authorJustin M. Forbes <jforbes@fedoraproject.org>2018-05-04 11:52:36 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2018-05-04 11:52:36 -0500
commit68c66807db77453926fbfbedae3bee348c2c876c (patch)
tree810f6ef0c2f5d1402cf930c99ab1052fbf55c052
parent7733ba1d9221ae6480f52ba707476055d95d5b50 (diff)
Fix CVE-2018-10322 CVE-2018-10323
-rw-r--r--0001-xfs-enhance-dinode-verifier.patch72
-rw-r--r--0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch45
-rw-r--r--kernel.spec10
3 files changed, 127 insertions, 0 deletions
diff --git a/0001-xfs-enhance-dinode-verifier.patch b/0001-xfs-enhance-dinode-verifier.patch
new file mode 100644
index 000000000..230e79387
--- /dev/null
+++ b/0001-xfs-enhance-dinode-verifier.patch
@@ -0,0 +1,72 @@
+From b42db0860e13067fcc7cbfba3966c9e652668bbc Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@sandeen.net>
+Date: Mon, 16 Apr 2018 23:06:53 -0700
+Subject: [PATCH] xfs: enhance dinode verifier
+
+Add several more validations to xfs_dinode_verify:
+
+- For LOCAL data fork formats, di_nextents must be 0.
+- For LOCAL attr fork formats, di_anextents must be 0.
+- For inodes with no attr fork offset,
+ - format must be XFS_DINODE_FMT_EXTENTS if set at all
+ - di_anextents must be 0.
+
+Thanks to dchinner for pointing out a couple related checks I had
+forgotten to add.
+
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199377
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+---
+ fs/xfs/libxfs/xfs_inode_buf.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c
+index ef68b1de006a..1201107eabc6 100644
+--- a/fs/xfs/libxfs/xfs_inode_buf.c
++++ b/fs/xfs/libxfs/xfs_inode_buf.c
+@@ -466,6 +466,8 @@ xfs_dinode_verify(
+ return __this_address;
+ if (di_size > XFS_DFORK_DSIZE(dip, mp))
+ return __this_address;
++ if (dip->di_nextents)
++ return __this_address;
+ /* fall through */
+ case XFS_DINODE_FMT_EXTENTS:
+ case XFS_DINODE_FMT_BTREE:
+@@ -484,12 +486,31 @@ xfs_dinode_verify(
+ if (XFS_DFORK_Q(dip)) {
+ switch (dip->di_aformat) {
+ case XFS_DINODE_FMT_LOCAL:
++ if (dip->di_anextents)
++ return __this_address;
++ /* fall through */
+ case XFS_DINODE_FMT_EXTENTS:
+ case XFS_DINODE_FMT_BTREE:
+ break;
+ default:
+ return __this_address;
+ }
++ } else {
++ /*
++ * If there is no fork offset, this may be a freshly-made inode
++ * in a new disk cluster, in which case di_aformat is zeroed.
++ * Otherwise, such an inode must be in EXTENTS format; this goes
++ * for freed inodes as well.
++ */
++ switch (dip->di_aformat) {
++ case 0:
++ case XFS_DINODE_FMT_EXTENTS:
++ break;
++ default:
++ return __this_address;
++ }
++ if (dip->di_anextents)
++ return __this_address;
+ }
+
+ /* only version 3 or greater inodes are extensively verified here */
+--
+2.17.0
+
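Review bot: The bare `case 0:` in the new no-attr-fork branch of xfs_dinode_verify reads as a magic number in a switch whose other labels are all XFS_DINODE_FMT_* constants, and 0 presumably coincides with the first value of that enum. The block comment above the switch explains the zeroed, freshly-made inode, but I would tie it to the label itself, e.g. `case 0: /* never-initialised inode: di_aformat still zeroed */`, so a reader does not take it for deliberate acceptance of another on-disk format. Every field tested here comes from disk and may belong to a crafted image, so it is also worth a short comment that `di_nextents` and `di_anextents` are only compared against zero, which is presumably why no endian conversion appears on those lines. xfs_dinode_verify starts and ends outside both inner hunks.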
diff --git a/0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch b/0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
new file mode 100644
index 000000000..9c6814c65
--- /dev/null
+++ b/0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
@@ -0,0 +1,45 @@
+From 2c4306f719b083d17df2963bc761777576b8ad1b Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Mon, 16 Apr 2018 23:07:27 -0700
+Subject: [PATCH] xfs: set format back to extents if xfs_bmap_extents_to_btree
+
+If xfs_bmap_extents_to_btree fails in a mode where we call
+xfs_iroot_realloc(-1) to de-allocate the root, set the
+format back to extents.
+
+Otherwise we can assume we can dereference ifp->if_broot
+based on the XFS_DINODE_FMT_BTREE format, and crash.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+---
+ fs/xfs/libxfs/xfs_bmap.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
+index 6a7c2f03ea11..040eeda8426f 100644
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -725,12 +725,16 @@ xfs_bmap_extents_to_btree(
+ *logflagsp = 0;
+ if ((error = xfs_alloc_vextent(&args))) {
+ xfs_iroot_realloc(ip, -1, whichfork);
++ ASSERT(ifp->if_broot == NULL);
++ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
+ xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
+ return error;
+ }
+
+ if (WARN_ON_ONCE(args.fsbno == NULLFSBLOCK)) {
+ xfs_iroot_realloc(ip, -1, whichfork);
++ ASSERT(ifp->if_broot == NULL);
++ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
+ xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
+ return -ENOSPC;
+ }
+--
+2.17.0
+
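Review bot: The two added `ASSERT(ifp->if_broot == NULL);` lines only check anything on builds where XFS assertions are enabled; on a production build they are expected to compile out, so `XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);` is the line that actually stops later code from trusting a BTREE format whose root has been freed. Neither error path says so, and I would add one comment above the first reset, such as `/* root was freed above: drop back to EXTENTS so nothing dereferences if_broot */`. The same four-statement cleanup now appears in both the xfs_alloc_vextent failure and the NULLFSBLOCK path, so a future error path could easily repeat the realloc and forget the format reset; a shared error label would avoid that. xfs_bmap_extents_to_btree starts and ends outside the hunk.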
diff --git a/kernel.spec b/kernel.spec
index c21cc1c53..af6dbc139 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -660,6 +660,12 @@ Patch508: Bluetooth-btusb-autosuspend-XPS-13-9360-fixes.patch
# rhbz 1572944
Patch509: Revert-the-random-series-for-4.16.4.patch
+# CVE-2018-10322 rhbz 1571623 1571624
+Patch510: 0001-xfs-enhance-dinode-verifier.patch
+
+# CVE-2018-10323 rhbz 1571627 1571630
+Patch511: 0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1912,6 +1918,10 @@ fi
#
#
%changelog
+* Fri May 04 2018 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2018-10322 (rhbz 1571623 1571624)
+- Fix CVE-2018-10323 (rhbz 1571627 1571630)
+
* Wed May 02 2018 Jeremy Cline <jeremy@jcline.org> - 4.16.7-200
- Linux v4.16.7