diff options
Diffstat (limited to 'debian/patches/bugfix/all/ext4-always-verify-the-magic-number-in-xattr-blocks.patch')
-rw-r--r-- | debian/patches/bugfix/all/ext4-always-verify-the-magic-number-in-xattr-blocks.patch | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/debian/patches/bugfix/all/ext4-always-verify-the-magic-number-in-xattr-blocks.patch b/debian/patches/bugfix/all/ext4-always-verify-the-magic-number-in-xattr-blocks.patch new file mode 100644 index 000000000000..2522bcb4c422 --- /dev/null +++ b/debian/patches/bugfix/all/ext4-always-verify-the-magic-number-in-xattr-blocks.patch @@ -0,0 +1,45 @@ +From: Theodore Ts'o <tytso@mit.edu> +Date: Wed, 13 Jun 2018 00:51:28 -0400 +Subject: ext4: always verify the magic number in xattr blocks +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=3345c50533c6a17ebc0284362ca7b69aaef37ac4 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10879 + +If there an inode points to a block which is also some other type of +metadata block (such as a block allocation bitmap), the +buffer_verified flag can be set when it was validated as that other +metadata block type; however, it would make a really terrible external +attribute block. The reason why we use the verified flag is to avoid +constantly reverifying the block. However, it doesn't take much +overhead to make sure the magic number of the xattr block is correct, +and this will avoid potential crashes. + +This addresses CVE-2018-10879. + +https://bugzilla.kernel.org/show_bug.cgi?id=200001 + +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Reviewed-by: Andreas Dilger <adilger@dilger.ca> +--- + fs/ext4/xattr.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index 230ba79715f6..0263692979ec 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -230,12 +230,12 @@ __ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh, + { + int error = -EFSCORRUPTED; + +- if (buffer_verified(bh)) +- return 0; +- + if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || + BHDR(bh)->h_blocks != cpu_to_le32(1)) + goto errout; ++ if (buffer_verified(bh)) ++ return 0; ++ + error = -EFSBADCRC; + if (!ext4_xattr_block_csum_verify(inode, bh)) + goto errout; |