authorJeremy Cline <jeremy@jcline.org>2018-01-12 11:07:47 -0500
committerJeremy Cline <jeremy@jcline.org>2018-01-12 11:07:47 -0500
commit630c6b68847cf37f59a70005ed517351ce22317f (patch)
tree64386de68b971e81a0693e2d5ec56a42ab4a744c
parente4655cc96aae6a736b09791c7a0e616857ac9de7 (diff)
Fix CVE-2018-5332 and CVE-2018-5333 (RDS: heap out-of-bounds write in rds_message_alloc_sgs() and NULL pointer dereference in rds_atomic_free_op())
-rw-r--r--RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch33
-rw-r--r--RDS-null-pointer-dereference-in-rds_atomic_free_op.patch31
-rw-r--r--kernel.spec8
3 files changed, 72 insertions, 0 deletions
diff --git a/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch b/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
new file mode 100644
index 000000000..fae1ffe53
--- /dev/null
+++ b/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
@@ -0,0 +1,33 @@
+From c095508770aebf1b9218e77026e48345d719b17c Mon Sep 17 00:00:00 2001
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Tue, 2 Jan 2018 19:44:34 +0000
+Subject: [PATCH] RDS: Heap OOB write in rds_message_alloc_sgs()
+
+When args->nr_local is 0, nr_pages gets also 0 due some size
+calculation via rds_rm_size(), which is later used to allocate
+pages for DMA, this bug produces a heap Out-Of-Bound write access
+to a specific memory region.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/rds/rdma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/rds/rdma.c b/net/rds/rdma.c
+index bc2f1e0977d6..94729d9da437 100644
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -525,6 +525,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
+
+ local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;
+
++ if (args->nr_local == 0)
++ return -EINVAL;
++
+ /* figure out the number of pages in the vector */
+ for (i = 0; i < args->nr_local; i++) {
+ if (copy_from_user(&vec, &local_vec[i],
+--
+2.15.1
+
diff --git a/RDS-null-pointer-dereference-in-rds_atomic_free_op.patch b/RDS-null-pointer-dereference-in-rds_atomic_free_op.patch
new file mode 100644
index 000000000..4317a1cf5
--- /dev/null
+++ b/RDS-null-pointer-dereference-in-rds_atomic_free_op.patch
@@ -0,0 +1,31 @@
+From 7d11f77f84b27cef452cee332f4e469503084737 Mon Sep 17 00:00:00 2001
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Wed, 3 Jan 2018 21:06:06 +0000
+Subject: [PATCH] RDS: null pointer dereference in rds_atomic_free_op
+
+set rm->atomic.op_active to 0 when rds_pin_pages() fails
+or the user supplied address is invalid,
+this prevents a NULL pointer usage in rds_atomic_free_op()
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/rds/rdma.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/rds/rdma.c b/net/rds/rdma.c
+index 94729d9da437..634cfcb7bba6 100644
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -877,6 +877,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm,
+ err:
+ if (page)
+ put_page(page);
++ rm->atomic.op_active = 0;
+ kfree(rm->atomic.op_notifier);
+
+ return ret;
+--
+2.15.1
+
diff --git a/kernel.spec b/kernel.spec
index b4be63267..490bb4576 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -647,6 +647,12 @@ Patch506: e1000e-Fix-e1000_check_for_copper_link_ich8lan-return-value..patch
# CVE-2018-5344 rhbz 1533909 1533911
Patch507: loop-fix-concurrent-lo_open-lo_release.patch
+# CVE-2018-5332 rhbz 1533890 1533895
+Patch508: RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
+
+# CVE-2018-5333 rhbz 1533891 1533895
+Patch509: RDS-null-pointer-dereference-in-rds_atomic_free_op.patch
+
# 550-600 Meltdown and Spectre Fixes
Patch550: prevent-bounds-check-bypass-via-speculative-execution.patch
Patch551: 0001-x86-cpufeatures-Add-X86_BUG_SPECTRE_V-12.patch
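Review bot: The two new Patch entries carry an ordering dependency that the spec does not record: both patch files modify net/rds/rdma.c, and the second's `index 94729d9da437..634cfcb7bba6` line starts from the blob the first produces (`index bc2f1e0977d6..94729d9da437`), so Patch509 is written against the tree after Patch508 has been applied. Worth stating next to the entries so a later reshuffle of patch numbers does not break the chain, e.g. `# Patch509 depends on Patch508 (both touch net/rds/rdma.c; contexts chain)`. Please also confirm that this spec applies every numbered PatchN automatically in %prep; if it relies on explicit per-patch apply lines, none are part of this change and the two entries alone would be inert. The enclosing patch list continues outside the hunk.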
@@ -2248,6 +2254,8 @@ fi
%changelog
* Fri Jan 12 2018 Jeremy Cline <jeremy@jcline.org>
- Fix for CVE-2018-5344 (rhbz 1533909 1533911)
+- Fix for CVE-2018-5332 (rhbz 1533890 1533895)
+- Fix for CVE-2018-5333 (rhbz 1533891 1533895)
* Wed Jan 10 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.13-300
- Linux v4.14.13