[SRU][PATCH 0/1] Fix for CVE-2018-10323


Khaled Elmously
Clean cherry-pick for X/A/B. Seems like a straightforward backport for T

Eric Sandeen (1):
  xfs: set format back to extents if xfs_bmap_extents_to_btree

 fs/xfs/xfs_bmap.c | 2 ++
 1 file changed, 2 insertions(+)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[SRU][X/A/B][PATCH 1/1] xfs: set format back to extents if xfs_bmap_extents_to_btree

Khaled Elmously
From: Eric Sandeen <[hidden email]>

CVE-2018-10323

If xfs_bmap_extents_to_btree fails in a mode where we call
xfs_iroot_realloc(-1) to de-allocate the root, set the
format back to extents.

Otherwise we can assume we can dereference ifp->if_broot
based on the XFS_DINODE_FMT_BTREE format, and crash.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
Signed-off-by: Eric Sandeen <[hidden email]>
Reviewed-by: Christoph Hellwig <[hidden email]>
Reviewed-by: Darrick J. Wong <[hidden email]>
Signed-off-by: Darrick J. Wong <[hidden email]>
(cherry-picked from 2c4306f719b083d17df2963bc761777576b8ad1b)
Signed-off-by: Khalid Elmously <[hidden email]>
---
 fs/xfs/libxfs/xfs_bmap.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
index 1bddbba6b80c..c756db755a5a 100644
--- a/fs/xfs/libxfs/xfs_bmap.c
+++ b/fs/xfs/libxfs/xfs_bmap.c
@@ -725,12 +725,16 @@ xfs_bmap_extents_to_btree(
  *logflagsp = 0;
  if ((error = xfs_alloc_vextent(&args))) {
  xfs_iroot_realloc(ip, -1, whichfork);
+ ASSERT(ifp->if_broot == NULL);
+ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
  xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
  return error;
  }
 
  if (WARN_ON_ONCE(args.fsbno == NULLFSBLOCK)) {
  xfs_iroot_realloc(ip, -1, whichfork);
+ ASSERT(ifp->if_broot == NULL);
+ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
  xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
  return -ENOSPC;
  }
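Review bot: The second branch in this hunk, if (WARN_ON_ONCE(args.fsbno == NULLFSBLOCK)), appears as unchanged context, so this cherry-pick can only apply to a tree that already has that check. The patch is addressed to X, A and B together; please confirm each target tree contains that branch and send a single-branch variant for any that does not. Within each branch, ASSERT(ifp->if_broot == NULL) only checks the state; the XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS) line is what restores it, so it has to stay in both error paths.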
--
2.17.1
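The failure mode the commit message describes, as an added example that is not part of the original patch or the kernel source: a user-space model in which a format tag and a root pointer must change together. The struct, enum and function names are hypothetical simplifications, and the reader returns -EFAULT at the point where the kernel would dereference NULL.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the XFS fork state; not the kernel's definitions. */
enum fork_fmt { FMT_EXTENTS, FMT_BTREE };
struct fork {
    enum fork_fmt format; /* tag naming the live representation */
    int *broot;           /* in-core root, valid only for FMT_BTREE */
};

/* Reader that trusts the tag, like code keyed on the btree format. */
static int read_root_level(const struct fork *f, int *level)
{
    if (f->format != FMT_BTREE)
        return -EINVAL;   /* extents format: there is no root to read */
    if (f->broot == NULL)
        return -EFAULT;   /* tag says btree but the root is gone */
    *level = *f->broot;
    return 0;
}

/* Model of the conversion: build the root, switch the tag, then allocate. */
static int extents_to_btree(struct fork *f, int alloc_fails, int reset_format)
{
    f->broot = malloc(sizeof(*f->broot));
    if (f->broot == NULL)
        return -ENOMEM;
    *f->broot = 1;
    f->format = FMT_BTREE;
    if (alloc_fails) {
        free(f->broot);   /* models xfs_iroot_realloc(ip, -1, whichfork) */
        f->broot = NULL;
        if (reset_format)
            f->format = FMT_EXTENTS; /* models the added XFS_IFORK_FMT_SET */
        return -ENOSPC;
    }
    return 0;
}

/* Fail one conversion, then report what a later reader gets back. */
static int reader_result_after_failure(int reset_format)
{
    struct fork f = { FMT_EXTENTS, NULL };
    int level = 0;
    int error = extents_to_btree(&f, 1, reset_format);
    return error == -ENOSPC ? read_root_level(&f, &level) : error;
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n",
           reader_result_after_failure(0), reader_result_after_failure(1));
    return 0;
}
```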



[SRU][T][PATCH 1/1] xfs: set format back to extents if xfs_bmap_extents_to_btree

Khaled Elmously
In reply to this post by Khaled Elmously
From: Eric Sandeen <[hidden email]>

CVE-2018-10323

If xfs_bmap_extents_to_btree fails in a mode where we call
xfs_iroot_realloc(-1) to de-allocate the root, set the
format back to extents.

Otherwise we can assume we can dereference ifp->if_broot
based on the XFS_DINODE_FMT_BTREE format, and crash.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
Signed-off-by: Eric Sandeen <[hidden email]>
Reviewed-by: Christoph Hellwig <[hidden email]>
Reviewed-by: Darrick J. Wong <[hidden email]>
Signed-off-by: Darrick J. Wong <[hidden email]>
(backported from 2c4306f719b083d17df2963bc761777576b8ad1b)
Signed-off-by: Khalid Elmously <[hidden email]>
---
 fs/xfs/xfs_bmap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c
index 6beb7a93a0e9..41013924bdcd 100644
--- a/fs/xfs/xfs_bmap.c
+++ b/fs/xfs/xfs_bmap.c
@@ -823,6 +823,8 @@ xfs_bmap_extents_to_btree(
  *logflagsp = 0;
  if ((error = xfs_alloc_vextent(&args))) {
  xfs_iroot_realloc(ip, -1, whichfork);
+ ASSERT(ifp->if_broot == NULL);
+ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
  xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
  return error;
  }
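Review bot: The added ASSERT(ifp->if_broot == NULL) uses ifp, which is not assigned anywhere in the visible context of this hunk; since this is a backport to an older fs/xfs/xfs_bmap.c, please confirm ifp is already set for whichfork before this point in the target tree. The commit message should also state what differs from 2c4306f719b083d17df2963bc761777576b8ad1b (only the xfs_alloc_vextent failure branch is patched here), so the 2-line diffstat versus the 4-line X/A/B patch is explained.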
--
2.17.1



ACK: [SRU][PATCH 0/1] Fix for CVE-2018-10323

Stefan Bader-2
In reply to this post by Khaled Elmously
On 06.07.2018 07:33, Khalid Elmously wrote:
> Clean cherry-pick for X/A/B. Seems like a straightforward backport for T
>
> Eric Sandeen (1):
>   xfs: set format back to extents if xfs_bmap_extents_to_btree
>
>  fs/xfs/xfs_bmap.c | 2 ++
>  1 file changed, 2 insertions(+)
>
Acked-by: Stefan Bader <[hidden email]>

Looks like trusty indeed has only one failure case like described.



ACK[T]: [SRU][T][PATCH 1/1] xfs: set format back to extents if xfs_bmap_extents_to_btree

Kleber Souza
In reply to this post by Khaled Elmously
On 07/06/18 07:33, Khalid Elmously wrote:

> From: Eric Sandeen <[hidden email]>
>
> CVE-2018-10323
>
> If xfs_bmap_extents_to_btree fails in a mode where we call
> xfs_iroot_realloc(-1) to de-allocate the root, set the
> format back to extents.
>
> Otherwise we can assume we can dereference ifp->if_broot
> based on the XFS_DINODE_FMT_BTREE format, and crash.
>
> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
> Signed-off-by: Eric Sandeen <[hidden email]>
> Reviewed-by: Christoph Hellwig <[hidden email]>
> Reviewed-by: Darrick J. Wong <[hidden email]>
> Signed-off-by: Darrick J. Wong <[hidden email]>
> (backported from 2c4306f719b083d17df2963bc761777576b8ad1b)
> Signed-off-by: Khalid Elmously <[hidden email]>
> ---
>  fs/xfs/xfs_bmap.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c
> index 6beb7a93a0e9..41013924bdcd 100644
> --- a/fs/xfs/xfs_bmap.c
> +++ b/fs/xfs/xfs_bmap.c
> @@ -823,6 +823,8 @@ xfs_bmap_extents_to_btree(
>   *logflagsp = 0;
>   if ((error = xfs_alloc_vextent(&args))) {
>   xfs_iroot_realloc(ip, -1, whichfork);
> + ASSERT(ifp->if_broot == NULL);
> + XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
>   xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
>   return error;
>   }
>

The backport looks correct.

Acked-by: Kleber Sacilotto de Souza <[hidden email]>


NAK[X/A]: [SRU][X/A/B][PATCH 1/1] xfs: set format back to extents if xfs_bmap_extents_to_btree

Kleber Souza
In reply to this post by Khaled Elmously
On 07/06/18 07:33, Khalid Elmously wrote:

> From: Eric Sandeen <[hidden email]>
>
> CVE-2018-10323
>
> If xfs_bmap_extents_to_btree fails in a mode where we call
> xfs_iroot_realloc(-1) to de-allocate the root, set the
> format back to extents.
>
> Otherwise we can assume we can dereference ifp->if_broot
> based on the XFS_DINODE_FMT_BTREE format, and crash.
>
> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
> Signed-off-by: Eric Sandeen <[hidden email]>
> Reviewed-by: Christoph Hellwig <[hidden email]>
> Reviewed-by: Darrick J. Wong <[hidden email]>
> Signed-off-by: Darrick J. Wong <[hidden email]>
> (cherry-picked from 2c4306f719b083d17df2963bc761777576b8ad1b)
> Signed-off-by: Khalid Elmously <[hidden email]>
> ---
>  fs/xfs/libxfs/xfs_bmap.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
> index 1bddbba6b80c..c756db755a5a 100644
> --- a/fs/xfs/libxfs/xfs_bmap.c
> +++ b/fs/xfs/libxfs/xfs_bmap.c
> @@ -725,12 +725,16 @@ xfs_bmap_extents_to_btree(
>   *logflagsp = 0;
>   if ((error = xfs_alloc_vextent(&args))) {
>   xfs_iroot_realloc(ip, -1, whichfork);
> + ASSERT(ifp->if_broot == NULL);
> + XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
>   xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
>   return error;
>   }
>  
>   if (WARN_ON_ONCE(args.fsbno == NULLFSBLOCK)) {
>   xfs_iroot_realloc(ip, -1, whichfork);
> + ASSERT(ifp->if_broot == NULL);
> + XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
>   xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
>   return -ENOSPC;
>   }
>

The patch doesn't apply on Xenial. The second block was introduced by
2fcc319d2467a (xfs: try any AG when allocating the first btree block
when reflinking), and it hasn't been backported to the Xenial kernel. So
the same backport for Trusty would potentially work for Xenial as well.

Artful is EOL.

So NAK for Xenial and Artful.


Kleber


ACK[B]: [SRU][X/A/B][PATCH 1/1] xfs: set format back to extents if xfs_bmap_extents_to_btree

Kleber Souza
In reply to this post by Khaled Elmously
On 07/06/18 07:33, Khalid Elmously wrote:

> From: Eric Sandeen <[hidden email]>
>
> CVE-2018-10323
>
> If xfs_bmap_extents_to_btree fails in a mode where we call
> xfs_iroot_realloc(-1) to de-allocate the root, set the
> format back to extents.
>
> Otherwise we can assume we can dereference ifp->if_broot
> based on the XFS_DINODE_FMT_BTREE format, and crash.
>
> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
> Signed-off-by: Eric Sandeen <[hidden email]>
> Reviewed-by: Christoph Hellwig <[hidden email]>
> Reviewed-by: Darrick J. Wong <[hidden email]>
> Signed-off-by: Darrick J. Wong <[hidden email]>
> (cherry-picked from 2c4306f719b083d17df2963bc761777576b8ad1b)
> Signed-off-by: Khalid Elmously <[hidden email]>
> ---
>  fs/xfs/libxfs/xfs_bmap.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
> index 1bddbba6b80c..c756db755a5a 100644
> --- a/fs/xfs/libxfs/xfs_bmap.c
> +++ b/fs/xfs/libxfs/xfs_bmap.c
> @@ -725,12 +725,16 @@ xfs_bmap_extents_to_btree(
>   *logflagsp = 0;
>   if ((error = xfs_alloc_vextent(&args))) {
>   xfs_iroot_realloc(ip, -1, whichfork);
> + ASSERT(ifp->if_broot == NULL);
> + XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
>   xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
>   return error;
>   }
>  
>   if (WARN_ON_ONCE(args.fsbno == NULLFSBLOCK)) {
>   xfs_iroot_realloc(ip, -1, whichfork);
> + ASSERT(ifp->if_broot == NULL);
> + XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
>   xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
>   return -ENOSPC;
>   }
>

For Bionic only:

Acked-by: Kleber Sacilotto de Souza <[hidden email]>


APPLIED[Trusty]: [SRU][T][PATCH 1/1] xfs: set format back to extents if xfs_bmap_extents_to_btree

Kleber Souza
In reply to this post by Khaled Elmously
On 07/06/18 07:33, Khalid Elmously wrote:

> From: Eric Sandeen <[hidden email]>
>
> CVE-2018-10323
>
> If xfs_bmap_extents_to_btree fails in a mode where we call
> xfs_iroot_realloc(-1) to de-allocate the root, set the
> format back to extents.
>
> Otherwise we can assume we can dereference ifp->if_broot
> based on the XFS_DINODE_FMT_BTREE format, and crash.
>
> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
> Signed-off-by: Eric Sandeen <[hidden email]>
> Reviewed-by: Christoph Hellwig <[hidden email]>
> Reviewed-by: Darrick J. Wong <[hidden email]>
> Signed-off-by: Darrick J. Wong <[hidden email]>
> (backported from 2c4306f719b083d17df2963bc761777576b8ad1b)
> Signed-off-by: Khalid Elmously <[hidden email]>
> ---
>  fs/xfs/xfs_bmap.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c
> index 6beb7a93a0e9..41013924bdcd 100644
> --- a/fs/xfs/xfs_bmap.c
> +++ b/fs/xfs/xfs_bmap.c
> @@ -823,6 +823,8 @@ xfs_bmap_extents_to_btree(
>   *logflagsp = 0;
>   if ((error = xfs_alloc_vextent(&args))) {
>   xfs_iroot_realloc(ip, -1, whichfork);
> + ASSERT(ifp->if_broot == NULL);
> + XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
>   xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
>   return error;
>   }
>

Applied to trusty/master-next branch.

Thanks,
Kleber


APPLIED[Bionic]: [SRU][X/A/B][PATCH 1/1] xfs: set format back to extents if xfs_bmap_extents_to_btree

Kleber Souza
In reply to this post by Khaled Elmously
On 07/06/18 07:33, Khalid Elmously wrote:

> From: Eric Sandeen <[hidden email]>
>
> CVE-2018-10323
>
> If xfs_bmap_extents_to_btree fails in a mode where we call
> xfs_iroot_realloc(-1) to de-allocate the root, set the
> format back to extents.
>
> Otherwise we can assume we can dereference ifp->if_broot
> based on the XFS_DINODE_FMT_BTREE format, and crash.
>
> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
> Signed-off-by: Eric Sandeen <[hidden email]>
> Reviewed-by: Christoph Hellwig <[hidden email]>
> Reviewed-by: Darrick J. Wong <[hidden email]>
> Signed-off-by: Darrick J. Wong <[hidden email]>
> (cherry-picked from 2c4306f719b083d17df2963bc761777576b8ad1b)
> Signed-off-by: Khalid Elmously <[hidden email]>
> ---
>  fs/xfs/libxfs/xfs_bmap.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
> index 1bddbba6b80c..c756db755a5a 100644
> --- a/fs/xfs/libxfs/xfs_bmap.c
> +++ b/fs/xfs/libxfs/xfs_bmap.c
> @@ -725,12 +725,16 @@ xfs_bmap_extents_to_btree(
>   *logflagsp = 0;
>   if ((error = xfs_alloc_vextent(&args))) {
>   xfs_iroot_realloc(ip, -1, whichfork);
> + ASSERT(ifp->if_broot == NULL);
> + XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
>   xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
>   return error;
>   }
>  
>   if (WARN_ON_ONCE(args.fsbno == NULLFSBLOCK)) {
>   xfs_iroot_realloc(ip, -1, whichfork);
> + ASSERT(ifp->if_broot == NULL);
> + XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
>   xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
>   return -ENOSPC;
>   }
>

Applied to bionic/master-next branch.

Thanks,
Kleber
