From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Theodore Tso, Andreas Dilger, Ben Hutchings, Daniel Rosenberg
Subject: [PATCH 4.4 12/27] ext4: add corruption check in ext4_xattr_set_entry()
Date: Thu, 11 Oct 2018 17:34:59 +0200
Message-Id: <20181011152534.616949415@linuxfoundation.org>
In-Reply-To: <20181011152534.014964888@linuxfoundation.org>
References: <20181011152534.014964888@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o

commit 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d upstream.

In theory this should have been caught earlier when the xattr list was
verified, but in case it got missed, it's simple enough to add a check
to make sure we don't overrun the xattr buffer.

This addresses CVE-2018-10879.

https://bugzilla.kernel.org/show_bug.cgi?id=200001

Signed-off-by: Theodore Ts'o
Reviewed-by: Andreas Dilger
[bwh: Backported to 3.16:
 - Add inode parameter to ext4_xattr_set_entry() and update callers
 - Return -EIO instead of -EFSCORRUPTED on error
 - Adjust context]
Signed-off-by: Ben Hutchings
[adjusted for 4.4 context]
Signed-off-by: Daniel Rosenberg
Signed-off-by: Greg Kroah-Hartman
---
 fs/ext4/xattr.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -638,14 +638,20 @@ static size_t ext4_xattr_free_space(stru } static int -ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s) +ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s, + struct inode *inode) { - struct ext4_xattr_entry *last; + struct ext4_xattr_entry *last, *next; size_t free, min_offs = s->end - s->base, name_len = strlen(i->name); /* Compute min_offs and last. */ last = s->first; - for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { + for (; !IS_LAST_ENTRY(last); last = next) { + next = EXT4_XATTR_NEXT(last); + if ((void *)next >= s->end) { + EXT4_ERROR_INODE(inode, "corrupted xattr entries"); + return -EIO; + } if (!last->e_value_block && last->e_value_size) { size_t offs = le16_to_cpu(last->e_value_offs); if (offs < min_offs) @@ -825,7 +831,7 @@ ext4_xattr_block_set(handle_t *handle, s ce = NULL; } ea_bdebug(bs->bh, "modifying in-place"); - error = ext4_xattr_set_entry(i, s); + error = ext4_xattr_set_entry(i, s, inode); if (!error) { if (!IS_LAST_ENTRY(s->first)) ext4_xattr_rehash(header(s->base), @@ -875,7 +881,7 @@ ext4_xattr_block_set(handle_t *handle, s s->end = s->base + sb->s_blocksize; } - error = ext4_xattr_set_entry(i, s); + error = ext4_xattr_set_entry(i, s, inode); if (error == -EFSCORRUPTED) goto bad_block; if (error) @@ -1037,7 +1043,7 @@ int ext4_xattr_ibody_inline_set(handle_t if (EXT4_I(inode)->i_extra_isize == 0) return -ENOSPC; - error = ext4_xattr_set_entry(i, s); + error = ext4_xattr_set_entry(i, s, inode); if (error) { if (error == -ENOSPC && ext4_has_inline_data(inode)) { @@ -1049,7 +1055,7 @@ int ext4_xattr_ibody_inline_set(handle_t error = ext4_xattr_ibody_find(inode, i, is); if (error) return error; - error = ext4_xattr_set_entry(i, s); + error = ext4_xattr_set_entry(i, s, inode); } if (error) return error; 
@@ -1075,7 +1081,7 @@ static int ext4_xattr_ibody_set(handle_t if (EXT4_I(inode)->i_extra_isize == 0) return -ENOSPC; - error = ext4_xattr_set_entry(i, s); + error = ext4_xattr_set_entry(i, s, inode); if (error) return error; header = IHDR(inode, ext4_raw_inode(&is->iloc));
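
Review bot: in the first hunk (ext4_xattr_set_entry(), @@ -638), the new test `(void *)next >= s->end` only establishes that the start of the next entry lies inside the buffer, while the loop then evaluates IS_LAST_ENTRY(last) on that entry and reads last->e_value_block, last->e_value_size and last->e_value_offs from it. Please add a comment stating which invariant (entry alignment, or the earlier list verification the changelog mentions) guarantees those reads stay below s->end, or extend the comparison so it covers the bytes that are actually read. Note also that s->first is passed to IS_LAST_ENTRY() before any bounds check runs.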
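
Review bot: in the @@ -875 hunk of ext4_xattr_block_set(), the context line `if (error == -EFSCORRUPTED) goto bad_block;` directly after the updated call shows that this tree already uses -EFSCORRUPTED, yet the check added in the first hunk returns -EIO, a choice the changelog attributes to the 3.16 backport. A corrupted entry list caught by the new check will therefore bypass bad_block at this call site and fall through to the generic `if (error)` handling. Consider returning -EFSCORRUPTED in the 4.4 version, or say in the "[adjusted for 4.4 context]" note why -EIO is kept.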