Update to 4.18~rc4
This updates the Debian changelog and removes the patches that have been merged upstream.

Signed-off-by: Romain Perier <romain.perier@gmail.com>
parent
af34178104
commit
99de07e63b
|
@ -1,4 +1,6 @@
|
|||
linux (4.18~rc3-1~exp2) UNRELEASED; urgency=medium
|
||||
linux (4.18~rc4-1~exp1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream release candidate
|
||||
|
||||
* Remove remaining Python 2 (build-)dependencies:
|
||||
- Build docs using Python 3 version of Sphinx
|
||||
|
|
|
@ -1,84 +0,0 @@
|
|||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Date: Wed, 4 Jul 2018 18:17:51 -0700
|
||||
Subject: autofs: rename 'autofs' module back to 'autofs4'
|
||||
Origin: https://git.kernel.org/linus/d02d21ea007b6b33cdaf15c2f84fb1fea996ecc2
|
||||
Bug-Debian: https://bugs.debian.org/902946
|
||||
|
||||
It turns out that systemd has a bug: it wants to load the autofs module
|
||||
early because of some initialization ordering with udev, and it doesn't
|
||||
do that correctly. Everywhere else it does the proper "look up module
|
||||
name" that does the proper alias resolution, but in that early code, it
|
||||
just uses a hardcoded "autofs4" for the module name.
|
||||
|
||||
The result of that is that as of commit a2225d931f75 ("autofs: remove
|
||||
left-over autofs4 stubs"), you get
|
||||
|
||||
systemd[1]: Failed to insert module 'autofs4': No such file or directory
|
||||
|
||||
in the system logs, and a lack of module loading. All this despite the
|
||||
fact that we had very clearly marked 'autofs4' as an alias for this
|
||||
module.
|
||||
|
||||
What's so ridiculous about this is that literally everything else does
|
||||
the module alias handling correctly, including really old versions of
|
||||
systemd (that just used 'modprobe' to do this), and even all the other
|
||||
systemd module loading code.
|
||||
|
||||
Only that special systemd early module load code is broken, hardcoding
|
||||
the module names for not just 'autofs4', but also "ipv6", "unix",
|
||||
"ip_tables" and "virtio_rng". Very annoying.
|
||||
|
||||
Instead of creating an _additional_ separate compatibility 'autofs4'
|
||||
module, just rely on the fact that everybody else gets this right, and
|
||||
just call the module 'autofs4' for compatibility reasons, with 'autofs'
|
||||
as the alias name.
|
||||
|
||||
That will allow the systemd people to fix their bugs, adding the proper
|
||||
alias handling, and maybe even fix the name of the module to be just
|
||||
"autofs" (so that they can _test_ the alias handling). And eventually,
|
||||
we can revert this silly compatibility hack.
|
||||
|
||||
See also
|
||||
|
||||
https://github.com/systemd/systemd/issues/9501
|
||||
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902946
|
||||
|
||||
for the systemd bug reports upstream and in the Debian bug tracker
|
||||
respectively.
|
||||
|
||||
Fixes: a2225d931f75 ("autofs: remove left-over autofs4 stubs")
|
||||
Reported-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
Reported-by: Michael Biebl <biebl@debian.org>
|
||||
Cc: Ian Kent <raven@themaw.net>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
fs/autofs/Makefile | 4 ++--
|
||||
fs/autofs/init.c | 2 +-
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/fs/autofs/Makefile b/fs/autofs/Makefile
|
||||
index 43fedde15c26..1f85d35ec8b7 100644
|
||||
--- a/fs/autofs/Makefile
|
||||
+++ b/fs/autofs/Makefile
|
||||
@@ -2,6 +2,6 @@
|
||||
# Makefile for the linux autofs-filesystem routines.
|
||||
#
|
||||
|
||||
-obj-$(CONFIG_AUTOFS_FS) += autofs.o
|
||||
+obj-$(CONFIG_AUTOFS_FS) += autofs4.o
|
||||
|
||||
-autofs-objs := init.o inode.o root.o symlink.o waitq.o expire.o dev-ioctl.o
|
||||
+autofs4-objs := init.o inode.o root.o symlink.o waitq.o expire.o dev-ioctl.o
|
||||
diff --git a/fs/autofs/init.c b/fs/autofs/init.c
|
||||
index cc9447e1903f..79ae07d9592f 100644
|
||||
--- a/fs/autofs/init.c
|
||||
+++ b/fs/autofs/init.c
|
||||
@@ -23,7 +23,7 @@ static struct file_system_type autofs_fs_type = {
|
||||
.kill_sb = autofs_kill_sb,
|
||||
};
|
||||
MODULE_ALIAS_FS("autofs");
|
||||
-MODULE_ALIAS("autofs4");
|
||||
+MODULE_ALIAS("autofs");
|
||||
|
||||
static int __init init_autofs_fs(void)
|
||||
{
|
|
@ -1,48 +0,0 @@
|
|||
From: Theodore Ts'o <tytso@mit.edu>
|
||||
Date: Wed, 13 Jun 2018 00:23:11 -0400
|
||||
Subject: ext4: add corruption check in ext4_xattr_set_entry()
|
||||
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=4fda60bbdbb61de76e3d3c48ed77c9e9b96b00d1
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10879
|
||||
|
||||
In theory this should have been caught earlier when the xattr list was
|
||||
verified, but in case it got missed, it's simple enough to add check
|
||||
to make sure we don't overrun the xattr buffer.
|
||||
|
||||
This addresses CVE-2018-10879.
|
||||
|
||||
https://bugzilla.kernel.org/show_bug.cgi?id=200001
|
||||
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
|
||||
---
|
||||
fs/ext4/xattr.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
|
||||
index fc4ced59c565..230ba79715f6 100644
|
||||
--- a/fs/ext4/xattr.c
|
||||
+++ b/fs/ext4/xattr.c
|
||||
@@ -1560,7 +1560,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i,
|
||||
handle_t *handle, struct inode *inode,
|
||||
bool is_block)
|
||||
{
|
||||
- struct ext4_xattr_entry *last;
|
||||
+ struct ext4_xattr_entry *last, *next;
|
||||
struct ext4_xattr_entry *here = s->here;
|
||||
size_t min_offs = s->end - s->base, name_len = strlen(i->name);
|
||||
int in_inode = i->in_inode;
|
||||
@@ -1595,7 +1595,13 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i,
|
||||
|
||||
/* Compute min_offs and last. */
|
||||
last = s->first;
|
||||
- for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
|
||||
+ for (; !IS_LAST_ENTRY(last); last = next) {
|
||||
+ next = EXT4_XATTR_NEXT(last);
|
||||
+ if ((void *)next >= s->end) {
|
||||
+ EXT4_ERROR_INODE(inode, "corrupted xattr entries");
|
||||
+ ret = -EFSCORRUPTED;
|
||||
+ goto out;
|
||||
+ }
|
||||
if (!last->e_value_inum && last->e_value_size) {
|
||||
size_t offs = le16_to_cpu(last->e_value_offs);
|
||||
if (offs < min_offs)
|
|
@ -1,63 +0,0 @@
|
|||
From: Theodore Ts'o <tytso@mit.edu>
|
||||
Date: Sun, 17 Jun 2018 00:41:14 -0400
|
||||
Subject: ext4: add more inode number paranoia checks
|
||||
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=a0b4bd6c4418a8d2ba51f27968f5af005e5dbbdd
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10882
|
||||
|
||||
If there is a directory entry pointing to a system inode (such as a
|
||||
journal inode), complain and declare the file system to be corrupted.
|
||||
|
||||
Also, if the superblock's first inode number field is too small,
|
||||
refuse to mount the file system.
|
||||
|
||||
This addresses CVE-2018-10882.
|
||||
|
||||
https://bugzilla.kernel.org/show_bug.cgi?id=200069
|
||||
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
---
|
||||
fs/ext4/ext4.h | 5 -----
|
||||
fs/ext4/inode.c | 3 ++-
|
||||
fs/ext4/super.c | 5 +++++
|
||||
3 files changed, 7 insertions(+), 6 deletions(-)
|
||||
|
||||
--- a/fs/ext4/ext4.h
|
||||
+++ b/fs/ext4/ext4.h
|
||||
@@ -1501,11 +1501,6 @@ static inline struct ext4_inode_info *EX
|
||||
static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino)
|
||||
{
|
||||
return ino == EXT4_ROOT_INO ||
|
||||
- ino == EXT4_USR_QUOTA_INO ||
|
||||
- ino == EXT4_GRP_QUOTA_INO ||
|
||||
- ino == EXT4_BOOT_LOADER_INO ||
|
||||
- ino == EXT4_JOURNAL_INO ||
|
||||
- ino == EXT4_RESIZE_INO ||
|
||||
(ino >= EXT4_FIRST_INO(sb) &&
|
||||
ino <= le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count));
|
||||
}
|
||||
--- a/fs/ext4/inode.c
|
||||
+++ b/fs/ext4/inode.c
|
||||
@@ -4506,7 +4506,8 @@ static int __ext4_get_inode_loc(struct i
|
||||
int inodes_per_block, inode_offset;
|
||||
|
||||
iloc->bh = NULL;
|
||||
- if (!ext4_valid_inum(sb, inode->i_ino))
|
||||
+ if (inode->i_ino < EXT4_ROOT_INO ||
|
||||
+ inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count))
|
||||
return -EFSCORRUPTED;
|
||||
|
||||
iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb);
|
||||
--- a/fs/ext4/super.c
|
||||
+++ b/fs/ext4/super.c
|
||||
@@ -3817,6 +3817,11 @@ static int ext4_fill_super(struct super_
|
||||
} else {
|
||||
sbi->s_inode_size = le16_to_cpu(es->s_inode_size);
|
||||
sbi->s_first_ino = le32_to_cpu(es->s_first_ino);
|
||||
+ if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) {
|
||||
+ ext4_msg(sb, KERN_ERR, "invalid first ino: %u",
|
||||
+ sbi->s_first_ino);
|
||||
+ goto failed_mount;
|
||||
+ }
|
||||
if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) ||
|
||||
(!is_power_of_2(sbi->s_inode_size)) ||
|
||||
(sbi->s_inode_size > blocksize)) {
|
|
@ -1,53 +0,0 @@
|
|||
From: Theodore Ts'o <tytso@mit.edu>
|
||||
Date: Wed, 13 Jun 2018 23:00:48 -0400
|
||||
Subject: ext4: always check block group bounds in ext4_init_block_bitmap()
|
||||
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=dcf37fefac3f699aa1341f86bcd7808ccc651c33
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10878
|
||||
|
||||
Regardless of whether the flex_bg feature is set, we should always
|
||||
check to make sure the bits we are setting in the block bitmap are
|
||||
within the block group bounds.
|
||||
|
||||
https://bugzilla.kernel.org/show_bug.cgi?id=199865
|
||||
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
---
|
||||
fs/ext4/balloc.c | 10 +++-------
|
||||
1 file changed, 3 insertions(+), 7 deletions(-)
|
||||
|
||||
--- a/fs/ext4/balloc.c
|
||||
+++ b/fs/ext4/balloc.c
|
||||
@@ -184,7 +184,6 @@ static int ext4_init_block_bitmap(struct
|
||||
unsigned int bit, bit_max;
|
||||
struct ext4_sb_info *sbi = EXT4_SB(sb);
|
||||
ext4_fsblk_t start, tmp;
|
||||
- int flex_bg = 0;
|
||||
|
||||
J_ASSERT_BH(bh, buffer_locked(bh));
|
||||
|
||||
@@ -207,22 +206,19 @@ static int ext4_init_block_bitmap(struct
|
||||
|
||||
start = ext4_group_first_block_no(sb, block_group);
|
||||
|
||||
- if (ext4_has_feature_flex_bg(sb))
|
||||
- flex_bg = 1;
|
||||
-
|
||||
/* Set bits for block and inode bitmaps, and inode table */
|
||||
tmp = ext4_block_bitmap(sb, gdp);
|
||||
- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group))
|
||||
+ if (ext4_block_in_group(sb, tmp, block_group))
|
||||
ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
|
||||
|
||||
tmp = ext4_inode_bitmap(sb, gdp);
|
||||
- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group))
|
||||
+ if (ext4_block_in_group(sb, tmp, block_group))
|
||||
ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
|
||||
|
||||
tmp = ext4_inode_table(sb, gdp);
|
||||
for (; tmp < ext4_inode_table(sb, gdp) +
|
||||
sbi->s_itb_per_group; tmp++) {
|
||||
- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group))
|
||||
+ if (ext4_block_in_group(sb, tmp, block_group))
|
||||
ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
|
||||
}
|
||||
|
|
@ -1,45 +0,0 @@
|
|||
From: Theodore Ts'o <tytso@mit.edu>
|
||||
Date: Wed, 13 Jun 2018 00:51:28 -0400
|
||||
Subject: ext4: always verify the magic number in xattr blocks
|
||||
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=3345c50533c6a17ebc0284362ca7b69aaef37ac4
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10879
|
||||
|
||||
If there an inode points to a block which is also some other type of
|
||||
metadata block (such as a block allocation bitmap), the
|
||||
buffer_verified flag can be set when it was validated as that other
|
||||
metadata block type; however, it would make a really terrible external
|
||||
attribute block. The reason why we use the verified flag is to avoid
|
||||
constantly reverifying the block. However, it doesn't take much
|
||||
overhead to make sure the magic number of the xattr block is correct,
|
||||
and this will avoid potential crashes.
|
||||
|
||||
This addresses CVE-2018-10879.
|
||||
|
||||
https://bugzilla.kernel.org/show_bug.cgi?id=200001
|
||||
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
|
||||
---
|
||||
fs/ext4/xattr.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
|
||||
index 230ba79715f6..0263692979ec 100644
|
||||
--- a/fs/ext4/xattr.c
|
||||
+++ b/fs/ext4/xattr.c
|
||||
@@ -230,12 +230,12 @@ __ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh,
|
||||
{
|
||||
int error = -EFSCORRUPTED;
|
||||
|
||||
- if (buffer_verified(bh))
|
||||
- return 0;
|
||||
-
|
||||
if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) ||
|
||||
BHDR(bh)->h_blocks != cpu_to_le32(1))
|
||||
goto errout;
|
||||
+ if (buffer_verified(bh))
|
||||
+ return 0;
|
||||
+
|
||||
error = -EFSBADCRC;
|
||||
if (!ext4_xattr_block_csum_verify(inode, bh))
|
||||
goto errout;
|
|
@ -1,120 +0,0 @@
|
|||
From: Theodore Ts'o <tytso@mit.edu>
|
||||
Date: Sat, 16 Jun 2018 23:41:59 -0400
|
||||
Subject: ext4: avoid running out of journal credits when appending to an
|
||||
inline file
|
||||
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=3886651521995071fab29401094e675b6ebfdc8c
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10883
|
||||
|
||||
Use a separate journal transaction if it turns out that we need to
|
||||
convert an inline file to use an data block. Otherwise we could end
|
||||
up failing due to not having journal credits.
|
||||
|
||||
This addresses CVE-2018-10883.
|
||||
|
||||
https://bugzilla.kernel.org/show_bug.cgi?id=200071
|
||||
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
---
|
||||
fs/ext4/ext4.h | 3 ---
|
||||
fs/ext4/inline.c | 38 +-------------------------------------
|
||||
fs/ext4/xattr.c | 19 ++-----------------
|
||||
3 files changed, 3 insertions(+), 57 deletions(-)
|
||||
|
||||
--- a/fs/ext4/ext4.h
|
||||
+++ b/fs/ext4/ext4.h
|
||||
@@ -3005,9 +3005,6 @@ extern int ext4_inline_data_fiemap(struc
|
||||
struct iomap;
|
||||
extern int ext4_inline_data_iomap(struct inode *inode, struct iomap *iomap);
|
||||
|
||||
-extern int ext4_try_to_evict_inline_data(handle_t *handle,
|
||||
- struct inode *inode,
|
||||
- int needed);
|
||||
extern int ext4_inline_data_truncate(struct inode *inode, int *has_inline);
|
||||
|
||||
extern int ext4_convert_inline_data(struct inode *inode);
|
||||
--- a/fs/ext4/inline.c
|
||||
+++ b/fs/ext4/inline.c
|
||||
@@ -887,11 +887,11 @@ retry_journal:
|
||||
flags |= AOP_FLAG_NOFS;
|
||||
|
||||
if (ret == -ENOSPC) {
|
||||
+ ext4_journal_stop(handle);
|
||||
ret = ext4_da_convert_inline_data_to_extent(mapping,
|
||||
inode,
|
||||
flags,
|
||||
fsdata);
|
||||
- ext4_journal_stop(handle);
|
||||
if (ret == -ENOSPC &&
|
||||
ext4_should_retry_alloc(inode->i_sb, &retries))
|
||||
goto retry_journal;
|
||||
@@ -1891,42 +1891,6 @@ out:
|
||||
return (error < 0 ? error : 0);
|
||||
}
|
||||
|
||||
-/*
|
||||
- * Called during xattr set, and if we can sparse space 'needed',
|
||||
- * just create the extent tree evict the data to the outer block.
|
||||
- *
|
||||
- * We use jbd2 instead of page cache to move data to the 1st block
|
||||
- * so that the whole transaction can be committed as a whole and
|
||||
- * the data isn't lost because of the delayed page cache write.
|
||||
- */
|
||||
-int ext4_try_to_evict_inline_data(handle_t *handle,
|
||||
- struct inode *inode,
|
||||
- int needed)
|
||||
-{
|
||||
- int error;
|
||||
- struct ext4_xattr_entry *entry;
|
||||
- struct ext4_inode *raw_inode;
|
||||
- struct ext4_iloc iloc;
|
||||
-
|
||||
- error = ext4_get_inode_loc(inode, &iloc);
|
||||
- if (error)
|
||||
- return error;
|
||||
-
|
||||
- raw_inode = ext4_raw_inode(&iloc);
|
||||
- entry = (struct ext4_xattr_entry *)((void *)raw_inode +
|
||||
- EXT4_I(inode)->i_inline_off);
|
||||
- if (EXT4_XATTR_LEN(entry->e_name_len) +
|
||||
- EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)) < needed) {
|
||||
- error = -ENOSPC;
|
||||
- goto out;
|
||||
- }
|
||||
-
|
||||
- error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
|
||||
-out:
|
||||
- brelse(iloc.bh);
|
||||
- return error;
|
||||
-}
|
||||
-
|
||||
int ext4_inline_data_truncate(struct inode *inode, int *has_inline)
|
||||
{
|
||||
handle_t *handle;
|
||||
--- a/fs/ext4/xattr.c
|
||||
+++ b/fs/ext4/xattr.c
|
||||
@@ -2212,23 +2212,8 @@ int ext4_xattr_ibody_inline_set(handle_t
|
||||
if (EXT4_I(inode)->i_extra_isize == 0)
|
||||
return -ENOSPC;
|
||||
error = ext4_xattr_set_entry(i, s, handle, inode, false /* is_block */);
|
||||
- if (error) {
|
||||
- if (error == -ENOSPC &&
|
||||
- ext4_has_inline_data(inode)) {
|
||||
- error = ext4_try_to_evict_inline_data(handle, inode,
|
||||
- EXT4_XATTR_LEN(strlen(i->name) +
|
||||
- EXT4_XATTR_SIZE(i->value_len)));
|
||||
- if (error)
|
||||
- return error;
|
||||
- error = ext4_xattr_ibody_find(inode, i, is);
|
||||
- if (error)
|
||||
- return error;
|
||||
- error = ext4_xattr_set_entry(i, s, handle, inode,
|
||||
- false /* is_block */);
|
||||
- }
|
||||
- if (error)
|
||||
- return error;
|
||||
- }
|
||||
+ if (error)
|
||||
+ return error;
|
||||
header = IHDR(inode, ext4_raw_inode(&is->iloc));
|
||||
if (!IS_LAST_ENTRY(s->first)) {
|
||||
header->h_magic = cpu_to_le32(EXT4_XATTR_MAGIC);
|
|
@ -1,42 +0,0 @@
|
|||
From: Theodore Ts'o <tytso@mit.edu>
|
||||
Date: Fri, 15 Jun 2018 12:28:16 -0400
|
||||
Subject: ext4: clear i_data in ext4_inode_info when removing inline data
|
||||
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=cd75e020ee28aa21985c6d8ebafc7457b4c51531
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10881
|
||||
|
||||
When converting from an inode from storing the data in-line to a data
|
||||
block, ext4_destroy_inline_data_nolock() was only clearing the on-disk
|
||||
copy of the i_blocks[] array. It was not clearing copy of the
|
||||
i_blocks[] in ext4_inode_info, in i_data[], which is the copy actually
|
||||
used by ext4_map_blocks().
|
||||
|
||||
This didn't matter much if we are using extents, since the extents
|
||||
header would be invalid and thus the extents could would re-initialize
|
||||
the extents tree. But if we are using indirect blocks, the previous
|
||||
contents of the i_blocks array will be treated as block numbers, with
|
||||
potentially catastrophic results to the file system integrity and/or
|
||||
user data.
|
||||
|
||||
This gets worse if the file system is using a 1k block size and
|
||||
s_first_data is zero, but even without this, the file system can get
|
||||
quite badly corrupted.
|
||||
|
||||
This addresses CVE-2018-10881.
|
||||
|
||||
https://bugzilla.kernel.org/show_bug.cgi?id=200015
|
||||
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
---
|
||||
fs/ext4/inline.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
--- a/fs/ext4/inline.c
|
||||
+++ b/fs/ext4/inline.c
|
||||
@@ -437,6 +437,7 @@ static int ext4_destroy_inline_data_nolo
|
||||
|
||||
memset((void *)ext4_raw_inode(&is.iloc)->i_block,
|
||||
0, EXT4_MIN_INLINE_DATA_SIZE);
|
||||
+ memset(ei->i_data, 0, EXT4_MIN_INLINE_DATA_SIZE);
|
||||
|
||||
if (ext4_has_feature_extents(inode->i_sb)) {
|
||||
if (S_ISDIR(inode->i_mode) ||
|
|
@ -1,74 +0,0 @@
|
|||
From: Theodore Ts'o <tytso@mit.edu>
|
||||
Date: Wed, 13 Jun 2018 23:08:26 -0400
|
||||
Subject: ext4: make sure bitmaps and the inode table don't overlap with bg
|
||||
descriptors
|
||||
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=6b506a7d09854128b1da9571d879ee9dea3ffb02
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10878
|
||||
|
||||
It's really bad when the allocation bitmaps and the inode table
|
||||
overlap with the block group descriptors, since it causes random
|
||||
corruption of the bg descriptors. So we really want to head those off
|
||||
at the pass.
|
||||
|
||||
https://bugzilla.kernel.org/show_bug.cgi?id=199865
|
||||
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
---
|
||||
fs/ext4/super.c | 25 +++++++++++++++++++++++++
|
||||
1 file changed, 25 insertions(+)
|
||||
|
||||
--- a/fs/ext4/super.c
|
||||
+++ b/fs/ext4/super.c
|
||||
@@ -2307,6 +2307,7 @@ static int ext4_check_descriptors(struct
|
||||
struct ext4_sb_info *sbi = EXT4_SB(sb);
|
||||
ext4_fsblk_t first_block = le32_to_cpu(sbi->s_es->s_first_data_block);
|
||||
ext4_fsblk_t last_block;
|
||||
+ ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0) + 1;
|
||||
ext4_fsblk_t block_bitmap;
|
||||
ext4_fsblk_t inode_bitmap;
|
||||
ext4_fsblk_t inode_table;
|
||||
@@ -2339,6 +2340,14 @@ static int ext4_check_descriptors(struct
|
||||
if (!sb_rdonly(sb))
|
||||
return 0;
|
||||
}
|
||||
+ if (block_bitmap >= sb_block + 1 &&
|
||||
+ block_bitmap <= last_bg_block) {
|
||||
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
|
||||
+ "Block bitmap for group %u overlaps "
|
||||
+ "block group descriptors", i);
|
||||
+ if (!sb_rdonly(sb))
|
||||
+ return 0;
|
||||
+ }
|
||||
if (block_bitmap < first_block || block_bitmap > last_block) {
|
||||
ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
|
||||
"Block bitmap for group %u not in group "
|
||||
@@ -2353,6 +2362,14 @@ static int ext4_check_descriptors(struct
|
||||
if (!sb_rdonly(sb))
|
||||
return 0;
|
||||
}
|
||||
+ if (inode_bitmap >= sb_block + 1 &&
|
||||
+ inode_bitmap <= last_bg_block) {
|
||||
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
|
||||
+ "Inode bitmap for group %u overlaps "
|
||||
+ "block group descriptors", i);
|
||||
+ if (!sb_rdonly(sb))
|
||||
+ return 0;
|
||||
+ }
|
||||
if (inode_bitmap < first_block || inode_bitmap > last_block) {
|
||||
ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
|
||||
"Inode bitmap for group %u not in group "
|
||||
@@ -2367,6 +2384,14 @@ static int ext4_check_descriptors(struct
|
||||
if (!sb_rdonly(sb))
|
||||
return 0;
|
||||
}
|
||||
+ if (inode_table >= sb_block + 1 &&
|
||||
+ inode_table <= last_bg_block) {
|
||||
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
|
||||
+ "Inode table for group %u overlaps "
|
||||
+ "block group descriptors", i);
|
||||
+ if (!sb_rdonly(sb))
|
||||
+ return 0;
|
||||
+ }
|
||||
if (inode_table < first_block ||
|
||||
inode_table + sbi->s_itb_per_group - 1 > last_block) {
|
||||
ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
|
|
@ -1,34 +0,0 @@
|
|||
From: Theodore Ts'o <tytso@mit.edu>
|
||||
Date: Sat, 16 Jun 2018 15:40:48 -0400
|
||||
Subject: ext4: never move the system.data xattr out of the inode body
|
||||
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=896003d9fd652666080a06411d4238ee6eb4fb76
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10880
|
||||
|
||||
When expanding the extra isize space, we must never move the
|
||||
system.data xattr out of the inode body. For performance reasons, it
|
||||
doesn't make any sense, and the inline data implementation assumes
|
||||
that system.data xattr is never in the external xattr block.
|
||||
|
||||
This addresses CVE-2018-10880
|
||||
|
||||
https://bugzilla.kernel.org/show_bug.cgi?id=200005
|
||||
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
---
|
||||
fs/ext4/xattr.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
--- a/fs/ext4/xattr.c
|
||||
+++ b/fs/ext4/xattr.c
|
||||
@@ -2657,6 +2657,11 @@ static int ext4_xattr_make_inode_space(h
|
||||
last = IFIRST(header);
|
||||
/* Find the entry best suited to be pushed into EA block */
|
||||
for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
|
||||
+ /* never move system.data out of the inode */
|
||||
+ if ((last->e_name_len == 4) &&
|
||||
+ (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) &&
|
||||
+ !memcmp(last->e_name, "data", 4))
|
||||
+ continue;
|
||||
total_size = EXT4_XATTR_LEN(last->e_name_len);
|
||||
if (!last->e_value_inum)
|
||||
total_size += EXT4_XATTR_SIZE(
|
|
@ -1,125 +0,0 @@
|
|||
From: Theodore Ts'o <tytso@mit.edu>
|
||||
Date: Thu, 14 Jun 2018 00:58:00 -0400
|
||||
Subject: ext4: only look at the bg_flags field if it is valid
|
||||
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=32a82d31527ae9cb568f5d7fa5ad27b2860324ed
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10876
|
||||
|
||||
The bg_flags field in the block group descripts is only valid if the
|
||||
uninit_bg or metadata_csum feature is enabled. We were not
|
||||
consistently looking at this field; fix this.
|
||||
|
||||
Also block group #0 must never have uninitialized allocation bitmaps,
|
||||
or need to be zeroed, since that's where the root inode, and other
|
||||
special inodes are set up. Check for these conditions and mark the
|
||||
file system as corrupted if they are detected.
|
||||
|
||||
This addresses CVE-2018-10876.
|
||||
|
||||
https://bugzilla.kernel.org/show_bug.cgi?id=199403
|
||||
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
---
|
||||
fs/ext4/balloc.c | 11 ++++++++++-
|
||||
fs/ext4/ialloc.c | 14 ++++++++++++--
|
||||
fs/ext4/mballoc.c | 6 ++++--
|
||||
fs/ext4/super.c | 11 ++++++++++-
|
||||
4 files changed, 36 insertions(+), 6 deletions(-)
|
||||
|
||||
--- a/fs/ext4/balloc.c
|
||||
+++ b/fs/ext4/balloc.c
|
||||
@@ -451,7 +451,16 @@ ext4_read_block_bitmap_nowait(struct sup
|
||||
goto verify;
|
||||
}
|
||||
ext4_lock_group(sb, block_group);
|
||||
- if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
|
||||
+ if (ext4_has_group_desc_csum(sb) &&
|
||||
+ (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) {
|
||||
+ if (block_group == 0) {
|
||||
+ ext4_unlock_group(sb, block_group);
|
||||
+ unlock_buffer(bh);
|
||||
+ ext4_error(sb, "Block bitmap for bg 0 marked "
|
||||
+ "uninitialized");
|
||||
+ err = -EFSCORRUPTED;
|
||||
+ goto out;
|
||||
+ }
|
||||
err = ext4_init_block_bitmap(sb, bh, block_group, desc);
|
||||
set_bitmap_uptodate(bh);
|
||||
set_buffer_uptodate(bh);
|
||||
--- a/fs/ext4/ialloc.c
|
||||
+++ b/fs/ext4/ialloc.c
|
||||
@@ -155,7 +155,16 @@ ext4_read_inode_bitmap(struct super_bloc
|
||||
}
|
||||
|
||||
ext4_lock_group(sb, block_group);
|
||||
- if (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT)) {
|
||||
+ if (ext4_has_group_desc_csum(sb) &&
|
||||
+ (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT))) {
|
||||
+ if (block_group == 0) {
|
||||
+ ext4_unlock_group(sb, block_group);
|
||||
+ unlock_buffer(bh);
|
||||
+ ext4_error(sb, "Inode bitmap for bg 0 marked "
|
||||
+ "uninitialized");
|
||||
+ err = -EFSCORRUPTED;
|
||||
+ goto out;
|
||||
+ }
|
||||
memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8);
|
||||
ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb),
|
||||
sb->s_blocksize * 8, bh->b_data);
|
||||
@@ -1000,7 +1009,8 @@ got:
|
||||
|
||||
/* recheck and clear flag under lock if we still need to */
|
||||
ext4_lock_group(sb, group);
|
||||
- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
|
||||
+ if (ext4_has_group_desc_csum(sb) &&
|
||||
+ (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) {
|
||||
gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT);
|
||||
ext4_free_group_clusters_set(sb, gdp,
|
||||
ext4_free_clusters_after_init(sb, group, gdp));
|
||||
--- a/fs/ext4/mballoc.c
|
||||
+++ b/fs/ext4/mballoc.c
|
||||
@@ -2444,7 +2444,8 @@ int ext4_mb_add_groupinfo(struct super_b
|
||||
* initialize bb_free to be able to skip
|
||||
* empty groups without initialization
|
||||
*/
|
||||
- if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
|
||||
+ if (ext4_has_group_desc_csum(sb) &&
|
||||
+ (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) {
|
||||
meta_group_info[i]->bb_free =
|
||||
ext4_free_clusters_after_init(sb, group, desc);
|
||||
} else {
|
||||
@@ -3011,7 +3012,8 @@ ext4_mb_mark_diskspace_used(struct ext4_
|
||||
#endif
|
||||
ext4_set_bits(bitmap_bh->b_data, ac->ac_b_ex.fe_start,
|
||||
ac->ac_b_ex.fe_len);
|
||||
- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
|
||||
+ if (ext4_has_group_desc_csum(sb) &&
|
||||
+ (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) {
|
||||
gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT);
|
||||
ext4_free_group_clusters_set(sb, gdp,
|
||||
ext4_free_clusters_after_init(sb,
|
||||
--- a/fs/ext4/super.c
|
||||
+++ b/fs/ext4/super.c
|
||||
@@ -3098,13 +3098,22 @@ static ext4_group_t ext4_has_uninit_itab
|
||||
ext4_group_t group, ngroups = EXT4_SB(sb)->s_groups_count;
|
||||
struct ext4_group_desc *gdp = NULL;
|
||||
|
||||
+ if (!ext4_has_group_desc_csum(sb))
|
||||
+ return ngroups;
|
||||
+
|
||||
for (group = 0; group < ngroups; group++) {
|
||||
gdp = ext4_get_group_desc(sb, group, NULL);
|
||||
if (!gdp)
|
||||
continue;
|
||||
|
||||
- if (!(gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED)))
|
||||
+ if (gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED))
|
||||
+ continue;
|
||||
+ if (group != 0)
|
||||
break;
|
||||
+ ext4_error(sb, "Inode table for bg 0 marked as "
|
||||
+ "needing zeroing");
|
||||
+ if (sb_rdonly(sb))
|
||||
+ return ngroups;
|
||||
}
|
||||
|
||||
return group;
|
|
@ -1,45 +0,0 @@
|
|||
From: Theodore Ts'o <tytso@mit.edu>
|
||||
Date: Thu, 14 Jun 2018 12:55:10 -0400
|
||||
Subject: ext4: verify the depth of extent tree in ext4_find_extent()
|
||||
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=0a8173832987f52ab6926dbdf1cd3991ca615000
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10877
|
||||
|
||||
If there is a corupted file system where the claimed depth of the
|
||||
extent tree is -1, this can cause a massive buffer overrun leading to
|
||||
sadness.
|
||||
|
||||
This addresses CVE-2018-10877.
|
||||
|
||||
https://bugzilla.kernel.org/show_bug.cgi?id=199417
|
||||
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
---
|
||||
fs/ext4/ext4_extents.h | 1 +
|
||||
fs/ext4/extents.c | 6 ++++++
|
||||
2 files changed, 7 insertions(+)
|
||||
|
||||
--- a/fs/ext4/ext4_extents.h
|
||||
+++ b/fs/ext4/ext4_extents.h
|
||||
@@ -91,6 +91,7 @@ struct ext4_extent_header {
|
||||
};
|
||||
|
||||
#define EXT4_EXT_MAGIC cpu_to_le16(0xf30a)
|
||||
+#define EXT4_MAX_EXTENT_DEPTH 5
|
||||
|
||||
#define EXT4_EXTENT_TAIL_OFFSET(hdr) \
|
||||
(sizeof(struct ext4_extent_header) + \
|
||||
--- a/fs/ext4/extents.c
|
||||
+++ b/fs/ext4/extents.c
|
||||
@@ -869,6 +869,12 @@ ext4_find_extent(struct inode *inode, ex
|
||||
|
||||
eh = ext_inode_hdr(inode);
|
||||
depth = ext_depth(inode);
|
||||
+ if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) {
|
||||
+ EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d",
|
||||
+ depth);
|
||||
+ ret = -EFSCORRUPTED;
|
||||
+ goto err;
|
||||
+ }
|
||||
|
||||
if (path) {
|
||||
ext4_ext_drop_refs(path);
|
|
@ -1,52 +0,0 @@
|
|||
From: Theodore Ts'o <tytso@mit.edu>
|
||||
Date: Sat, 16 Jun 2018 20:21:45 -0400
|
||||
Subject: jbd2: don't mark block as modified if the handle is out of credits
|
||||
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=aa18d2cefac6c34885659d12c3fdcffcd6c54e9a
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10883
|
||||
|
||||
Do not set the b_modified flag in block's journal head should not
|
||||
until after we're sure that jbd2_journal_dirty_metadat() will not
|
||||
abort with an error due to there not being enough space reserved in
|
||||
the jbd2 handle.
|
||||
|
||||
Otherwise, future attempts to modify the buffer may lead a large
|
||||
number of spurious errors and warnings.
|
||||
|
||||
This addresses CVE-2018-10883.
|
||||
|
||||
https://bugzilla.kernel.org/show_bug.cgi?id=200071
|
||||
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
---
|
||||
fs/jbd2/transaction.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/fs/jbd2/transaction.c
|
||||
+++ b/fs/jbd2/transaction.c
|
||||
@@ -1363,6 +1363,13 @@ int jbd2_journal_dirty_metadata(handle_t
|
||||
if (jh->b_transaction == transaction &&
|
||||
jh->b_jlist != BJ_Metadata) {
|
||||
jbd_lock_bh_state(bh);
|
||||
+ if (jh->b_transaction == transaction &&
|
||||
+ jh->b_jlist != BJ_Metadata)
|
||||
+ pr_err("JBD2: assertion failure: h_type=%u "
|
||||
+ "h_line_no=%u block_no=%llu jlist=%u\n",
|
||||
+ handle->h_type, handle->h_line_no,
|
||||
+ (unsigned long long) bh->b_blocknr,
|
||||
+ jh->b_jlist);
|
||||
J_ASSERT_JH(jh, jh->b_transaction != transaction ||
|
||||
jh->b_jlist == BJ_Metadata);
|
||||
jbd_unlock_bh_state(bh);
|
||||
@@ -1382,11 +1389,11 @@ int jbd2_journal_dirty_metadata(handle_t
|
||||
* of the transaction. This needs to be done
|
||||
* once a transaction -bzzz
|
||||
*/
|
||||
- jh->b_modified = 1;
|
||||
if (handle->h_buffer_credits <= 0) {
|
||||
ret = -ENOSPC;
|
||||
goto out_unlock_bh;
|
||||
}
|
||||
+ jh->b_modified = 1;
|
||||
handle->h_buffer_credits--;
|
||||
}
|
||||
|
|
@ -87,7 +87,6 @@ bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
|
|||
debian/revert-objtool-fix-config_stack_validation-y-warning.patch
|
||||
bugfix/all/i40e-build-for-64-bit-targets-only.patch
|
||||
bugfix/all/netfilter-ipvs-Fix-invalid-bytes-in-IP_VS_MH_TAB_IND.patch
|
||||
bugfix/all/autofs-rename-autofs-module-back-to-autofs4.patch
|
||||
|
||||
# Miscellaneous features
|
||||
|
||||
|
@ -127,17 +126,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
|
||||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
|
||||
bugfix/all/ext4-always-verify-the-magic-number-in-xattr-blocks.patch
|
||||
bugfix/all/ext4-always-check-block-group-bounds-in-ext4_init_bl.patch
|
||||
bugfix/all/ext4-make-sure-bitmaps-and-the-inode-table-don-t-ove.patch
|
||||
bugfix/all/ext4-only-look-at-the-bg_flags-field-if-it-is-valid.patch
|
||||
bugfix/all/ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch
|
||||
bugfix/all/ext4-clear-i_data-in-ext4_inode_info-when-removing-i.patch
|
||||
bugfix/all/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
|
||||
bugfix/all/jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch
|
||||
bugfix/all/ext4-avoid-running-out-of-journal-credits-when-appen.patch
|
||||
bugfix/all/ext4-add-more-inode-number-paranoia-checks.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|