Fix CVE-2019-8980 (rhbz 1679972 1679974)

2 files changed, 100 insertions, 0 deletions

diff --git a/CVE-2019-8980.patch b/CVE-2019-8980.patch
new file mode 100644
index 000000000..e97fddb85
--- /dev/null
+++ b/CVE-2019-8980.patch
@@ -0,0 +1,94 @@
+From mboxrd@z Thu Jan  1 00:00:00 1970
+Return-Path: <SRS0=K7k5=Q2=vger.kernel.org=linux-kernel-owner@kernel.org>
+X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
+	aws-us-west-2-korg-lkml-1.web.codeaurora.org
+X-Spam-Level: 
+X-Spam-Status: No, score=-9.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
+	INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,USER_AGENT_GIT
+	autolearn=ham autolearn_force=no version=3.4.0
+Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
+	by smtp.lore.kernel.org (Postfix) with ESMTP id 57E0EC43381
+	for <linux-kernel@archiver.kernel.org>; Tue, 19 Feb 2019 02:10:56 +0000 (UTC)
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+	by mail.kernel.org (Postfix) with ESMTP id 2F614217F5
+	for <linux-kernel@archiver.kernel.org>; Tue, 19 Feb 2019 02:10:56 +0000 (UTC)
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+        id S1727560AbfBSCKy (ORCPT
+        <rfc822;linux-kernel@archiver.kernel.org>);
+        Mon, 18 Feb 2019 21:10:54 -0500
+Received: from szxga07-in.huawei.com ([45.249.212.35]:60042 "EHLO huawei.com"
+        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
+        id S1727030AbfBSCKx (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
+        Mon, 18 Feb 2019 21:10:53 -0500
+Received: from DGGEMS411-HUB.china.huawei.com (unknown [172.30.72.59])
+        by Forcepoint Email with ESMTP id C192C49B561BC8D7F47D;
+        Tue, 19 Feb 2019 10:10:51 +0800 (CST)
+Received: from localhost (10.177.31.96) by DGGEMS411-HUB.china.huawei.com
+ (10.3.19.211) with Microsoft SMTP Server id 14.3.408.0; Tue, 19 Feb 2019
+ 10:10:43 +0800
+From:   YueHaibing <yuehaibing@huawei.com>
+To:     <viro@zeniv.linux.org.uk>
+CC:     <linux-kernel@vger.kernel.org>, <linux-fsdevel@vger.kernel.org>,
+        <dmitry.kasatkin@huawei.com>, <keescook@chromium.org>,
+        YueHaibing <yuehaibing@huawei.com>
+Subject: [PATCH -next] exec: Fix mem leak in kernel_read_file
+Date:   Tue, 19 Feb 2019 10:10:38 +0800
+Message-ID: <20190219021038.11340-1-yuehaibing@huawei.com>
+X-Mailer: git-send-email 2.10.2.windows.1
+MIME-Version: 1.0
+Content-Type: text/plain
+X-Originating-IP: [10.177.31.96]
+X-CFilter-Loop: Reflected
+Sender: linux-kernel-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-kernel.vger.kernel.org>
+X-Mailing-List: linux-kernel@vger.kernel.org
+Archived-At: <https://lore.kernel.org/lkml/20190219021038.11340-1-yuehaibing@huawei.com/>
+List-Archive: <https://lore.kernel.org/lkml/>
+List-Post: <mailto:linux-kernel@vger.kernel.org>
+
+syzkaller report this:
+BUG: memory leak
+unreferenced object 0xffffc9000488d000 (size 9195520):
+  comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
+  hex dump (first 32 bytes):
+    ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00  ................
+    02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff  ..........z.....
+  backtrace:
+    [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
+    [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
+    [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
+    [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
+    [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
+    [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
+    [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+    [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+    [<00000000241f889b>] 0xffffffffffffffff
+
+It should goto 'out_free' lable to free allocated buf while kernel_read
+fails.
+
+Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 7a4b5ef..2e00333 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -932,7 +932,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
+ 		bytes = kernel_read(file, *buf + pos, i_size - pos, &pos);
+ 		if (bytes < 0) {
+ 			ret = bytes;
+-			goto out;
++			goto out_free;
+ 		}
+ 
+ 		if (bytes == 0)
+-- 
+2.7.0
+
+
+
diff --git a/kernel.spec b/kernel.spec
index 1e2e86070..b93ad671e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -641,6 +641,9 @@ Patch508: 0001-drm-nouveau-register-backlight-on-pascal-and-newer.patch
 # CVE-2019-8912 rhbz 1678685 1678686
 Patch509: net-crypto-set-sk-to-NULL-when-af_alg_release.patch
 
+# CVE-2019-8980 rhbz 1679972 1679974
+Patch510: CVE-2019-8980.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1926,6 +1929,9 @@ fi
 #
 #
 %changelog
+* Fri Feb 22 2019 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2019-8980 (rhbz 1679972 1679974)
+
 * Wed Feb 20 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 4.20.11-200
 - Linux v4.20.11