iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs
History
Theodore Ts'o fb751efb29 ext4: always verify the magic number in xattr blocks 
commit 513f86d73855ce556ea9522b6bfd79f87356dc3a upstream.

If there an inode points to a block which is also some other type of
metadata block (such as a block allocation bitmap), the
buffer_verified flag can be set when it was validated as that other
metadata block type; however, it would make a really terrible external
attribute block.  The reason why we use the verified flag is to avoid
constantly reverifying the block.  However, it doesn't take much
overhead to make sure the magic number of the xattr block is correct,
and this will avoid potential crashes.

This addresses CVE-2018-10879.

https://bugzilla.kernel.org/show_bug.cgi?id=200001

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
[Backported to 4.4: adjust context]
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-13 09:11:33 +02:00
..
9p
fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed
2018-09-09 20:04:33 +02:00
adfs
fs/adfs: remove unneeded cast
2015-06-30 19:44:57 -07:00
affs
affs_lookup(): close a race with affs_remove_link()
2018-05-30 07:48:51 +02:00
afs
afs: Fix afs_kill_pages()
2017-12-20 10:04:56 +01:00
autofs4
autofs: fix autofs_sbi() does not check super block type
2018-09-19 22:49:00 +02:00
befs
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2015-07-04 19:36:06 -07:00
bfs
btrfs
btrfs: use correct compare function of dirty_metadata_bytes
2018-09-15 09:40:42 +02:00
cachefiles
cachefiles: Wait rather than BUG'ing on "Unexpected object collision"
2018-09-05 09:18:35 +02:00
ceph
ceph: drop negative child dentries before try pruning inode's alias
2017-12-20 10:04:52 +01:00
cifs
smb2: fix missing files in root share directory listing
2018-10-10 08:52:13 +02:00
coda
coda: fix 'kernel memory exposure attempt' in fsync
2017-11-24 08:32:25 +01:00
configfs
configfs: Fix race between create_link and configfs_rmdir
2017-06-26 07:13:08 +02:00
cramfs
debugfs
dentry name snapshots
2017-08-06 19:19:42 -07:00
devpts
devpts: clean up interface to pty drivers
2016-08-16 09:30:49 +02:00
dlm
dlm: avoid double-free on error path in dlm_device_{register,unregister}
2017-09-13 14:09:45 -07:00
ecryptfs
do d_instantiate/unlock_new_inode combinations safely
2018-05-30 07:48:52 +02:00
efivarfs
efi: Make efivarfs entries immutable by default
2016-03-03 15:07:09 -08:00
efs
fs/efs: femove unneeded cast
2015-06-25 17:00:42 -07:00
exofs
osd fs: __r4w_get_page rely on PageUptodate for uptodate
2015-12-12 10:15:34 -08:00
exportfs
ext2
do d_instantiate/unlock_new_inode combinations safely
2018-05-30 07:48:52 +02:00
ext4
ext4: always verify the magic number in xattr blocks
2018-10-13 09:11:33 +02:00
f2fs
f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
2018-09-19 22:48:59 +02:00
fat
fat: validate ->i_start before using
2018-09-15 09:40:38 +02:00
freevxfs
freevxfs: Grammar s/an negative/a negative/
2015-08-07 13:59:24 +02:00
fscache
fscache: Allow cancelled operations to be enqueued
2018-09-05 09:18:35 +02:00
fuse
fuse: Add missed unlock_page() to fuse_readpages_fill()
2018-09-05 09:18:39 +02:00
gfs2
gfs2: Special-case rindex for gfs2_grow
2018-09-26 08:35:05 +02:00
hfs
hfs: prevent crash on exit from failed search
2018-09-15 09:40:37 +02:00
hfsplus
hfsplus: fix NULL dereference in hfsplus_lookup()
2018-09-15 09:40:38 +02:00
hostfs
hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common()
2016-09-30 10:18:39 +02:00
hpfs
hpfs: implement the show_options method
2016-06-01 12:15:54 -07:00
hugetlbfs
mm: larger stack guard gap, between vmas
2017-06-26 07:13:11 +02:00
isofs
isofs: fix timestamps beyond 2027
2017-11-30 08:37:20 +00:00
jbd2
jbd2: don't mark block as modified if the handle is out of credits
2018-07-11 16:03:48 +02:00
jffs2
jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
2018-05-30 07:48:54 +02:00
jfs
jfs: Fix inconsistency between memory allocation and ea_buf->max_size
2018-08-09 12:19:28 +02:00
kernfs
kernfs: fix regression in kernfs_fop_write caused by wrong type
2018-02-16 20:09:42 +01:00
lockd
lockd: lost rollback of set_grace_period() in lockd_down_net()
2018-05-26 08:48:50 +02:00
logfs
mm, fs: introduce mapping_gfp_constraint()
2015-11-06 17:50:42 -08:00
minix
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2015-07-04 19:36:06 -07:00
ncpfs
staging: ncpfs: memory corruption in ncp_read_kernel()
2018-03-28 18:40:15 +02:00
nfs
NFSv4.0 fix client reference leak in callback
2018-09-19 22:48:57 +02:00
nfs_common
lockd: fix "list_add double add" caused by legacy signal interface
2018-02-03 17:04:28 +01:00
nfsd
nfsd: fix corrupted reply to badly ordered compound
2018-10-10 08:52:07 +02:00
nilfs2
do d_instantiate/unlock_new_inode combinations safely
2018-05-30 07:48:52 +02:00
nls
notify
fanotify: fix logic of events on child
2018-04-24 09:32:11 +02:00
ntfs
mm, fs: introduce mapping_gfp_constraint()
2015-11-06 17:50:42 -08:00
ocfs2
ocfs2: fix locking for res->tracking and dlm->tracking_list
2018-10-10 08:52:13 +02:00
omfs
openpromfs
overlayfs
ovl: proper cleanup of workdir
2018-09-15 09:40:41 +02:00
proc
proc: restrict kernel stack dumps to root
2018-10-10 08:52:13 +02:00
pstore
pstore: Fix incorrect persistent ram buffer mapping
2018-09-26 08:35:07 +02:00
qnx4
qnx6
quota
fs/quota: Fix spectre gadget in do_quotactl
2018-09-09 20:04:36 +02:00
ramfs
mm, fs: obey gfp_mapping for add_to_page_cache()
2015-10-16 11:42:28 -07:00
reiserfs
reiserfs: change j_timestamp type to time64_t
2018-09-15 09:40:38 +02:00
romfs
romfs: use different way to generate fsid for BLOCK or MTD
2017-06-17 06:39:38 +02:00
squashfs
squashfs: more metadata hardenings
2018-08-06 16:24:42 +02:00
sysfs
scsi: sysfs: Introduce sysfs_{un,}break_active_protection()
2018-09-05 09:18:40 +02:00
sysv
fix sysvfs symlinks
2015-11-23 21:11:08 -05:00
tracefs
tracefs: Fix refcount imbalance in start_creating()
2015-11-04 22:13:45 -05:00
ubifs
ubifs: Fix synced_i_size calculation for xattr inodes
2018-09-09 20:04:35 +02:00
udf
udf: Detect incorrect directory size
2018-07-03 11:21:34 +02:00
ufs
do d_instantiate/unlock_new_inode combinations safely
2018-05-30 07:48:52 +02:00
xfs
xfs: fix incorrect log_flushed on fsync
2018-06-13 16:15:27 +02:00
aio.c
fix io_destroy()/aio_complete() race
2018-06-06 16:46:23 +02:00
anon_inodes.c
attr.c
vfs: move permission checking into notify_change() for utimes(NULL)
2016-10-22 12:26:56 +02:00
bad_inode.c
binfmt_aout.c
binfmt_elf_fdpic.c
libnvdimm for 4.4:
2015-11-10 12:07:22 -08:00
binfmt_elf.c
binfmt_elf: Respect error return from `regset->active'
2018-09-26 08:35:08 +02:00
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
fs/binfmt_misc.c: do not allow offset overflow
2018-07-03 11:21:26 +02:00
binfmt_script.c
block_dev.c
fs/block_dev: always invalidate cleancache in invalidate_bdev()
2017-05-20 14:27:01 +02:00
buffer.c
fs: add i_blocksize()
2017-06-14 13:16:24 +02:00
char_dev.c
fs/char_dev.c: fix incorrect documentation for unregister_chrdev_region
2015-08-05 13:49:35 -07:00
compat_binfmt_elf.c
binfmt_elf: compat: avoid unused function warning
2018-02-25 11:03:51 +01:00
compat_ioctl.c
fs: compat: Remove warning from COMPATIBLE_IOCTL
2018-04-08 11:51:57 +02:00
compat.c
coredump.c
coredump: Ensure proper size of sparse core files
2017-07-05 14:37:20 +02:00
dax.c
dax: disable pmd mappings
2015-11-16 23:54:45 -08:00
dcache.c
fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot()
2018-09-15 09:40:38 +02:00
dcookies.c
direct-io.c
direct-io: Prevent NULL pointer access in submit_page_section
2017-10-18 09:20:42 +02:00
drop_caches.c
inode: convert inode_sb_list_lock to per-sb
2015-08-17 18:39:46 -04:00
eventfd.c
eventpoll.c
epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove()
2017-09-07 08:34:10 +02:00
exec.c
exec: Limit arg stack to at most 75% of _STK_LIM
2017-07-21 07:44:57 +02:00
fcntl.c
fs/fcntl: f_setown, avoid undefined behaviour
2018-01-31 12:06:11 +01:00
fhandle.c
fs/coredump: prevent fsuid=0 dumps into user-controlled directories
2016-04-12 09:08:58 -07:00
file_table.c
fs, file table: reinit files_stat.max_files after deferred memory initialisation
2015-08-07 04:39:40 +03:00
file.c
vfs: clear remainder of 'full_fds_bits' in dup_fd()
2015-11-05 23:05:32 -08:00
filesystems.c
fs_pin.c
fs_struct.c
fs-writeback.c
bdi: Fix oops in wb_workfn()
2018-05-16 10:06:51 +02:00
inode.c
Fix up non-directory creation in SGID directories
2018-07-17 11:31:43 +02:00
internal.h
inode: rename i_wb_list to i_io_list
2015-08-17 23:38:10 -04:00
ioctl.c
Kconfig
dax: disable pmd mappings
2015-11-16 23:54:45 -08:00
Kconfig.binfmt
libfs.c
fs: Set the size of empty dirs to 0.
2015-08-12 15:28:45 -05:00
locks.c
locks: don't check for race with close when setting OFD lock
2018-01-17 09:35:27 +01:00
Makefile
ext4: promote ext4 over ext2 in the default probe order
2015-10-15 10:33:21 -04:00
mbcache.c
mount.h
mnt: In propgate_umount handle visiting mounts in any order
2017-07-21 07:44:57 +02:00
mpage.c
fs: add i_blocksize()
2017-06-14 13:16:24 +02:00
namei.c
getname_kernel() needs to make sure that ->name != ->iname in long case
2018-04-24 09:32:04 +02:00
namespace.c
fix __legitimize_mnt()/mntput() race
2018-08-15 17:42:05 +02:00
no-block.c
nsfs.c
nsfs: mark dentry with DCACHE_RCUACCESS
2018-02-16 20:09:43 +01:00
open.c
fs: completely ignore unknown open flags
2017-07-15 11:57:44 +02:00
pipe.c
pipe: cap initial pipe capacity according to pipe-max-size limit
2018-05-26 08:48:51 +02:00
pnode.c
mnt: Make propagate_umount less slow for overlapping mount propagation trees
2017-07-21 07:44:58 +02:00
pnode.h
mnt: Add a per mount namespace limit on the number of mounts
2017-04-30 05:49:28 +02:00
posix_acl.c
tmpfs: clear S_ISGID when setting posix ACLs
2017-01-26 08:23:47 +01:00
proc_namespace.c
vfs: show_vfsstat: do not ignore errors from show_devname method
2016-04-12 09:08:55 -07:00
read_write.c
vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
2017-10-05 09:41:45 +02:00
readdir.c
select.c
fs/select: add vmalloc fallback for select(2)
2018-01-31 12:06:09 +01:00
seq_file.c
Make file credentials available to the seqfile interfaces
2017-08-06 19:19:42 -07:00
signalfd.c
signalfd: fix information leak in signalfd_copyinfo
2015-08-07 04:39:40 +03:00
splice.c
vfs: fix uninitialized flags in splice_to_pipe()
2017-02-23 17:43:09 +01:00
stack.c
stat.c
ufs: restore maintaining ->i_blocks
2017-06-14 13:16:24 +02:00
statfs.c
super.c
sget(): handle failures of register_shrinker()
2018-03-03 10:19:41 +01:00
sync.c
fs/sync.c: make sync_file_range(2) use WB_SYNC_NONE writeback
2015-11-06 17:50:42 -08:00
timerfd.c
timerfd: Protect the might cancel mechanism proper
2017-05-08 07:46:01 +02:00
userfaultfd.c
userfaultfd: shmem: __do_fault requires VM_FAULT_NOPAGE
2017-12-20 10:04:53 +01:00
utimes.c
vfs: move permission checking into notify_change() for utimes(NULL)
2016-10-22 12:26:56 +02:00
xattr.c
getxattr: use correct xattr length
2018-09-09 20:04:36 +02:00