| From 117166efb1ee8f13c38f9e96b258f16d4923f888 Mon Sep 17 00:00:00 2001 |
| From: Theodore Ts'o <tytso@mit.edu> |
| Date: Tue, 22 May 2018 16:15:24 -0400 |
| Subject: ext4: do not allow external inodes for inline data |
| |
| From: Theodore Ts'o <tytso@mit.edu> |
| |
| commit 117166efb1ee8f13c38f9e96b258f16d4923f888 upstream. |
| |
| The inline data feature was implemented before we added support for |
| external inodes for xattrs. It makes no sense to support that |
| combination, but the problem is that there are a number of extended |
| attribute checks that are skipped if e_value_inum is non-zero. |
| |
| Unfortunately, the inline data code is completely e_value_inum |
| unaware, and attempts to interpret the xattr fields as if it were an |
| inline xattr --- at which point, Hilarity Ensues. |
| |
| This addresses CVE-2018-11412. |
| |
| https://bugzilla.kernel.org/show_bug.cgi?id=199803 |
| |
| Reported-by: Jann Horn <jannh@google.com> |
| Reviewed-by: Andreas Dilger <adilger@dilger.ca> |
| Signed-off-by: Theodore Ts'o <tytso@mit.edu> |
| Fixes: e50e5129f384 ("ext4: xattr-in-inode support") |
| Cc: stable@kernel.org |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/ext4/inline.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| --- a/fs/ext4/inline.c |
| +++ b/fs/ext4/inline.c |
| @@ -144,6 +144,12 @@ int ext4_find_inline_data_nolock(struct |
| goto out; |
| |
| if (!is.s.not_found) { |
| + if (is.s.here->e_value_inum) { |
| + EXT4_ERROR_INODE(inode, "inline data xattr refers " |
| + "to an external xattr inode"); |
| + error = -EFSCORRUPTED; |
| + goto out; |
| + } |
| EXT4_I(inode)->i_inline_off = (u16)((void *)is.s.here - |
| (void *)ext4_raw_inode(&is.iloc)); |
| EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE + |
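Review bot: The message passed to EXT4_ERROR_INODE in the added block is split across two string literals, so searching the source for the full text seen in the kernel log will not find this call site. Keeping it in one literal, `EXT4_ERROR_INODE(inode, "inline data xattr refers to an external xattr inode");`, lets anyone triaging a corrupted or crafted image trace the report back to this check. A short comment above the `if (is.s.here->e_value_inum)` test, for example `/* inline data is never stored in an external xattr inode; the code below reads this entry as an in-inode value */`, would record why the entry is rejected rather than handled. The body of ext4_find_inline_data_nolock starts before and continues past this hunk, so whether other inline-data paths read the same entry without an equivalent check cannot be judged from the lines shown.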