diff options
author | Jeremy Cline <jcline@redhat.com> | 2018-06-28 09:23:57 -0400 |
---|---|---|
committer | Jeremy Cline <jcline@redhat.com> | 2018-06-28 09:26:53 -0400 |
commit | cbe47dcd6f8bac735325796b43f27d07555e1d89 (patch) | |
tree | ce0a3193773144518eabed9bdd20576456e9cd1a | |
parent | 4342af80cf699246191c0d53ec2c4d529cece4d2 (diff) | |
download | kernel-cbe47dcd6f8bac735325796b43f27d07555e1d89.tar.gz kernel-cbe47dcd6f8bac735325796b43f27d07555e1d89.tar.xz kernel-cbe47dcd6f8bac735325796b43f27d07555e1d89.zip |
Fix CVE-2018-12714 (rhbz 1595835 1595837)
-rw-r--r-- | CVE-2018-12714.patch | 64 | ||||
-rw-r--r-- | kernel.spec | 6 |
2 files changed, 70 insertions, 0 deletions
diff --git a/CVE-2018-12714.patch b/CVE-2018-12714.patch new file mode 100644 index 000000000..d3df531bb --- /dev/null +++ b/CVE-2018-12714.patch @@ -0,0 +1,64 @@ +From 70303420b5721c38998cf987e6b7d30cc62d4ff1 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" <rostedt@goodmis.org> +Date: Thu, 21 Jun 2018 13:20:53 -0400 +Subject: [PATCH] tracing: Check for no filter when processing event filters + +The syzkaller detected a out-of-bounds issue with the events filter code, +specifically here: + + prog[N].pred = NULL; /* #13 */ + prog[N].target = 1; /* TRUE */ + prog[N+1].pred = NULL; + prog[N+1].target = 0; /* FALSE */ +-> prog[N-1].target = N; + prog[N-1].when_to_branch = false; + +As that's the first reference to a "N-1" index, it appears that the code got +here with N = 0, which means the filter parser found no filter to parse +(which shouldn't ever happen, but apparently it did). + +Add a new error to the parsing code that will check to make sure that N is +not zero before going into this part of the code. If N = 0, then -EINVAL is +returned, and a error message is added to the filter. + +Cc: stable@vger.kernel.org +Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster") +Reported-by: air icy <icytxw@gmail.com> +bugzilla url: https://bugzilla.kernel.org/show_bug.cgi?id=200019 +Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> +Signed-off-by: Jeremy Cline <jcline@redhat.com> +--- + kernel/trace/trace_events_filter.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c +index e1c818dbc0d7..0dceb77d1d42 100644 +--- a/kernel/trace/trace_events_filter.c ++++ b/kernel/trace/trace_events_filter.c +@@ -78,7 +78,8 @@ static const char * ops[] = { OPS }; + C(TOO_MANY_PREDS, "Too many terms in predicate expression"), \ + C(INVALID_FILTER, "Meaningless filter expression"), \ + C(IP_FIELD_ONLY, "Only 'ip' field is supported for function trace"), \ +- C(INVALID_VALUE, "Invalid value (did you forget quotes)?"), ++ C(INVALID_VALUE, "Invalid value (did you forget quotes)?"), \ ++ C(NO_FILTER, "No filter found"), + + #undef C + #define C(a, b) FILT_ERR_##a +@@ -550,6 +551,13 @@ predicate_parse(const char *str, int nr_parens, int nr_preds, + goto out_free; + } + ++ if (!N) { ++ /* No program? */ ++ ret = -EINVAL; ++ parse_error(pe, FILT_ERR_NO_FILTER, ptr - str); ++ goto out_free; ++ } ++ + prog[N].pred = NULL; /* #13 */ + prog[N].target = 1; /* TRUE */ + prog[N+1].pred = NULL; +-- +2.17.1 + diff --git a/kernel.spec b/kernel.spec index 79cae2b73..8e58fea81 100644 --- a/kernel.spec +++ b/kernel.spec @@ -657,6 +657,9 @@ Patch514: 0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch # rhbz 1591516 Patch515: 0001-signal-Stop-special-casing-TRAP_FIXME-and-FPE_FIXME-.patch +# CVE-2018-12714 rhbz 1595835 1595837 +Patch516: CVE-2018-12714.patch + # END OF PATCH DEFINITIONS %endif @@ -1906,6 +1909,9 @@ fi # # %changelog +* Thu Jun 28 2018 Jeremy Cline <jeremy@jcline.org> +- Fix CVE-2018-12714 (rhbz 1595835 1595837) + * Tue Jun 26 2018 Jeremy Cline <jcline@redhat.com> - 4.17.3-100 - Linux v4.17.3 - Don't log an error if RTC_NVMEM isn't enabled (rhbz 1568276) |