[SRU][B/X][CVE-2018-10322][PATCH 0/1] xfs: enhance dinode verifier

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Tue Sep 1 18:03:27 UTC 2020


On Tue, Sep 01, 2020 at 12:57:08PM -0400, William Breathitt Gray wrote:
> SRU Justification
> =================
> 
> [Impact]
> 
> The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the
> Linux kernel through 4.16.3 allows local users to cause a denial of
> service (xfs_ilock_attr_map_shared invalid pointer dereference) via a
> crafted xfs image.
> 
> [Test Case]
> 
> The upstream bugzilla page provides a test case to check if a kernel is
> affected by this issue:
> <https://bugzilla.kernel.org/show_bug.cgi?id=199377>
> 
> - Overview
> Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting
> and operating a crafted xfs image
> 
> - Reproduce
> # mkdir mnt
> # mount -t xfs 120.img mnt
> # gcc -o poc poc.c
> # ./poc ./mnt
> 
> - Reason
> static int
> xfs_xattr_get(const struct xattr_handler *handler, struct dentry *unused,
> 		struct inode *inode, const char *name, void *value, size_t size)
> {
> 	int xflags = handler->flags;
> 	struct xfs_inode *ip = XFS_I(inode);
> 	int error, asize = size;
> 
> 	/* Convert Linux syscall to XFS internal ATTR flags */
> 	if (!size) {
> 		xflags |= ATTR_KERNOVAL;
> 		value = NULL;
> 	}
> 
> 	error = xfs_attr_get(ip, (unsigned char *)name, value, &asize, xflags);
> 	if (error)
> 		return error;
> 	return asize;
> }
> 
> ip is invalid (0x8) returned from XFS_I.
> 
> [Regression Potential]
> 
> The upstream fix (commit b42db0860e13067fcc7cbfba3966c9e652668bbc)
> expects the affected code in the xfs_inode_buf.c file, but the affected
> code is in the xfs_inode_fork.c file for the Bionic and Xenial kernels. This
> is because there was a refactoring performed in commit
> 71493b839e294065ba63bd6f8d07263f3afee8c6 in order to reject bad inodes
> earlier and in a single place. It is possible that waiting until later to
> reject these bad inodes could have a negative side effect.

How hard is it to backport 71493b839e294065ba63bd6f8d07263f3afee8c6 to Bionic
and Xenial? And are there any fixups for that commit that we would rather
include?

Cascardo.

> 
> Eric Sandeen (1):
>   xfs: enhance dinode verifier
> 
>  fs/xfs/libxfs/xfs_inode_fork.c | 47 +++++++++++++++++++++++++++++++++-
>  1 file changed, 46 insertions(+), 1 deletion(-)
> 
> -- 
> 2.25.1
> 
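As an added illustration of the point under discussion (rejecting a bad on-disk inode in one place, when the buffer is read, before any field is turned into a pointer or a length), here is a simplified, hypothetical inode verifier in C. It is not code from this thread or from the XFS tree: the layout, the constants, the field names and the error codes are all constructed for this example, and the checks are only the generic ones any on-disk-metadata verifier needs (magic, format enum, fork offset inside the inode, extent count and inline size that fit in the fork).

```c
#include <stdint.h>

/* Hypothetical, simplified on-disk inode layout (not XFS's real format). */
#define TOY_DINODE_MAGIC 0x494Eu  /* constructed magic value */
#define TOY_INODE_SIZE   256u     /* bytes per on-disk inode */
#define TOY_CORE_SIZE    96u      /* fixed core; forks follow it */
#define TOY_EXTENT_SIZE  16u      /* bytes per extent record */

enum toy_fork_format {
    TOY_FMT_LOCAL   = 1,  /* data stored inline in the inode */
    TOY_FMT_EXTENTS = 2,  /* array of extent records in the fork */
    TOY_FMT_BTREE   = 3,  /* btree root in the fork */
};

struct toy_dinode {
    uint16_t magic;
    uint8_t  format;    /* enum toy_fork_format */
    uint8_t  forkoff;   /* attr fork offset in 8-byte units, 0 = no attr fork */
    uint32_t nextents;  /* extent count for TOY_FMT_EXTENTS */
    uint64_t size;      /* inline byte count for TOY_FMT_LOCAL */
};

/* Constructed error codes for this example. */
enum {
    TOY_OK          =  0,
    TOY_EBADMAGIC   = -1,
    TOY_EBADFORMAT  = -2,
    TOY_EBADFORKOFF = -3,
    TOY_EBADEXTENTS = -4,
    TOY_EBADLOCAL   = -5,
};

/*
 * Verify every field that later code would use to compute a pointer or a
 * length.  Doing this once, at read time, means the in-memory inode is never
 * built from a crafted record, so callers such as an xattr lookup never see a
 * bogus inode pointer.
 */
int toy_dinode_verify(const struct toy_dinode *dip)
{
    unsigned int attr_off = (unsigned int)dip->forkoff * 8u;
    unsigned int data_fork_bytes;

    if (dip->magic != TOY_DINODE_MAGIC)
        return TOY_EBADMAGIC;

    /* The attr fork, if present, must start after the core and inside the inode. */
    if (attr_off != 0 && (attr_off < TOY_CORE_SIZE || attr_off >= TOY_INODE_SIZE))
        return TOY_EBADFORKOFF;

    /* Data fork runs from the end of the core to the attr fork (or inode end). */
    data_fork_bytes = (attr_off ? attr_off : TOY_INODE_SIZE) - TOY_CORE_SIZE;

    switch (dip->format) {
    case TOY_FMT_LOCAL:
        /* Inline data must fit in the fork and cannot also claim extents. */
        if (dip->nextents != 0 || dip->size > data_fork_bytes)
            return TOY_EBADLOCAL;
        break;
    case TOY_FMT_EXTENTS:
        /* 64-bit multiply so a huge nextents cannot wrap past the check. */
        if ((uint64_t)dip->nextents * TOY_EXTENT_SIZE > data_fork_bytes)
            return TOY_EBADEXTENTS;
        break;
    case TOY_FMT_BTREE:
        break;  /* btree root layout checks omitted in this toy example */
    default:
        return TOY_EBADFORMAT;
    }
    return TOY_OK;
}

/* Build a constructed inode record with the given fields and verify it. */
int toy_check(uint16_t magic, uint8_t format, uint8_t forkoff,
              uint32_t nextents, uint64_t size)
{
    struct toy_dinode dip = { magic, format, forkoff, nextents, size };
    return toy_dinode_verify(&dip);
}
```

With the constants above the data fork is 160 bytes when there is no attr fork and 64 bytes when the attr fork starts at offset 160 (forkoff 20); a record claiming more extents or more inline bytes than that, a fork offset inside the core or past the inode, or an unknown format is refused before anything is derived from it.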
