 2018 12:55:10 -0400 +Subject: ext4: verify the depth of extent tree in ext4_find_extent() +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=0a8173832987f52ab6926dbdf1cd3991ca615000 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10877 + +If there is a corupted file system where the claimed depth of the +extent tree is -1, this can cause a massive buffer overrun leading to +sadness. + +This addresses CVE-2018-10877. + +https://bugzilla.kernel.org/show_bug.cgi?id=199417 + +Signed-off-by: Theodore Ts'o +--- + fs/ext4/ext4_extents.h | 1 + + fs/ext4/extents.c | 6 ++++++ + 2 files changed, 7 insertions(+) + +--- a/fs/ext4/ext4_extents.h ++++ b/fs/ext4/ext4_extents.h +@@ -91,6 +91,7 @@ struct ext4_extent_header { + }; + + #define EXT4_EXT_MAGIC cpu_to_le16(0xf30a) ++#define EXT4_MAX_EXTENT_DEPTH 5 + + #define EXT4_EXTENT_TAIL_OFFSET(hdr) \ + (sizeof(struct ext4_extent_header) + \ +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -869,6 +869,12 @@ ext4_find_extent(struct inode *inode, ex + + eh = ext_inode_hdr(inode); + depth = ext_depth(inode); ++ if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) { ++ EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d", ++ depth); ++ ret = -EFSCORRUPTED; ++ goto err; ++ } + + if (path) { + ext4_ext_drop_refs(path); diff --git a/debian/patches/bugfix/all/jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch b/debian/patches/bugfix/all/jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch new file mode 100644 index 000000000..2db452039 --- /dev/null +++ b/debian/patches/bugfix/all/jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch @@ -0,0 +1,52 @@ +From: Theodore Ts'o +Date: Sat, 16 Jun 2018 20:21:45 -0400 +Subject: jbd2: don't mark block as modified if the handle is out of credits +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=aa18d2cefac6c34885659d12c3fdcffcd6c54e9a +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10883 + +Do not set the b_modified flag in block's journal head should not +until after we're sure that jbd2_journal_dirty_metadat() will not +abort with an error due to there not being enough space reserved in +the jbd2 handle. + +Otherwise, future attempts to modify the buffer may lead a large +number of spurious errors and warnings. + +This addresses CVE-2018-10883. + +https://bugzilla.kernel.org/show_bug.cgi?id=200071 + +Signed-off-by: Theodore Ts'o +--- + fs/jbd2/transaction.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1363,6 +1363,13 @@ int jbd2_journal_dirty_metadata(handle_t + if (jh->b_transaction == transaction && + jh->b_jlist != BJ_Metadata) { + jbd_lock_bh_state(bh); ++ if (jh->b_transaction == transaction && ++ jh->b_jlist != BJ_Metadata) ++ pr_err("JBD2: assertion failure: h_type=%u " ++ "h_line_no=%u block_no=%llu jlist=%u\n", ++ handle->h_type, handle->h_line_no, ++ (unsigned long long) bh->b_blocknr, ++ jh->b_jlist); + J_ASSERT_JH(jh, jh->b_transaction != transaction || + jh->b_jlist == BJ_Metadata); + jbd_unlock_bh_state(bh); +@@ -1382,11 +1389,11 @@ int jbd2_journal_dirty_metadata(handle_t + * of the transaction. This needs to be done + * once a transaction -bzzz + */ +- jh->b_modified = 1; + if (handle->h_buffer_credits <= 0) { + ret = -ENOSPC; + goto out_unlock_bh; + } ++ jh->b_modified = 1; + handle->h_buffer_credits--; + } + diff --git a/debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch b/debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch index 033a5a926..15a201f14 100644 --- a/debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch +++ b/debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch @@ -72,3 +72,14 @@ need them. device_initcall(ashmem_init); + +MODULE_LICENSE("GPL v2"); +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -42,7 +42,7 @@ enum { + }; + static uint32_t binder_alloc_debug_mask; + +-module_param_named(debug_mask, binder_alloc_debug_mask, ++module_param_named(alloc_debug_mask, binder_alloc_debug_mask, + uint, 0644); + + #define binder_alloc_debug(mask, x...) \ diff --git a/debian/patches/debian/export-symbols-needed-by-android-drivers.patch b/debian/patches/debian/export-symbols-needed-by-android-drivers.patch new file mode 100644 index 000000000..696df27e8 --- /dev/null +++ b/debian/patches/debian/export-symbols-needed-by-android-drivers.patch @@ -0,0 +1,146 @@ +From: Ben Hutchings +Date: Tue, 26 Jun 2018 16:59:01 +0100 +Subject: Export symbols needed by Android drivers +Bug-Debian: https://bugs.debian.org/901492 + +We want to enable use of the Android ashmem and binder drivers to +support Anbox, but they should not be built-in as that would waste +resources and increase security attack surface on systems that don't +need them. + +Export the currently un-exported symbols they depend on. + +--- +--- a/fs/file.c ++++ b/fs/file.c +@@ -409,6 +409,7 @@ struct files_struct *get_files_struct(st + + return files; + } ++EXPORT_SYMBOL_GPL(get_files_struct); + + void put_files_struct(struct files_struct *files) + { +@@ -421,6 +422,7 @@ void put_files_struct(struct files_struc + kmem_cache_free(files_cachep, files); + } + } ++EXPORT_SYMBOL_GPL(put_files_struct); + + void reset_files_struct(struct files_struct *files) + { +@@ -533,6 +535,7 @@ out: + spin_unlock(&files->file_lock); + return error; + } ++EXPORT_SYMBOL_GPL(__alloc_fd); + + static int alloc_fd(unsigned start, unsigned flags) + { +@@ -606,6 +609,7 @@ void __fd_install(struct files_struct *f + rcu_assign_pointer(fdt->fd[fd], file); + rcu_read_unlock_sched(); + } ++EXPORT_SYMBOL_GPL(__fd_install); + + void fd_install(unsigned int fd, struct file *file) + { +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -999,6 +999,7 @@ void mmput_async(struct mm_struct *mm) + schedule_work(&mm->async_put_work); + } + } ++EXPORT_SYMBOL_GPL(mmput_async); + #endif + + /** +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1280,6 +1280,7 @@ struct sighand_struct *__lock_task_sigha + + return sighand; + } ++EXPORT_SYMBOL_GPL(__lock_task_sighand); + + /* + * send signal info to all the members of a group +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1624,6 +1624,7 @@ void zap_page_range(struct vm_area_struc + mmu_notifier_invalidate_range_end(mm, start, end); + tlb_finish_mmu(&tlb, start, end); + } ++EXPORT_SYMBOL_GPL(zap_page_range); + + /** + * zap_page_range_single - remove user pages in a given range +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -4326,6 +4326,7 @@ int shmem_zero_setup(struct vm_area_stru + + return 0; + } ++EXPORT_SYMBOL_GPL(shmem_zero_setup); + + /** + * shmem_read_mapping_page_gfp - read into page cache, using specified page allocation flags. +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -1308,6 +1308,7 @@ int map_kernel_range_noflush(unsigned lo + { + return vmap_page_range_noflush(addr, addr + size, prot, pages); + } ++EXPORT_SYMBOL_GPL(map_kernel_range_noflush); + + /** + * unmap_kernel_range_noflush - unmap kernel VM area +@@ -1448,6 +1449,7 @@ struct vm_struct *get_vm_area(unsigned l + NUMA_NO_NODE, GFP_KERNEL, + __builtin_return_address(0)); + } ++EXPORT_SYMBOL_GPL(get_vm_area); + + struct vm_struct *get_vm_area_caller(unsigned long size, unsigned long flags, + const void *caller) +--- a/security/security.c ++++ b/security/security.c +@@ -231,24 +231,28 @@ int security_binder_set_context_mgr(stru + { + return call_int_hook(binder_set_context_mgr, 0, mgr); + } ++EXPORT_SYMBOL_GPL(security_binder_set_context_mgr); + + int security_binder_transaction(struct task_struct *from, + struct task_struct *to) + { + return call_int_hook(binder_transaction, 0, from, to); + } ++EXPORT_SYMBOL_GPL(security_binder_transaction); + + int security_binder_transfer_binder(struct task_struct *from, + struct task_struct *to) + { + return call_int_hook(binder_transfer_binder, 0, from, to); + } ++EXPORT_SYMBOL_GPL(security_binder_transfer_binder); + + int security_binder_transfer_file(struct task_struct *from, + struct task_struct *to, struct file *file) + { + return call_int_hook(binder_transfer_file, 0, from, to, file); + } ++EXPORT_SYMBOL_GPL(security_binder_transfer_file); + + int security_ptrace_access_check(struct task_struct *child, unsigned int mode) + { +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -3976,6 +3976,7 @@ int can_nice(const struct task_struct *p + return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) || + capable(CAP_SYS_NICE)); + } ++EXPORT_SYMBOL_GPL(can_nice); + + #ifdef __ARCH_WANT_SYS_NICE + diff --git a/debian/patches/series b/debian/patches/series index 317fd97bc..d7593c881 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -11,6 +11,7 @@ debian/powerpcspe-omit-uimage.patch debian/tools-perf-version.patch debian/tools-perf-install.patch debian/wireless-add-debian-wireless-regdb-certificates.patch +debian/export-symbols-needed-by-android-drivers.patch debian/android-enable-building-ashmem-and-binder-as-modules.patch # Fixes/improvements to firmware loading @@ -125,6 +126,17 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch +bugfix/all/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch +bugfix/all/ext4-always-verify-the-magic-number-in-xattr-blocks.patch +bugfix/all/ext4-always-check-block-group-bounds-in-ext4_init_bl.patch +bugfix/all/ext4-make-sure-bitmaps-and-the-inode-table-don-t-ove.patch +bugfix/all/ext4-only-look-at-the-bg_flags-field-if-it-is-valid.patch +bugfix/all/ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch +bugfix/all/ext4-clear-i_data-in-ext4_inode_info-when-removing-i.patch +bugfix/all/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch +bugfix/all/jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch +bugfix/all/ext4-avoid-running-out-of-journal-credits-when-appen.patch +bugfix/all/ext4-add-more-inode-number-paranoia-checks.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch diff --git a/debian/rules b/debian/rules index 14cccc2cd..9059d78d2 100755 --- a/debian/rules +++ b/debian/rules @@ -22,7 +22,7 @@ ifneq (,$(filter nodoc,$(DEB_BUILD_PROFILES))) MAKEFLAGS += DO_DOCS=False endif ifneq (,$(filter pkg.linux.notools,$(DEB_BUILD_PROFILES))) - MAKEFLAGS += DO_TOOLS=False + MAKEFLAGS += DO_TOOLS_VERSIONED=False DO_TOOLS_UNVERSIONED=False endif .NOTPARALLEL: diff --git a/debian/rules.d/scripts/mod/Makefile b/debian/rules.d/scripts/mod/Makefile index e57e262aa..35bf77cd2 100644 --- a/debian/rules.d/scripts/mod/Makefile +++ b/debian/rules.d/scripts/mod/Makefile @@ -16,7 +16,7 @@ modpost.real-%: $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ modpost-opts.h: $(top_srcdir)/scripts/mod/modpost.c - python $(wrapperdir)/gendef.py $< > $@ + $(wrapperdir)/gendef.py $< > $@ modpost.o: modpost.c modpost-opts.h $(CC) $(CFLAGS) -I $(CURDIR) -c -o $@ $< diff --git a/debian/rules.d/scripts/mod/gendef.py b/debian/rules.d/scripts/mod/gendef.py index 6e1bdf41b..f923d083b 100755 --- a/debian/rules.d/scripts/mod/gendef.py +++ b/debian/rules.d/scripts/mod/gendef.py @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python3 import re import sys @@ -10,11 +10,11 @@ for line in open(sys.argv[1]): else: raise RuntimeError -print '#define GETOPT_OPTIONS "%s"' % options +print('#define GETOPT_OPTIONS "%s"' % options) -print '#define GETOPT_CASE', +print('#define GETOPT_CASE', end=' ') for c in options: if c == ':' or c == 'T': continue - print "case '%c':" % c, -print + print("case '%c':" % c, end=' ') +print() diff --git a/debian/rules.real b/debian/rules.real index 3e3aff3c1..d3e47b7a6 100644 --- a/debian/rules.real +++ b/debian/rules.real @@ -7,7 +7,6 @@ # SHELL := bash -e MAINTAINER := $(shell sed -ne 's,^Maintainer: .[^<]*<\([^>]*\)>,\1,p' debian/control) -SOURCE_PACKAGE_NAME := $(shell dpkg-parsechangelog -SSource) DISTRIBUTION := $(shell dpkg-parsechangelog -SDistribution) SOURCE_DATE := $(shell dpkg-parsechangelog -SDate) SOURCE_DATE_UTC_ISO := $(shell date -u -d '$(SOURCE_DATE)' +%Y-%m-%d) @@ -112,19 +111,19 @@ mkdir -p '$(1)' cp -al $(filter-out debian .pc .svk .svn .git, $(wildcard * .[^.]*)) '$(1)' endef -$(BUILD_DIR)/$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION).tar.xz: DIR = $(BUILD_DIR)/$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION) -$(BUILD_DIR)/$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION).tar.xz: $(STAMPS_DIR)/source +$(BUILD_DIR)/$(SOURCE_BASENAME)-source-$(UPSTREAMVERSION).tar.xz: DIR = $(BUILD_DIR)/$(SOURCE_BASENAME)-source-$(UPSTREAMVERSION) +$(BUILD_DIR)/$(SOURCE_BASENAME)-source-$(UPSTREAMVERSION).tar.xz: $(STAMPS_DIR)/source rm -rf '$@' '$(DIR)' $(call copy_source,$(DIR)) chmod -R u+rw,go=rX '$(DIR)' find '$(DIR)' -depth -newermt '$(SOURCE_DATE)' -print0 | \ xargs -0r touch --no-dereference --date='$(SOURCE_DATE)' cd '$(BUILD_DIR)'; \ - find '$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION)' \ + find '$(SOURCE_BASENAME)-source-$(UPSTREAMVERSION)' \ -name '*.pyc' -prune -o \ -print0 | \ sort -z | \ - tar --no-recursion --null -T - -caf '$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION).tar.xz' + tar --no-recursion --null -T - -caf '$(SOURCE_BASENAME)-source-$(UPSTREAMVERSION).tar.xz' rm -rf '$(DIR)' $(BUILD_DIR)/linux-patch-$(UPSTREAMVERSION)-%.patch.xz: $(STAMPS_DIR)/source_none $(STAMPS_DIR)/source_% @@ -238,7 +237,7 @@ install-dummy: dh_prep +$(MAKE_SELF) install-base -install-doc: PACKAGE_NAME = $(SOURCE_PACKAGE_NAME)-doc-$(VERSION) +install-doc: PACKAGE_NAME = $(SOURCE_BASENAME)-doc-$(VERSION) install-doc: DIR = $(BUILD_DIR)/build-doc install-doc: PACKAGE_DIR = debian/$(PACKAGE_NAME) install-doc: OUT_DIR = $(PACKAGE_DIR)/usr/share/doc/$(PACKAGE_NAME) @@ -273,21 +272,6 @@ ifeq (,$(filter nodoc,$(DEB_BUILD_PROFILES))) endif +$(MAKE_SELF) install-base -install-manual: PACKAGE_NAME = $(SOURCE_PACKAGE_NAME)-manual-$(VERSION) -install-manual: DIR=$(BUILD_DIR)/build-doc -install-manual: DH_OPTIONS = -p$(PACKAGE_NAME) -install-manual: $(STAMPS_DIR)/build-doc - dh_prep -# Some manual pages are generated multiple times with different -# metadata, and need to be de-duplicated. This matches what the -# upstream installmandocs target does, except that we use -# dh_installman. - set -o pipefail; \ - find $(DIR)/Documentation/DocBook/man/ -name '*.9.gz' -printf '%h %f\n' | \ - sort -k 2 -k 1 | uniq -f 1 | sed -e 's: :/:' | \ - xargs dh_installman - +$(MAKE_SELF) install-base - install-headers_$(ARCH): PACKAGE_NAMES = linux-headers-$(ABINAME)-all linux-headers-$(ABINAME)-all-$(ARCH) install-headers_$(ARCH): DH_OPTIONS = $(foreach p, $(PACKAGE_NAMES), -p$(p)) install-headers_$(ARCH): @@ -400,7 +384,7 @@ install-libc-dev_$(ARCH): +$(MAKE_SELF) install-base -install-support: PACKAGE_NAME = $(SOURCE_PACKAGE_NAME)-support-$(ABINAME) +install-support: PACKAGE_NAME = $(SOURCE_BASENAME)-support-$(ABINAME) install-support: DH_OPTIONS = -p$(PACKAGE_NAME) install-support: PACKAGE_DIR = debian/$(PACKAGE_NAME) install-support: PACKAGE_ROOT = /usr/share/$(PACKAGE_NAME) @@ -565,9 +549,9 @@ ifeq ($(UDEB_UNSIGNED_TEST_BUILD),False) dh_builddeb endif -install-source: PACKAGE_NAME = $(SOURCE_PACKAGE_NAME)-source-$(VERSION) +install-source: PACKAGE_NAME = $(SOURCE_BASENAME)-source-$(VERSION) install-source: DH_OPTIONS = -p$(PACKAGE_NAME) -install-source: $(BUILD_DIR)/$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION).tar.xz $(foreach FEATURESET,$(filter-out none,$(ALL_FEATURESETS)),$(BUILD_DIR)/linux-patch-$(UPSTREAMVERSION)-$(FEATURESET).patch.xz) +install-source: $(BUILD_DIR)/$(SOURCE_BASENAME)-source-$(UPSTREAMVERSION).tar.xz $(foreach FEATURESET,$(filter-out none,$(ALL_FEATURESETS)),$(BUILD_DIR)/linux-patch-$(UPSTREAMVERSION)-$(FEATURESET).patch.xz) dh_testdir dh_testroot dh_installdirs /usr/src/linux-config-$(UPSTREAMVERSION) diff --git a/debian/templates/control.source.in b/debian/templates/control.source.in index f648bd92c..d3069aae9 100644 --- a/debian/templates/control.source.in +++ b/debian/templates/control.source.in @@ -15,6 +15,8 @@ Build-Depends: xz-utils , # used by debian/rules.real to build linux-perf and linux-support dh-python , +# used by upstream to build genksyms, kconfig, and perf + bison , flex (>= 2.6.1-1.1~) , Build-Depends-Arch: # used by debian/rules.real to build udebs kernel-wedge (>= 2.93~) , @@ -28,10 +30,6 @@ Build-Depends-Arch: # used by upstream to build perf documentation asciidoc-base , xmlto , -# used by upstream to build genksyms, kconfig, and perf - bison , -# - flex needs to run on the host; we have the same problem as for openssl - flex (>= 2.6.1-1.1~) , # used by upstream to build perf gcc-multilib [amd64 ppc64 s390x sparc64] , libaudit-dev ,