Description: ext4: crafted image causes heap OOB write in ext4_xattr_set_entry
References:
 https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19319
Notes:
 carnil> Introduced in dec214d00e0d ("ext4: xattr inode deduplication")
 carnil> in 4.13-rc1? Cf.
 carnil> https://bugzilla.suse.com/show_bug.cgi?id=1158021#c2
 bwh> SUSE has backported the fix as far as 3.12. It turns out that
 bwh> they backported *part* of commit dec214d00e0d to fix CVE-2018-1094
 bwh> which I thought didn't affect older branches. See
 bwh>
 bwh> and
 bwh> .
 bwh> So we should probably apply both of these to 3.16 and 4.9.
 bwh> Note the follow-up fixes: commits fbbbbd2f28aec, 170417c8c7bb,
 bwh> 0a944e8a6c66, af133ade9a40.
Bugs:
upstream: released (5.2-rc1) [345c0dbf3a30872d9b204db96b5857cd00808cae]
4.19-upstream-stable: released (4.19.73) [2fd4629de51974002f4e9cf1a35a1926dd6c9d99]
4.9-upstream-stable: released (4.9.221) [a9855260fe8d8680bf8c4f0d8303b696c861e99b]
3.16-upstream-stable: released (3.16.85) [51890201da4d654f6ca131bc45a0e892bb10de1d]
sid: released (5.2.6-1)
4.19-buster-security: released (4.19.87-1)
4.9-stretch-security: released (4.9.210-1+deb9u1) [bugfix/all/ext4-protect-journal-inode-s-blocks-using-block_vali.patch]
3.16-jessie-security: released (3.16.84-1) [bugfix/all/ext4-protect-journal-inode-s-blocks-using-block_vali.patch]