From: Greg Kroah-Hartman Date: Fri, 12 Oct 2018 11:07:51 +0000 (+0200) Subject: drop ext4-add-corruption-check-in-ext4_xattr_set_entry.patch from 4.4 X-Git-Tag: v3.18.124~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5efd7db6c49d4562ffda74351baad4dc206f493e;p=thirdparty%2Fkernel%2Fstable-queue.git drop ext4-add-corruption-check-in-ext4_xattr_set_entry.patch from 4.4 --- diff --git a/queue-4.4/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch b/queue-4.4/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch deleted file mode 100644 index 04d2eb58d42..00000000000 --- a/queue-4.4/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d Mon Sep 17 00:00:00 2001 -From: Theodore Ts'o -Date: Wed, 13 Jun 2018 00:23:11 -0400 -Subject: ext4: add corruption check in ext4_xattr_set_entry() - -From: Theodore Ts'o - -commit 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d upstream. - -In theory this should have been caught earlier when the xattr list was -verified, but in case it got missed, it's simple enough to add check -to make sure we don't overrun the xattr buffer. - -This addresses CVE-2018-10879. - -https://bugzilla.kernel.org/show_bug.cgi?id=200001 - -Signed-off-by: Theodore Ts'o -Reviewed-by: Andreas Dilger -[bwh: Backported to 3.16: - - Add inode parameter to ext4_xattr_set_entry() and update callers - - Return -EIO instead of -EFSCORRUPTED on error - - Adjust context] -Signed-off-by: Ben Hutchings -[adjusted for 4.4 context] -Signed-off-by: Daniel Rosenberg -Signed-off-by: Greg Kroah-Hartman ---- - fs/ext4/xattr.c | 22 ++++++++++++++-------- - 1 file changed, 14 insertions(+), 8 deletions(-) - ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -638,14 +638,20 @@ static size_t ext4_xattr_free_space(stru - } - - static int --ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s) -+ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s, -+ struct inode *inode) - { -- struct ext4_xattr_entry *last; -+ struct ext4_xattr_entry *last, *next; - size_t free, min_offs = s->end - s->base, name_len = strlen(i->name); - - /* Compute min_offs and last. */ - last = s->first; -- for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { -+ for (; !IS_LAST_ENTRY(last); last = next) { -+ next = EXT4_XATTR_NEXT(last); -+ if ((void *)next >= s->end) { -+ EXT4_ERROR_INODE(inode, "corrupted xattr entries"); -+ return -EIO; -+ } - if (!last->e_value_block && last->e_value_size) { - size_t offs = le16_to_cpu(last->e_value_offs); - if (offs < min_offs) -@@ -825,7 +831,7 @@ ext4_xattr_block_set(handle_t *handle, s - ce = NULL; - } - ea_bdebug(bs->bh, "modifying in-place"); -- error = ext4_xattr_set_entry(i, s); -+ error = ext4_xattr_set_entry(i, s, inode); - if (!error) { - if (!IS_LAST_ENTRY(s->first)) - ext4_xattr_rehash(header(s->base), -@@ -875,7 +881,7 @@ ext4_xattr_block_set(handle_t *handle, s - s->end = s->base + sb->s_blocksize; - } - -- error = ext4_xattr_set_entry(i, s); -+ error = ext4_xattr_set_entry(i, s, inode); - if (error == -EFSCORRUPTED) - goto bad_block; - if (error) -@@ -1037,7 +1043,7 @@ int ext4_xattr_ibody_inline_set(handle_t - - if (EXT4_I(inode)->i_extra_isize == 0) - return -ENOSPC; -- error = ext4_xattr_set_entry(i, s); -+ error = ext4_xattr_set_entry(i, s, inode); - if (error) { - if (error == -ENOSPC && - ext4_has_inline_data(inode)) { -@@ -1049,7 +1055,7 @@ int ext4_xattr_ibody_inline_set(handle_t - error = ext4_xattr_ibody_find(inode, i, is); - if (error) - return error; -- error = ext4_xattr_set_entry(i, s); -+ error = ext4_xattr_set_entry(i, s, inode); - } - if (error) - return error; -@@ -1075,7 +1081,7 @@ static int ext4_xattr_ibody_set(handle_t - - if (EXT4_I(inode)->i_extra_isize == 0) - return -ENOSPC; -- error = ext4_xattr_set_entry(i, s); -+ error = ext4_xattr_set_entry(i, s, inode); - if (error) - return error; - header = IHDR(inode, ext4_raw_inode(&is->iloc)); diff --git a/queue-4.4/series b/queue-4.4/series index 03882e9b33e..719a9a3b6b8 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -9,7 +9,6 @@ dm-cache-fix-resize-crash-if-user-doesn-t-reload-cache-table.patch xhci-add-missing-cas-workaround-for-intel-sunrise-point-xhci.patch usb-serial-simple-add-motorola-tetra-mtp6550-id.patch of-unittest-disable-interrupt-node-tests-for-old-world-mac-systems.patch -ext4-add-corruption-check-in-ext4_xattr_set_entry.patch ext4-always-verify-the-magic-number-in-xattr-blocks.patch cgroup-fix-deadlock-in-cpu-hotplug-path.patch ath10k-fix-use-after-free-in-ath10k_wmi_cmd_send_nowait.patch