Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp2006937imm;
        Tue, 10 Jul 2018 11:28:55 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpe0Kza8fIkhzd9cOIFIrTjOshnDugsip0LcI3sYEvdvWrJwaVYQ7aOoANbFQiN1Yz7sMM9U
X-Received: by 2002:a63:7c5c:: with SMTP id l28-v6mr24194163pgn.352.1531247335839;
        Tue, 10 Jul 2018 11:28:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1531247335; cv=none;
        d=google.com; s=arc-20160816;
        b=WCUOxodwbBb2Fy3fkCxBIDpQpVpRMVXydwYpWvaOet0rj0kE6SV/6y+BVJRQZLhwke
         Ttw4YpyWT974RFIO4XgxTUP9xq88WS3fQu89Xgm1bfhWy/5D0tH64pwJ8IJE8uRV+4vd
         JAYjDmC7obS/31UUmzotJLvRJlWCnrfIH0tvCyMwkQKgGs2egPySD0E3h4gVedLPrd66
         phIp32v+wBbqmrfhO/F9GIx6AcVNpuMNDaLseb9ZNMZlkasWaHsDL6uP/H5Kc+BZU45v
         /OkQ4gRVpRRi/JSGqLfQGsiBP+BAqXE0TC1HXMvp2IjGCB+iuqI3CShzTbBbnplL/zm1
         M8Yw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=6C61rjFUr62Y8IKW2F/0MxLdDbVKUV99kSP/aqUn5p0=;
        b=UTSaCSO86HJYs7OzyMGYEiS7KfYqcjIoC3QEYeXJw/wGkT4Y+459IthaG0NWgfEcHh
         xg9e67qfFsx6M635Kjp24omwHEpsEwq3kYmhujDWqXRla/68VEDsA2au1uN8q+8T64ZH
         FrJdRKvIM3hGb50PgvAg+NPCS9UDC8xZNze+S+Cv0UHCmUMTSCVfo7I3r10+xCQq2Jl4
         rEGKqMqXnKeTm2oL0B5bxFFaDo5RqvxSz1AVd35fn8VHSoVl8tqrS5XCscfmEgevY62m
         W61xfHZY85IQeACgIMDkuwKY4Q7fiYC6Ch64b85t4i6icdEI34MR8BezM4sDHzM2pNin
         vzEQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m24-v6si16682021pgl.452.2018.07.10.11.28.40;
        Tue, 10 Jul 2018 11:28:55 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732938AbeGJS07 (ORCPT <rfc822;414256we@gmail.com> + 99 others);
        Tue, 10 Jul 2018 14:26:59 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:44642 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1732909AbeGJS06 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 10 Jul 2018 14:26:58 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 2B2AADB4;
        Tue, 10 Jul 2018 18:26:48 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Theodore Tso <tytso@mit.edu>,
        stable@kernel.org
Subject: [PATCH 3.18 12/23] ext4: clear i_data in ext4_inode_info when removing inline data
Date:   Tue, 10 Jul 2018 20:24:45 +0200
Message-Id: <20180710182309.410649178@linuxfoundation.org>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <20180710182308.877332304@linuxfoundation.org>
References: <20180710182308.877332304@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 6e8ab72a812396996035a37e5ca4b3b99b5d214b upstream.

When converting from an inode from storing the data in-line to a data
block, ext4_destroy_inline_data_nolock() was only clearing the on-disk
copy of the i_blocks[] array.  It was not clearing copy of the
i_blocks[] in ext4_inode_info, in i_data[], which is the copy actually
used by ext4_map_blocks().

This didn't matter much if we are using extents, since the extents
header would be invalid and thus the extents could would re-initialize
the extents tree.  But if we are using indirect blocks, the previous
contents of the i_blocks array will be treated as block numbers, with
potentially catastrophic results to the file system integrity and/or
user data.

This gets worse if the file system is using a 1k block size and
s_first_data is zero, but even without this, the file system can get
quite badly corrupted.

This addresses CVE-2018-10881.

https://bugzilla.kernel.org/show_bug.cgi?id=200015

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/inline.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -432,6 +432,7 @@ static int ext4_destroy_inline_data_nolo
 
 	memset((void *)ext4_raw_inode(&is.iloc)->i_block,
 		0, EXT4_MIN_INLINE_DATA_SIZE);
+	memset(ei->i_data, 0, EXT4_MIN_INLINE_DATA_SIZE);
 
 	if (EXT4_HAS_INCOMPAT_FEATURE(inode->i_sb,
 				      EXT4_FEATURE_INCOMPAT_EXTENTS)) {