[SRU][B/X][CVE-2018-10322][PATCH 0/1] xfs: enhance dinode verifier

William Breathitt Gray william.gray at canonical.com
Tue Sep 1 16:57:08 UTC 2020


SRU Justification
=================

[Impact]

The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the
Linux kernel through 4.16.3 allows local users to cause a denial of
service (xfs_ilock_attr_map_shared invalid pointer dereference) via a
crafted xfs image.

[Test Case]

The upstream bugzilla page provides a test case to check if a kernel is
affected by this issue:
<https://bugzilla.kernel.org/show_bug.cgi?id=199377>

- Overview
Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting
and operating a crafted xfs image

- Reproduce
# mkdir mnt
# mount -t xfs 120.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- Reason
static int
xfs_xattr_get(const struct xattr_handler *handler, struct dentry *unused,
		struct inode *inode, const char *name, void *value, size_t size)
{
	int xflags = handler->flags;
	struct xfs_inode *ip = XFS_I(inode);
	int error, asize = size;

	/* Convert Linux syscall to XFS internal ATTR flags */
	if (!size) {
		xflags |= ATTR_KERNOVAL;
		value = NULL;
	}

	error = xfs_attr_get(ip, (unsigned char *)name, value, &asize, xflags);
	if (error)
		return error;
	return asize;
}

ip is invalid (0x8) returned from XFS_I.

[Regression Potential]

The upstream fix (commit b42db0860e13067fcc7cbfba3966c9e652668bbc)
expects the affected code in the xfs_inode_buf.c file, but the affected
code is in xfs_inode_fork.c file for the Bionic and Xenial kernels. This
is because there was a refactoring performed in commit
71493b839e294065ba63bd6f8d07263f3afee8c6 in order to reject bad inodes
earlier and in a single place. It is possible that waiting unti later to
reject these bad inodes could have a negative side effect.

Eric Sandeen (1):
  xfs: enhance dinode verifier

 fs/xfs/libxfs/xfs_inode_fork.c | 47 +++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

-- 
2.25.1
