On Fri, Jan 31, 2020 at 09:06:01PM -0800, Zubin Mithra wrote:
> From: Theodore Ts'o <tytso@xxxxxxx>
>
> commit 9803387c55f7d2ce69aa64340c5fdc6b3027dbc8 upstream.
>
> Instead of setting s_want_extra_size and then making sure that it is a
> valid value afterwards, validate the field before we set it. This
> avoids races and other problems when remounting the file system.
>
> Link: https://lore.kernel.org/r/20191215063020.GA11512@xxxxxxx
> Cc: stable@xxxxxxxxxx
> Signed-off-by: Theodore Ts'o <tytso@xxxxxxx>
> Reported-and-tested-by: syzbot+4a39a025912b265cacef@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Zubin Mithra <zsm@xxxxxxxxxxxx>
> ---
> Notes:
> * Syzkaller triggered a UAF on 4.19 kernels with the following
>   stacktrace:
>     __dump_stack lib/dump_stack.c:77 [inline]
>     dump_stack+0xc8/0x129 lib/dump_stack.c:113
>     print_address_description+0x67/0x22a mm/kasan/report.c:256
>     kasan_report_error mm/kasan/report.c:354 [inline]
>     kasan_report mm/kasan/report.c:412 [inline]
>     kasan_report+0x251/0x28f mm/kasan/report.c:396
>     ext4_xattr_set_entry+0x45e/0x2222 fs/ext4/xattr.c:1604
>     ext4_xattr_ibody_set+0x7d/0x226 fs/ext4/xattr.c:2240
>     ext4_xattr_set_handle+0x553/0xa92 fs/ext4/xattr.c:2396
>     ext4_xattr_set+0x16a/0x200 fs/ext4/xattr.c:2508
>     __vfs_setxattr+0xfc/0x13d fs/xattr.c:149
>     __vfs_setxattr_noperm+0xf5/0x19c fs/xattr.c:180
>     vfs_setxattr+0x9c/0xca fs/xattr.c:223
>     setxattr+0x20e/0x275 fs/xattr.c:450
>     path_setxattr+0xca/0x144 fs/xattr.c:469
>     __do_sys_lsetxattr fs/xattr.c:491 [inline]
>     __se_sys_lsetxattr fs/xattr.c:487 [inline]
>     __x64_sys_lsetxattr+0xd7/0xe1 fs/xattr.c:487
>     do_syscall_64+0xfe/0x137 arch/x86/entry/common.c:294
>     entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> * This commit is present in linux-5.4.y. A backport for 4.14.y has been
>   sent separately.

Many thanks for this and the 4.14.y backport, now both applied.

greg k-h
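
The ordering change the quoted commit message describes, as an added example that is not part of the patch or the kernel source: a single-threaded C model in which a hook stands in for a concurrent reader of the field. The struct, the function names, the 128-byte base size and the validity rule are assumptions made for the illustration.

```c
#include <stdio.h>
#define BASE_INODE_SIZE 128u   /* assumed fixed inode header size in this model */
struct sb_model {              /* hypothetical stand-in for the superblock info */
    unsigned inode_size;       /* constructed sample value */
    unsigned want_extra_size;  /* models the s_want_extra_size field */
};
static unsigned worst_seen;    /* largest value the simulated reader observed */

/* Stands in for a concurrent reader of the field, such as an xattr write. */
static void record_reader(const struct sb_model *sb)
{
    if (sb->want_extra_size > worst_seen)
        worst_seen = sb->want_extra_size;
}

/* Assumed validity rule: 4-byte aligned and within the inode's spare room. */
static int extra_size_ok(const struct sb_model *sb, unsigned v)
{
    return v % 4 == 0 && v <= sb->inode_size - BASE_INODE_SIZE;
}

/* Old ordering: store, then check, then roll back. */
int set_then_validate(struct sb_model *sb, unsigned v)
{
    unsigned old = sb->want_extra_size;
    sb->want_extra_size = v;   /* unvalidated value is visible from here */
    record_reader(sb);         /* a reader scheduled inside the window */
    if (!extra_size_ok(sb, v)) {
        sb->want_extra_size = old;
        return -1;
    }
    return 0;
}

/* New ordering: reject bad input before the shared field is written. */
int validate_then_set(struct sb_model *sb, unsigned v)
{
    if (!extra_size_ok(sb, v))
        return -1;             /* field untouched, nothing to roll back */
    sb->want_extra_size = v;
    record_reader(sb);
    return 0;
}

int main(void)
{
    struct sb_model sb = { 256, 32 };  /* constructed sample state */
    set_then_validate(&sb, 4096);      /* rejected, but only after the store */
    printf("reader saw %u during a rejected update\n", worst_seen);
    return 0;
}
```

Both functions reject the oversized value and leave the field at 32; only the old ordering lets the reader hook observe 4096 in between.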