author | Jeremy Cline <jeremy@jcline.org> | 2018-01-12 11:07:47 -0500 |
---|---|---|
committer | Jeremy Cline <jeremy@jcline.org> | 2018-01-12 11:08:32 -0500 |
commit | d667ebc96e1833ef478b7769028a9a2074efbd7a (patch) | |
tree | c3046cca7d12fc62c06e19e395fa4230faf6edeb | |
parent | 2a754e66fc7f7e2a9f695ee7aac775bf11b51f12 (diff) | |
Fix CVE-2018-5332 and CVE-2018-5333
-rw-r--r-- | RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch | 33 | ||||
-rw-r--r-- | RDS-null-pointer-dereference-in-rds_atomic_free_op.patch | 31 | ||||
-rw-r--r-- | kernel.spec | 8 |
3 files changed, 72 insertions, 0 deletions
diff --git a/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch b/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
new file mode 100644
index 000000000..fae1ffe53
--- /dev/null
+++ b/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
@@ -0,0 +1,33 @@
+From c095508770aebf1b9218e77026e48345d719b17c Mon Sep 17 00:00:00 2001
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Tue, 2 Jan 2018 19:44:34 +0000
+Subject: [PATCH] RDS: Heap OOB write in rds_message_alloc_sgs()
+
+When args->nr_local is 0, nr_pages gets also 0 due some size
+calculation via rds_rm_size(), which is later used to allocate
+pages for DMA, this bug produces a heap Out-Of-Bound write access
+to a specific memory region.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/rds/rdma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/rds/rdma.c b/net/rds/rdma.c
+index bc2f1e0977d6..94729d9da437 100644
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -525,6 +525,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
+ 
+ local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;
+ 
++ if (args->nr_local == 0)
++ return -EINVAL;
++
+ /* figure out the number of pages in the vector */
+ for (i = 0; i < args->nr_local; i++) {
+ if (copy_from_user(&vec, &local_vec[i],
+-- 
+2.15.1
+
diff --git a/RDS-null-pointer-dereference-in-rds_atomic_free_op.patch b/RDS-null-pointer-dereference-in-rds_atomic_free_op.patch
new file mode 100644
index 000000000..4317a1cf5
--- /dev/null
+++ b/RDS-null-pointer-dereference-in-rds_atomic_free_op.patch
@@ -0,0 +1,31 @@
+From 7d11f77f84b27cef452cee332f4e469503084737 Mon Sep 17 00:00:00 2001
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Wed, 3 Jan 2018 21:06:06 +0000
+Subject: [PATCH] RDS: null pointer dereference in rds_atomic_free_op
+
+set rm->atomic.op_active to 0 when rds_pin_pages() fails
+or the user supplied address is invalid,
+this prevents a NULL pointer usage in rds_atomic_free_op()
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/rds/rdma.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/rds/rdma.c b/net/rds/rdma.c
+index 94729d9da437..634cfcb7bba6 100644
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -877,6 +877,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm,
+ err:
+ if (page)
+ put_page(page);
++ rm->atomic.op_active = 0;
+ kfree(rm->atomic.op_notifier);
+ 
+ return ret;
+-- 
+2.15.1
+
diff --git a/kernel.spec b/kernel.spec
index 0f3d656ab..b3df80523 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -636,6 +636,12 @@ Patch506: e1000e-Fix-e1000_check_for_copper_link_ich8lan-return-value..patch
 # CVE-2018-5344 rhbz 1533909 1533911
 Patch507: loop-fix-concurrent-lo_open-lo_release.patch
 
+# CVE-2018-5332 rhbz 1533890 1533895
+Patch508: RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
+
+# CVE-2018-5333 rhbz 1533891 1533895
+Patch509: RDS-null-pointer-dereference-in-rds_atomic_free_op.patch
+
 # 550-600 Meltdown and Spectre Fixes
 Patch550: prevent-bounds-check-bypass-via-speculative-execution.patch
 Patch551: 0001-x86-cpufeatures-Add-X86_BUG_SPECTRE_V-12.patch
@@ -2255,6 +2261,8 @@ fi
 %changelog
 * Fri Jan 12 2018 Jeremy Cline <jeremy@jcline.org>
 - Fix for CVE-2018-5344 (rhbz 1533909 1533911)
+- Fix for CVE-2018-5332 (rhbz 1533890 1533895)
+- Fix for CVE-2018-5333 (rhbz 1533891 1533895)
 
 * Wed Jan 10 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.13-200
 - Linux v4.14.13 |
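Review bot: The Patch509 entry does not record that it was generated on top of Patch508: the inner `index 94729d9da437..634cfcb7bba6` line of the second patch starts from the blob the first patch produces (`bc2f1e0977d6..94729d9da437`), and both touch net/rds/rdma.c, so the PatchNNN ordering is carrying an unstated dependency. Suggest saying so on the comment line, e.g. `# CVE-2018-5333 rhbz 1533891 1533895 (generated on top of Patch508, same net/rds/rdma.c)`, so that dropping or reordering one of the two RDS patches later is caught at review time rather than at build time. Whether the build applies patches strictly in PatchNNN order is not visible in this hunk, so the wording should stay descriptive rather than claim the order is enforced.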