ext4: do not allow external inodes for inline data
author    Theodore Ts'o <tytso@mit.edu>
          Tue, 22 May 2018 20:15:24 +0000 (16:15 -0400)
committer Theodore Ts'o <tytso@mit.edu>
          Tue, 22 May 2018 20:15:24 +0000 (16:15 -0400)
The inline data feature was implemented before we added support for
external inodes for xattrs.  It makes no sense to support that
combination, but the problem is that there are a number of extended
attribute checks that are skipped if e_value_inum is non-zero.

Unfortunately, the inline data code is completely e_value_inum
unaware, and attempts to interpret the xattr fields as if it were an
inline xattr --- at which point, Hilarity Ensues.

This addresses CVE-2018-11412.

https://bugzilla.kernel.org/show_bug.cgi?id=199803

Reported-by: Jann Horn <jannh@google.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Fixes: e50e5129f384 ("ext4: xattr-in-inode support")
Cc: stable@kernel.org
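The commit message describes the bug at the level of the on-disk xattr entry: the checks that validate an in-inode value (offset and size inside the inode body) are skipped when e_value_inum is non-zero, and the inline-data lookup then treats such an entry as if its value were in the inode. The following userspace walker is an added example, not code from the kernel or from this commit. It reproduces the relevant part of the lookup over a hand-constructed in-inode xattr region using the on-disk layout from fs/ext4/xattr.h (magic 0xEA020000, 16-byte entry header, 4-byte rounding, four-zero-byte terminator, system.data = index 7 / name "data"), applies the in-inode bounds check only when e_value_inum is zero, and rejects a system.data entry that points at an external xattr inode the way the patch does. The region size (128 bytes), the helper names, and the sample entries are assumptions made for the example.

```c
/* Added example (not kernel code): walk an in-inode ext4 xattr region the way
 * ext4_find_inline_data_nolock() relies on, and refuse a system.data entry
 * whose value lives in an external xattr inode (e_value_inum != 0).
 * Layout constants follow fs/ext4/xattr.h; the buffers are constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT4_XATTR_MAGIC          0xEA020000u
#define EXT4_XATTR_INDEX_SYSTEM   7        /* "system." name prefix */
#define EXT4_MIN_INLINE_DATA_SIZE 60       /* sizeof(i_block) */
#define EFSCORRUPTED              117      /* kernel: EFSCORRUPTED == EUCLEAN */
#define IBODY_SIZE                128      /* assumed size of the constructed region */

/* On-disk entry header; fields are little-endian, the name follows the
 * header, and the whole entry is rounded up to a multiple of 4 bytes. */
struct xattr_entry {
    uint8_t  e_name_len;
    uint8_t  e_name_index;
    uint16_t e_value_offs;   /* in-inode case: offset of value from first entry */
    uint32_t e_value_inum;   /* non-zero: value is stored in a separate xattr inode */
    uint32_t e_value_size;
    uint32_t e_hash;
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* EXT4_XATTR_LEN(name_len): header plus name, rounded up to 4 bytes. */
static size_t entry_len(uint8_t name_len)
{
    return (sizeof(struct xattr_entry) + name_len + 3) & ~(size_t)3;
}

/* Returns 60 + e_value_size when system.data is present and stored in the
 * inode, 0 when there is no such entry, and -EFSCORRUPTED when the entry
 * list is malformed or the value is referenced from an external inode. */
int find_inline_data(const uint8_t *ibody, size_t len)
{
    if (len < 4 || le32(ibody) != EXT4_XATTR_MAGIC)
        return 0;                                  /* no in-inode xattrs at all */

    for (size_t pos = 4;;) {
        if (pos + 4 > len)
            return -EFSCORRUPTED;                  /* no terminator before end of region */
        if (le32(ibody + pos) == 0)
            return 0;                              /* IS_LAST_ENTRY: four zero bytes */
        const uint8_t *e = ibody + pos;
        size_t elen = entry_len(e[0]);
        if (pos + elen > len)
            return -EFSCORRUPTED;                  /* header or name runs past the region */

        uint32_t value_inum = le32(e + 4);
        uint32_t value_size = le32(e + 8);
        if (e[1] == EXT4_XATTR_INDEX_SYSTEM && e[0] == 4 &&
            memcmp(e + sizeof(struct xattr_entry), "data", 4) == 0) {
            if (value_inum) {
                /* The check the patch adds: inline data is never allowed
                 * to live in an external xattr inode. */
                fprintf(stderr, "inline data xattr refers to an external xattr inode (%u)\n",
                        value_inum);
                return -EFSCORRUPTED;
            }
            /* In-inode bounds check; it only makes sense when e_value_inum
             * is zero, which is exactly why the case above must be rejected. */
            if (value_size != 0 && (size_t)4 + le16(e + 2) + value_size > len)
                return -EFSCORRUPTED;
            return (int)(EXT4_MIN_INLINE_DATA_SIZE + value_size);
        }
        pos += elen;
    }
}

/* Constructed sample region: magic, one system.data entry, zero terminator,
 * and (for the in-inode case) the value bytes at the tail of the region. */
size_t build_ibody(uint8_t buf[IBODY_SIZE], uint32_t value_inum, uint32_t value_size)
{
    memset(buf, 0, IBODY_SIZE);
    put32(buf, EXT4_XATTR_MAGIC);
    uint8_t *e = buf + 4;
    e[0] = 4;                               /* strlen("data") */
    e[1] = EXT4_XATTR_INDEX_SYSTEM;
    /* offset relative to the first entry; an oversized value wraps the
     * 16-bit offset and must be caught by the bounds check, never used */
    put16(e + 2, value_inum ? 0 : (uint16_t)(IBODY_SIZE - 4 - value_size));
    put32(e + 4, value_inum);
    put32(e + 8, value_size);
    memcpy(e + sizeof(struct xattr_entry), "data", 4);
    /* entry_len(4) == 20; the bytes after it are already zero (terminator) */
    return IBODY_SIZE;
}

int check_inline_entry(uint32_t value_inum, uint32_t value_size)
{
    uint8_t buf[IBODY_SIZE];
    size_t n = build_ibody(buf, value_inum, value_size);
    return find_inline_data(buf, n);
}

int main(void)
{
    printf("in-inode, 20 bytes  : %d\n", check_inline_entry(0, 20));      /* 80 */
    printf("external inode 12345: %d\n", check_inline_entry(12345, 20));  /* -117 */
    printf("oversized in-inode  : %d\n", check_inline_entry(0, 200));     /* -117 */
    return 0;
}
```

The second and third cases show the two failure modes side by side: an in-inode value that does not fit is caught by the offset/size check, whereas an entry with e_value_inum set would sail past that check (it is skipped for external values) and, without the patch's explicit rejection, be reported as 80 bytes of inline data that the inode body does not actually contain.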
fs/ext4/inline.c

index 70cf4c7b268a36136ba8883dae16c7a8266805e5..44b4fcdc3755c06ef134754a36ef364b3b93dc17 100644
@@ -144,6 +144,12 @@ int ext4_find_inline_data_nolock(struct inode *inode)
                goto out;
 
        if (!is.s.not_found) {
+               if (is.s.here->e_value_inum) {
+                       EXT4_ERROR_INODE(inode, "inline data xattr refers "
+                                        "to an external xattr inode");
+                       error = -EFSCORRUPTED;
+                       goto out;
+               }
                EXT4_I(inode)->i_inline_off = (u16)((void *)is.s.here -
                                        (void *)ext4_raw_inode(&is.iloc));
                EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE +
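Review bot: the EXT4_ERROR_INODE message in this hunk would be more useful if it carried the offending inode number, e.g. `"inline data xattr refers to external xattr inode %u", is.s.here->e_value_inum`, so that the corrupt entry can be located from the log alone; the placement itself is right, since the check on is.s.here->e_value_inum comes before i_inline_off and i_inline_size are derived from is.s.here, and those lines (the (u16) offset into the raw inode and EXT4_MIN_INLINE_DATA_SIZE plus the entry's size) only make sense for a value stored in the inode body.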