[SRU][PATCH 0/1] Fix for CVE-2018-10323


Khalid Elmously
Clean cherry-pick for X/A/B. Seems like a straightforward backport for T

Eric Sandeen (1):
  xfs: set format back to extents if xfs_bmap_extents_to_btree

 fs/xfs/xfs_bmap.c | 2 ++
 1 file changed, 2 insertions(+)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[SRU][X/A/B][PATCH 1/1] xfs: set format back to extents if xfs_bmap_extents_to_btree

Khalid Elmously
From: Eric Sandeen <[hidden email]>

CVE-2018-10323

If xfs_bmap_extents_to_btree fails in a mode where we call
xfs_iroot_realloc(-1) to de-allocate the root, set the
format back to extents.

Otherwise we can assume we can dereference ifp->if_broot
based on the XFS_DINODE_FMT_BTREE format, and crash.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
Signed-off-by: Eric Sandeen <[hidden email]>
Reviewed-by: Christoph Hellwig <[hidden email]>
Reviewed-by: Darrick J. Wong <[hidden email]>
Signed-off-by: Darrick J. Wong <[hidden email]>
(cherry-picked from 2c4306f719b083d17df2963bc761777576b8ad1b)
Signed-off-by: Khalid Elmously <[hidden email]>
---
 fs/xfs/libxfs/xfs_bmap.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
index 1bddbba6b80c..c756db755a5a 100644
--- a/fs/xfs/libxfs/xfs_bmap.c
+++ b/fs/xfs/libxfs/xfs_bmap.c
@@ -725,12 +725,16 @@ xfs_bmap_extents_to_btree(
  *logflagsp = 0;
  if ((error = xfs_alloc_vextent(&args))) {
  xfs_iroot_realloc(ip, -1, whichfork);
+ ASSERT(ifp->if_broot == NULL);
+ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
  xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
  return error;
  }
 
  if (WARN_ON_ONCE(args.fsbno == NULLFSBLOCK)) {
  xfs_iroot_realloc(ip, -1, whichfork);
+ ASSERT(ifp->if_broot == NULL);
+ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
  xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
  return -ENOSPC;
  }
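
Review bot: both error branches in this hunk (after xfs_alloc_vextent() fails, and under WARN_ON_ONCE(args.fsbno == NULLFSBLOCK)) reset the fork format without a comment saying why, so the link between xfs_iroot_realloc(ip, -1, whichfork) dropping the root and the format tag having to go back to XFS_DINODE_FMT_EXTENTS is only recoverable from the commit message. A one-line comment above XFS_IFORK_FMT_SET would make that invariant visible at the call site. The ASSERT(ifp->if_broot == NULL) only states the expectation; the XFS_IFORK_FMT_SET line is the one that changes state. Since the same cleanup sequence now appears twice, a shared error label would also keep the two paths from drifting apart in later backports.
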
--
2.17.1



[SRU][T][PATCH 1/1] xfs: set format back to extents if xfs_bmap_extents_to_btree

Khalid Elmously
In reply to this post by Khalid Elmously
From: Eric Sandeen <[hidden email]>

CVE-2018-10323

If xfs_bmap_extents_to_btree fails in a mode where we call
xfs_iroot_realloc(-1) to de-allocate the root, set the
format back to extents.

Otherwise we can assume we can dereference ifp->if_broot
based on the XFS_DINODE_FMT_BTREE format, and crash.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
Signed-off-by: Eric Sandeen <[hidden email]>
Reviewed-by: Christoph Hellwig <[hidden email]>
Reviewed-by: Darrick J. Wong <[hidden email]>
Signed-off-by: Darrick J. Wong <[hidden email]>
(backported from 2c4306f719b083d17df2963bc761777576b8ad1b)
Signed-off-by: Khalid Elmously <[hidden email]>
---
 fs/xfs/xfs_bmap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c
index 6beb7a93a0e9..41013924bdcd 100644
--- a/fs/xfs/xfs_bmap.c
+++ b/fs/xfs/xfs_bmap.c
@@ -823,6 +823,8 @@ xfs_bmap_extents_to_btree(
  *logflagsp = 0;
  if ((error = xfs_alloc_vextent(&args))) {
  xfs_iroot_realloc(ip, -1, whichfork);
+ ASSERT(ifp->if_broot == NULL);
+ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
  xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
  return error;
  }
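
Review bot: this backport resets the format only in the xfs_alloc_vextent() failure branch, while the X/A/B version of the same commit in this thread also patches a second branch under WARN_ON_ONCE(args.fsbno == NULLFSBLOCK), and the commit message says "backported from" without recording what was dropped or why. A short bracketed backport note above the final Signed-off-by, stating that this tree has only the one failure path that calls xfs_iroot_realloc(ip, -1, whichfork), would let a later reviewer confirm the difference (2 insertions here against 4 in the X/A/B patch) without diffing both trees.
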
--
2.17.1



ACK: [SRU][PATCH 0/1] Fix for CVE-2018-10323

Stefan Bader-2
In reply to this post by Khalid Elmously
On 06.07.2018 07:33, Khalid Elmously wrote:
> Clean cherry-pick for X/A/B. Seems like a straightforward backport for T
>
> Eric Sandeen (1):
>   xfs: set format back to extents if xfs_bmap_extents_to_btree
>
>  fs/xfs/xfs_bmap.c | 2 ++
>  1 file changed, 2 insertions(+)
>
Acked-by: Stefan Bader <[hidden email]>

Looks like trusty indeed has only one failure case like described.

