Bug 1090749 (CVE-2018-10322)

Summary: VUL-0: CVE-2018-10322: kernel-source: The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference)
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: jeffm, karol, lurodriguez, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/204778/
Whiteboard: CVSSv3.1:SUSE:CVE-2018-10322:4.6:(AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: poc.c

Description Marcus Meissner 2018-04-24 15:46:34 UTC
CVE-2018-10322

The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux
kernel through 4.16.3 allows local users to cause a denial of service
(xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10322
https://www.spinics.net/lists/linux-xfs/msg17215.html
https://bugzilla.kernel.org/show_bug.cgi?id=199377
Comment 1 Marcus Meissner 2018-04-24 15:47:27 UTC
Created attachment 768143
poc.c

reproducer
Comment 3 Marcus Meissner 2018-05-30 13:11:15 UTC
mainline commit id b42db0860e13067fcc7cbfba3966c9e652668bbc
I think.
Comment 4 Luis Chamberlain 2018-06-01 17:44:53 UTC
(In reply to Marcus Meissner from comment #0)
> CVE-2018-10322
> 
> The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux
> kernel through 4.16.3 allows ...

I confirmed that the PoC is not effective on SLE12-SP2, SLE12-SP3, SLE15, and as such the only branch affected is the stable branch.

I pushed the fix to:

  * users/lurodriguez/stable/for-next

This is the only applicable branch.
Comment 5 Marcus Meissner 2018-06-02 07:55:44 UTC
done!