summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJeremy Cline <jcline@redhat.com>2018-06-28 09:23:57 -0400
committerJeremy Cline <jcline@redhat.com>2018-06-28 09:26:53 -0400
commitcbe47dcd6f8bac735325796b43f27d07555e1d89 (patch)
treece0a3193773144518eabed9bdd20576456e9cd1a
parent4342af80cf699246191c0d53ec2c4d529cece4d2 (diff)
downloadkernel-cbe47dcd6f8bac735325796b43f27d07555e1d89.tar.gz
kernel-cbe47dcd6f8bac735325796b43f27d07555e1d89.tar.xz
kernel-cbe47dcd6f8bac735325796b43f27d07555e1d89.zip
Fix CVE-2018-12714 (rhbz 1595835 1595837)
Diffstat
-rw-r--r--CVE-2018-12714.patch64
-rw-r--r--kernel.spec6
2 files changed, 70 insertions, 0 deletions
diff --git a/CVE-2018-12714.patch b/CVE-2018-12714.patch
new file mode 100644
index 000000000..d3df531bb
--- /dev/null
+++ b/CVE-2018-12714.patch
@@ -0,0 +1,64 @@
+From 70303420b5721c38998cf987e6b7d30cc62d4ff1 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 21 Jun 2018 13:20:53 -0400
+Subject: [PATCH] tracing: Check for no filter when processing event filters
+
+The syzkaller detected a out-of-bounds issue with the events filter code,
+specifically here:
+
+ prog[N].pred = NULL; /* #13 */
+ prog[N].target = 1; /* TRUE */
+ prog[N+1].pred = NULL;
+ prog[N+1].target = 0; /* FALSE */
+-> prog[N-1].target = N;
+ prog[N-1].when_to_branch = false;
+
+As that's the first reference to a "N-1" index, it appears that the code got
+here with N = 0, which means the filter parser found no filter to parse
+(which shouldn't ever happen, but apparently it did).
+
+Add a new error to the parsing code that will check to make sure that N is
+not zero before going into this part of the code. If N = 0, then -EINVAL is
+returned, and a error message is added to the filter.
+
+Cc: stable@vger.kernel.org
+Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster")
+Reported-by: air icy <icytxw@gmail.com>
+bugzilla url: https://bugzilla.kernel.org/show_bug.cgi?id=200019
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ kernel/trace/trace_events_filter.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
+index e1c818dbc0d7..0dceb77d1d42 100644
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -78,7 +78,8 @@ static const char * ops[] = { OPS };
+ C(TOO_MANY_PREDS, "Too many terms in predicate expression"), \
+ C(INVALID_FILTER, "Meaningless filter expression"), \
+ C(IP_FIELD_ONLY, "Only 'ip' field is supported for function trace"), \
+- C(INVALID_VALUE, "Invalid value (did you forget quotes)?"),
++ C(INVALID_VALUE, "Invalid value (did you forget quotes)?"), \
++ C(NO_FILTER, "No filter found"),
+
+ #undef C
+ #define C(a, b) FILT_ERR_##a
+@@ -550,6 +551,13 @@ predicate_parse(const char *str, int nr_parens, int nr_preds,
+ goto out_free;
+ }
+
++ if (!N) {
++ /* No program? */
++ ret = -EINVAL;
++ parse_error(pe, FILT_ERR_NO_FILTER, ptr - str);
++ goto out_free;
++ }
++
+ prog[N].pred = NULL; /* #13 */
+ prog[N].target = 1; /* TRUE */
+ prog[N+1].pred = NULL;
+--
+2.17.1
+
diff --git a/kernel.spec b/kernel.spec
index 79cae2b73..8e58fea81 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -657,6 +657,9 @@ Patch514: 0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch
# rhbz 1591516
Patch515: 0001-signal-Stop-special-casing-TRAP_FIXME-and-FPE_FIXME-.patch
+# CVE-2018-12714 rhbz 1595835 1595837
+Patch516: CVE-2018-12714.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1906,6 +1909,9 @@ fi
#
#
%changelog
+* Thu Jun 28 2018 Jeremy Cline <jeremy@jcline.org>
+- Fix CVE-2018-12714 (rhbz 1595835 1595837)
+
* Tue Jun 26 2018 Jeremy Cline <jcline@redhat.com> - 4.17.3-100
- Linux v4.17.3
- Don't log an error if RTC_NVMEM isn't enabled (rhbz 1568276)
generated by cgit (git 2.34.1) at 2024-05-20 08:56:24 +0000