From: Daniel Rosenberg <drosen@google.com>
To: stable@vger.kernel.org
Cc: Theodore Ts'o <tytso@mit.edu>, Daniel Rosenberg <drosen@google.com>
Subject: [PATCH 2/2] ext4: always verify the magic number in xattr blocks
Date: Fri, 5 Oct 2018 17:51:29 -0700 [thread overview]
Message-ID: <20181006005129.166109-3-drosen@google.com> (raw)
In-Reply-To: <20181006005129.166109-1-drosen@google.com>
From: Theodore Ts'o <tytso@mit.edu>
commit 513f86d73855ce556ea9522b6bfd79f87356dc3a upstream.
If there an inode points to a block which is also some other type of
metadata block (such as a block allocation bitmap), the
buffer_verified flag can be set when it was validated as that other
metadata block type; however, it would make a really terrible external
attribute block. The reason why we use the verified flag is to avoid
constantly reverifying the block. However, it doesn't take much
overhead to make sure the magic number of the xattr block is correct,
and this will avoid potential crashes.
This addresses CVE-2018-10879.
https://bugzilla.kernel.org/show_bug.cgi?id=200001
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
[Backported to 4.4: adjust context]
Signed-off-by: Daniel Rosenberg <drosen@google.com>
---
fs/ext4/xattr.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index b1a2d1cd23e55..ba2a12b34ff16 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -220,12 +220,12 @@ ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh)
{
int error;
- if (buffer_verified(bh))
- return 0;
-
if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) ||
BHDR(bh)->h_blocks != cpu_to_le32(1))
return -EFSCORRUPTED;
+ if (buffer_verified(bh))
+ return 0;
+
if (!ext4_xattr_block_csum_verify(inode, bh->b_blocknr, BHDR(bh)))
return -EFSBADCRC;
error = ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size,
--
2.19.0.605.g01d371f741-goog
next prev parent reply other threads:[~2018-10-06 7:56 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-06 0:51 [PATCH 0/2] A couple recent ext4 CVE fixes Daniel Rosenberg
2018-10-06 0:51 ` [PATCH 1/2] ext4: add corruption check in ext4_xattr_set_entry() Daniel Rosenberg
2018-10-06 0:51 ` Daniel Rosenberg [this message]
2018-10-11 9:19 ` [PATCH 0/2] A couple recent ext4 CVE fixes Greg KH
2018-10-06 0:55 Daniel Rosenberg
2018-10-06 0:55 ` [PATCH 2/2] ext4: always verify the magic number in xattr blocks Daniel Rosenberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181006005129.166109-3-drosen@google.com \
--to=drosen@google.com \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.