From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Theodore Ts'o" Date: Sat, 22 Sep 2018 01:15:42 +0100 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.16 33/63] ext4: never move the system.data xattr out of the inode body In-Reply-To: X-SA-Exim-Connect-IP: 2a02:8011:400e:2:cbab:f00:c93f:614 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.58-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Theodore Ts'o commit 8cdb5240ec5928b20490a2bb34cb87e9a5f40226 upstream. When expanding the extra isize space, we must never move the system.data xattr out of the inode body. For performance reasons, it doesn't make any sense, and the inline data implementation assumes that system.data xattr is never in the external xattr block. This addresses CVE-2018-10880 https://bugzilla.kernel.org/show_bug.cgi?id=200005 Signed-off-by: Theodore Ts'o [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- fs/ext4/xattr.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -1370,6 +1370,11 @@ retry: /* Find the entry best suited to be pushed into EA block */ entry = NULL; for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { + /* never move system.data out of the inode */ + if ((last->e_name_len == 4) && + (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) && + !memcmp(last->e_name, "data", 4)) + continue; total_size = EXT4_XATTR_SIZE(le32_to_cpu(last->e_value_size)) + EXT4_XATTR_LEN(last->e_name_len);
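Review bot: In the `for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last))` loop, the new `continue` means an inode body whose only entry is system.data leaves `entry` at the `NULL` assigned just before the loop. The code that follows the loop is outside this hunk's context, so please confirm it treats `entry == NULL` as "nothing can be moved" and fails the expansion cleanly instead of dereferencing it. As a style point on the same condition, the length `4` and the literal `"data"` are kept in sync by hand; a named constant for the attribute name, with its length derived from it, would keep the two from drifting apart.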