linux/fs/ext4
Theodore Ts'o 8a2b307c21 ext4: correctly handle a zero-length xattr with a non-zero e_value_offs
Ext4 will always create ext4 extended attributes which do not have a
value (where e_value_size is zero) with e_value_offs set to zero.  In
most places e_value_offs will not be used in a substantive way if
e_value_size is zero.

There was one exception to this, which is in ext4_xattr_set_entry(),
where if there is a maliciously crafted file system where there is an
extended attribute with e_value_offs is non-zero and e_value_size is
0, the attempt to remove this xattr will result in a negative value
getting passed to memmove, leading to the following sadness:

[   41.225365] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[   44.538641] BUG: unable to handle kernel paging request at ffff9ec9a3000000
[   44.538733] IP: __memmove+0x81/0x1a0
[   44.538755] PGD 1249bd067 P4D 1249bd067 PUD 1249c1067 PMD 80000001230000e1
[   44.538793] Oops: 0003 [#1] SMP PTI
[   44.539074] CPU: 0 PID: 1470 Comm: poc Not tainted 4.16.0-rc1+ #1
    ...
[   44.539475] Call Trace:
[   44.539832]  ext4_xattr_set_entry+0x9e7/0xf80
    ...
[   44.539972]  ext4_xattr_block_set+0x212/0xea0
    ...
[   44.540041]  ext4_xattr_set_handle+0x514/0x610
[   44.540065]  ext4_xattr_set+0x7f/0x120
[   44.540090]  __vfs_removexattr+0x4d/0x60
[   44.540112]  vfs_removexattr+0x75/0xe0
[   44.540132]  removexattr+0x4d/0x80
    ...
[   44.540279]  path_removexattr+0x91/0xb0
[   44.540300]  SyS_removexattr+0xf/0x20
[   44.540322]  do_syscall_64+0x71/0x120
[   44.540344]  entry_SYSCALL_64_after_hwframe+0x21/0x86

https://bugzilla.kernel.org/show_bug.cgi?id=199347

This addresses CVE-2018-10840.

Reported-by: "Xu, Wen" <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
Fixes: dec214d00e ("ext4: xattr inode deduplication")
2018-05-23 11:31:03 -04:00
..
acl.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
acl.h ext4: fix up remaining files with SPDX cleanups 2017-12-17 22:00:59 -05:00
balloc.c ext4: mark block bitmap corrupted when found 2018-05-12 12:37:58 -04:00
bitmap.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
block_validity.c ext4: use 'sbi' instead of 'EXT4_SB(sb)' 2018-01-11 13:17:49 -05:00
dir.c ext4: force revalidation of directory pointer after seekdir(2) 2018-04-01 23:21:03 -04:00
ext4_extents.h ext4: fix up remaining files with SPDX cleanups 2017-12-17 22:00:59 -05:00
ext4_jbd2.c ext4: shutdown should not prevent get_write_access 2018-02-18 22:07:36 -05:00
ext4_jbd2.h ext4: fix up remaining files with SPDX cleanups 2017-12-17 22:00:59 -05:00
ext4.h ext4: add new ext4_mark_group_bitmap_corrupted() helper 2018-05-12 11:39:40 -04:00
extents_status.c ext4: remove NULL check before calling kmem_cache_destroy() 2018-05-20 22:44:13 -04:00
extents_status.h ext4: fix up remaining files with SPDX cleanups 2017-12-17 22:00:59 -05:00
extents.c ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS 2018-04-12 11:48:09 -04:00
file.c ext4: do not update s_last_mounted of a frozen fs 2018-05-13 22:54:44 -04:00
fsmap.c ext4: make function ‘ext4_getfsmap_find_fixed_metadata’ static 2018-05-10 11:50:04 -04:00
fsmap.h ext4: fix up remaining files with SPDX cleanups 2017-12-17 22:00:59 -05:00
fsync.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hash.c ext4: fix up remaining files with SPDX cleanups 2017-12-17 22:00:59 -05:00
ialloc.c ext4: mark inode bitmap corrupted when found 2018-05-12 12:15:21 -04:00
indirect.c ext4: fix hole length detection in ext4_ind_map_blocks() 2018-05-12 19:55:00 -04:00
inline.c ext4: do not allow external inodes for inline data 2018-05-22 16:15:24 -04:00
inode.c ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() 2018-05-22 17:14:07 -04:00
ioctl.c ext4: remove EXT4_STATE_DIOREAD_LOCK flag 2018-03-22 11:52:10 -04:00
Kconfig fs/*/Kconfig: drop links to 404-compliant http://acl.bestbits.at 2018-01-01 12:45:37 -07:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mballoc.c ext4: remove NULL check before calling kmem_cache_destroy() 2018-05-20 22:44:13 -04:00
mballoc.h ext4: fix up remaining files with SPDX cleanups 2017-12-17 22:00:59 -05:00
migrate.c ext4: fix up remaining files with SPDX cleanups 2017-12-17 22:00:59 -05:00
mmp.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
move_extent.c ext4: remove EXT4_STATE_DIOREAD_LOCK flag 2018-03-22 11:52:10 -04:00
namei.c Refactor support for encrypted symlinks to move common code to fscrypt. 2018-02-04 10:43:12 -08:00
page-io.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
readpage.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
resize.c ext4: use 'sbi' instead of 'EXT4_SB(sb)' 2018-01-11 13:17:49 -05:00
super.c ext4: report delalloc reserve as non-free in statfs for project quota 2018-05-20 22:49:54 -04:00
symlink.c ext4: switch to fscrypt_get_symlink() 2018-01-11 22:10:40 -05:00
sysfs.c ext4: simplify kobject usage 2018-03-30 00:41:34 -04:00
truncate.h ext4: fix up remaining files with SPDX cleanups 2017-12-17 22:00:59 -05:00
xattr_security.c ext4: use XATTR_CREATE in ext4_initxattrs() 2018-05-10 11:52:14 -04:00
xattr_trusted.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xattr_user.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xattr.c ext4: correctly handle a zero-length xattr with a non-zero e_value_offs 2018-05-23 11:31:03 -04:00
xattr.h ext4: add extra checks to ext4_xattr_block_get() 2018-03-30 20:04:11 -04:00