| From 513f86d73855ce556ea9522b6bfd79f87356dc3a Mon Sep 17 00:00:00 2001 |
| From: Theodore Ts'o <tytso@mit.edu> |
| Date: Wed, 13 Jun 2018 00:51:28 -0400 |
| Subject: ext4: always verify the magic number in xattr blocks |
| |
| From: Theodore Ts'o <tytso@mit.edu> |
| |
| commit 513f86d73855ce556ea9522b6bfd79f87356dc3a upstream. |
| |
| If an inode points to a block which is also some other type of |
| metadata block (such as a block allocation bitmap), the |
| buffer_verified flag can be set when it was validated as that other |
| metadata block type; however, it would make a really terrible external |
| attribute block. The reason why we use the verified flag is to avoid |
| constantly reverifying the block. However, it doesn't take much |
| overhead to make sure the magic number of the xattr block is correct, |
| and this will avoid potential crashes. |
| |
| This addresses CVE-2018-10879. |
| |
| https://bugzilla.kernel.org/show_bug.cgi?id=200001 |
| |
| Signed-off-by: Theodore Ts'o <tytso@mit.edu> |
| Reviewed-by: Andreas Dilger <adilger@dilger.ca> |
| [Backported to 4.9: adjust context] |
| Signed-off-by: Daniel Rosenberg <drosen@google.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| fs/ext4/xattr.c | 6 +++--- |
| 1 file changed, 3 insertions(+), 3 deletions(-) |
| |
| --- a/fs/ext4/xattr.c |
| +++ b/fs/ext4/xattr.c |
| @@ -209,12 +209,12 @@ ext4_xattr_check_block(struct inode *ino |
| { |
| int error; |
| |
| - if (buffer_verified(bh)) |
| - return 0; |
| - |
| if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || |
| BHDR(bh)->h_blocks != cpu_to_le32(1)) |
| return -EFSCORRUPTED; |
| + if (buffer_verified(bh)) |
| + return 0; |
| + |
| if (!ext4_xattr_block_csum_verify(inode, bh)) |
| return -EFSBADCRC; |
| error = ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size, |
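Review bot: The `buffer_verified(bh)` early return, now placed after the header comparison, still bypasses `ext4_xattr_block_csum_verify()` and `ext4_xattr_check_names()`, so the entry layout is trusted because of a flag that the commit message says can be set while the block is validated as a different metadata type. The unconditional check covers only `h_magic` and `h_blocks`; whether a block that satisfies both can still be marked verified by another validator is not visible in this hunk and is worth confirming. The ordering also deserves a comment above the magic test so that it is not later moved back as an optimization, for example `/* buffer_verified() is not type-specific: recheck the xattr header before trusting it */`. The function body continues past the end of the hunk.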