1 files changed, 34 insertions, 0 deletions

diff --git a/debian/patches/bugfix/all/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch b/debian/patches/bugfix/all/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
new file mode 100644
index 000000000000..ea530a7a2665
--- /dev/null
+++ b/debian/patches/bugfix/all/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
@@ -0,0 +1,34 @@
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 16 Jun 2018 15:40:48 -0400
+Subject: ext4: never move the system.data xattr out of the inode body
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=896003d9fd652666080a06411d4238ee6eb4fb76
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10880
+
+When expanding the extra isize space, we must never move the
+system.data xattr out of the inode body.  For performance reasons, it
+doesn't make any sense, and the inline data implementation assumes
+that system.data xattr is never in the external xattr block.
+
+This addresses CVE-2018-10880
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200005
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+---
+ fs/ext4/xattr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -2657,6 +2657,11 @@ static int ext4_xattr_make_inode_space(h
+ 		last = IFIRST(header);
+ 		/* Find the entry best suited to be pushed into EA block */
+ 		for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
++			/* never move system.data out of the inode */
++			if ((last->e_name_len == 4) &&
++			    (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) &&
++			    !memcmp(last->e_name, "data", 4))
++				continue;
+ 			total_size = EXT4_XATTR_LEN(last->e_name_len);
+ 			if (!last->e_value_inum)
+ 				total_size += EXT4_XATTR_SIZE(