From b3c3282c259353564bbf355479e0d290306f397b Mon Sep 17 00:00:00 2001
From: Hanjie Lin
Date: Wed, 19 Dec 2018 16:24:32 +0800
Subject: [PATCH] RAVENPLAT-310: Kernel components ext4 filesystem - CVE-2018-10880[1/1]

PD#SWPL-15901
Problem: In ext4_xattr_make_inode_space of xattr.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is needed for exploitation.
Solution: The fix is designed to never move system.data out of the inode.
Platform: Raven
Verify: Raven
Change-Id: I0820e6e84c8a5ab7d40d14ce14c11f9f8e1f9503
Signed-off-by: Hanjie Lin
---
 fs/ext4/xattr.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 8ac7c000a53f..32c52fc41c54 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1416,6 +1416,11 @@ static int ext4_xattr_make_inode_space(handle_t *handle, struct inode *inode,
 last = IFIRST(header);
 /* Find the entry best suited to be pushed into EA block */
 for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
+ /* never move system.data out of the inode */
+ if ((last->e_name_len == 4) &&
+ (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) &&
+ !memcmp(last->e_name, "data", 4))
+ continue;
 total_size =
 EXT4_XATTR_SIZE(le32_to_cpu(last->e_value_size)) +
 EXT4_XATTR_LEN(last->e_name_len);
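Review bot: The new guard at the top of the `for` loop hard-codes the attribute name twice, as the length `4` and the literal `"data"`, and its comment states the rule without the reason. Mainline ext4 defines `EXT4_XATTR_SYSTEM_DATA` in xattr.h for this name; if this tree has it, `!memcmp(last->e_name, EXT4_XATTR_SYSTEM_DATA, 4))` keeps the check tied to the inline-data code that uses the same name. The comment could carry the why, e.g. `/* system.data holds the inline data and must stay in the inode body; see CVE-2018-10880 */`. With this `continue`, an inode whose only in-body entry is system.data leaves the loop with no candidate selected, so the handling after the loop, which lies outside this hunk, should be confirmed to return an error in that case rather than proceed.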