Diffstat (limited to 'debian/patches/bugfix/all/ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch')
-rw-r--r--debian/patches/bugfix/all/ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch45
1 files changed, 45 insertions, 0 deletions
diff --git a/debian/patches/bugfix/all/ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch b/debian/patches/bugfix/all/ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch
new file mode 100644
index 000000000000..06220d2f2f8e
--- /dev/null
+++ b/debian/patches/bugfix/all/ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch
@@ -0,0 +1,45 @@
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 14 Jun 2018 12:55:10 -0400
+Subject: ext4: verify the depth of extent tree in ext4_find_extent()
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=0a8173832987f52ab6926dbdf1cd3991ca615000
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10877
+
+If there is a corupted file system where the claimed depth of the
+extent tree is -1, this can cause a massive buffer overrun leading to
+sadness.
+
+This addresses CVE-2018-10877.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=199417
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+---
+ fs/ext4/ext4_extents.h | 1 +
+ fs/ext4/extents.c | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+--- a/fs/ext4/ext4_extents.h
++++ b/fs/ext4/ext4_extents.h
+@@ -91,6 +91,7 @@ struct ext4_extent_header {
+ };
+
+ #define EXT4_EXT_MAGIC cpu_to_le16(0xf30a)
++#define EXT4_MAX_EXTENT_DEPTH 5
+
+ #define EXT4_EXTENT_TAIL_OFFSET(hdr) \
+ (sizeof(struct ext4_extent_header) + \
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -869,6 +869,12 @@ ext4_find_extent(struct inode *inode, ex
+
+ eh = ext_inode_hdr(inode);
+ depth = ext_depth(inode);
++ if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) {
++ EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d",
++ depth);
++ ret = -EFSCORRUPTED;
++ goto err;
++ }
+
+ if (path) {
+ ext4_ext_drop_refs(path);
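Review bot: `EXT4_MAX_EXTENT_DEPTH 5` in the ext4_extents.h hunk is a bare magic number, although it is the bound that decides whether a depth read from an on-disk (possibly crafted) extent header is accepted in ext4_find_extent(). It should carry a comment such as `/* Largest extent-tree depth accepted from disk; anything outside 0..5 is treated as corruption */`. The `depth < 0` arm can only catch the claimed depth of -1 if `depth` is declared as a signed type, and that declaration lies outside the hunk, so it should be confirmed. The guard is also added at this one call site only, so any other path that uses ext_depth() to size or index a path array (none is visible in this patch) would still see the unvalidated value. The body of ext4_find_extent() starts and ends outside the quoted context.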