46 lines
1.6 KiB
Diff
46 lines
1.6 KiB
Diff
From: Theodore Ts'o <tytso@mit.edu>
|
|
Date: Wed, 13 Jun 2018 00:51:28 -0400
|
|
Subject: ext4: always verify the magic number in xattr blocks
|
|
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=3345c50533c6a17ebc0284362ca7b69aaef37ac4
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10879
|
|
|
|
If there an inode points to a block which is also some other type of
|
|
metadata block (such as a block allocation bitmap), the
|
|
buffer_verified flag can be set when it was validated as that other
|
|
metadata block type; however, it would make a really terrible external
|
|
attribute block. The reason why we use the verified flag is to avoid
|
|
constantly reverifying the block. However, it doesn't take much
|
|
overhead to make sure the magic number of the xattr block is correct,
|
|
and this will avoid potential crashes.
|
|
|
|
This addresses CVE-2018-10879.
|
|
|
|
https://bugzilla.kernel.org/show_bug.cgi?id=200001
|
|
|
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
|
|
---
|
|
fs/ext4/xattr.c | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
|
|
index 230ba79715f6..0263692979ec 100644
|
|
--- a/fs/ext4/xattr.c
|
|
+++ b/fs/ext4/xattr.c
|
|
@@ -230,12 +230,12 @@ __ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh,
|
|
{
|
|
int error = -EFSCORRUPTED;
|
|
|
|
- if (buffer_verified(bh))
|
|
- return 0;
|
|
-
|
|
if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) ||
|
|
BHDR(bh)->h_blocks != cpu_to_le32(1))
|
|
goto errout;
|
|
+ if (buffer_verified(bh))
|
|
+ return 0;
|
|
+
|
|
error = -EFSBADCRC;
|
|
if (!ext4_xattr_block_csum_verify(inode, bh))
|
|
goto errout;
|