xfs: enhance dinode verifier (CVE-2018-10322)
parent
9f2182e09a
commit
f78c3b3434
|
@ -20,6 +20,7 @@ linux (4.16.4-1) UNRELEASED; urgency=medium
|
|||
* debian/lib/python/debian_linux/debian.py: Fix binNMU revision parsing
|
||||
* Revert "ext4: add validity checks for bitmap block numbers", which
|
||||
caused a regression
|
||||
* xfs: enhance dinode verifier (CVE-2018-10322)
|
||||
|
||||
[ Vagrant Cascadian ]
|
||||
* [arm64] Add patches to support SATA on Tegra210/Jetson-TX1.
|
||||
|
|
|
@ -0,0 +1,68 @@
|
|||
From: Eric Sandeen <sandeen@sandeen.net>
|
||||
Date: Mon, 16 Apr 2018 23:06:53 -0700
|
||||
Subject: xfs: enhance dinode verifier
|
||||
Origin: https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/commit?id=b42db0860e13067fcc7cbfba3966c9e652668bbc
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10322
|
||||
|
||||
Add several more validations to xfs_dinode_verify:
|
||||
|
||||
- For LOCAL data fork formats, di_nextents must be 0.
|
||||
- For LOCAL attr fork formats, di_anextents must be 0.
|
||||
- For inodes with no attr fork offset,
|
||||
- format must be XFS_DINODE_FMT_EXTENTS if set at all
|
||||
- di_anextents must be 0.
|
||||
|
||||
Thanks to dchinner for pointing out a couple related checks I had
|
||||
forgotten to add.
|
||||
|
||||
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
|
||||
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199377
|
||||
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
|
||||
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
|
||||
---
|
||||
fs/xfs/libxfs/xfs_inode_buf.c | 21 +++++++++++++++++++++
|
||||
1 file changed, 21 insertions(+)
|
||||
|
||||
--- a/fs/xfs/libxfs/xfs_inode_buf.c
|
||||
+++ b/fs/xfs/libxfs/xfs_inode_buf.c
|
||||
@@ -458,6 +458,8 @@ xfs_dinode_verify(
|
||||
return __this_address;
|
||||
if (di_size > XFS_DFORK_DSIZE(dip, mp))
|
||||
return __this_address;
|
||||
+ if (dip->di_nextents)
|
||||
+ return __this_address;
|
||||
/* fall through */
|
||||
case XFS_DINODE_FMT_EXTENTS:
|
||||
case XFS_DINODE_FMT_BTREE:
|
||||
@@ -476,12 +478,31 @@ xfs_dinode_verify(
|
||||
if (XFS_DFORK_Q(dip)) {
|
||||
switch (dip->di_aformat) {
|
||||
case XFS_DINODE_FMT_LOCAL:
|
||||
+ if (dip->di_anextents)
|
||||
+ return __this_address;
|
||||
+ /* fall through */
|
||||
case XFS_DINODE_FMT_EXTENTS:
|
||||
case XFS_DINODE_FMT_BTREE:
|
||||
break;
|
||||
default:
|
||||
return __this_address;
|
||||
}
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * If there is no fork offset, this may be a freshly-made inode
|
||||
+ * in a new disk cluster, in which case di_aformat is zeroed.
|
||||
+ * Otherwise, such an inode must be in EXTENTS format; this goes
|
||||
+ * for freed inodes as well.
|
||||
+ */
|
||||
+ switch (dip->di_aformat) {
|
||||
+ case 0:
|
||||
+ case XFS_DINODE_FMT_EXTENTS:
|
||||
+ break;
|
||||
+ default:
|
||||
+ return __this_address;
|
||||
+ }
|
||||
+ if (dip->di_anextents)
|
||||
+ return __this_address;
|
||||
}
|
||||
|
||||
/* only version 3 or greater inodes are extensively verified here */
|
|
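Review bot: In the new `else` branch of the second xfs_dinode_verify hunk, the bare `case 0:` is meant to accept a zeroed di_aformat on a freshly made inode, but 0 is also XFS_DINODE_FMT_DEV, the first value of the dinode format enum (not shown here), so the label reads as a magic number. A short comment on the label would make that explicit, e.g. `case 0: /* zeroed at cluster init; same value as XFS_DINODE_FMT_DEV */`. Separately, this branch now fails any inode without a fork offset whose di_aformat is neither 0 nor EXTENTS, or whose di_anextents is non-zero. Whether every path that removes an attr fork resets both fields is not visible from these hunks, so for a stable backport it is worth confirming that inodes written by older kernels cannot trip the stricter check and be reported as corrupt on read. The function body starts and ends outside both hunks.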
@ -139,6 +139,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
|
||||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/xfs-enhance-dinode-verifier.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|