authorJustin M. Forbes <jforbes@fedoraproject.org>2019-06-03 09:20:33 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2019-06-03 09:20:33 -0500
commit4e6258a4d9ffebd61ce0ef38e75d941359288fcd (patch)
treedf2a658b61edfba51373dc7a80611207963c5b4f
parentf54f966100f4b64ddce1b8c38d97eb57298c1a9f (diff)
downloadkernel-4e6258a4d9ffebd61ce0ef38e75d941359288fcd.tar.gz
kernel-4e6258a4d9ffebd61ce0ef38e75d941359288fcd.tar.xz
kernel-4e6258a4d9ffebd61ce0ef38e75d941359288fcd.zip
Fix CVE-2019-12378 CVE-2019-3846 CVE-2019-12380 CVE-2019-12381 CVE-2019-12382 CVE-2019-12379
-rw-r--r--0001-efi-x86-Add-missing-error-handling-to-old_memmap-1-1.patch87
-rw-r--r--0001-ip_sockglue-Fix-missing-check-bug-in-ip_ra_control.patch33
-rw-r--r--Buffer-overflow-read-checks-in-mwifiex.patch238
-rw-r--r--consolemap-fix-memory-leaking-bug.patch37
-rw-r--r--drm-edid-fix-missing-check-bug-in-drm_load_edid_firmware.patch37
-rw-r--r--ipv6_sockglue-fix-missing-check-bug-in-ip6_ra_control.patch33
-rw-r--r--kernel.spec26
7 files changed, 491 insertions, 0 deletions
diff --git a/0001-efi-x86-Add-missing-error-handling-to-old_memmap-1-1.patch b/0001-efi-x86-Add-missing-error-handling-to-old_memmap-1-1.patch
new file mode 100644
index 000000000..8a773a84c
--- /dev/null
+++ b/0001-efi-x86-Add-missing-error-handling-to-old_memmap-1-1.patch
@@ -0,0 +1,87 @@
+From 4e78921ba4dd0aca1cc89168f45039add4183f8e Mon Sep 17 00:00:00 2001
+From: Gen Zhang <blackgod016574@gmail.com>
+Date: Sat, 25 May 2019 13:25:58 +0200
+Subject: [PATCH] efi/x86/Add missing error handling to old_memmap 1:1 mapping
+ code
+
+The old_memmap flow in efi_call_phys_prolog() performs numerous memory
+allocations, and either does not check for failure at all, or it does
+but fails to propagate it back to the caller, which may end up calling
+into the firmware with an incomplete 1:1 mapping.
+
+So let's fix this by returning NULL from efi_call_phys_prolog() on
+memory allocation failures only, and by handling this condition in the
+caller. Also, clean up any half baked sets of page tables that we may
+have created before returning with a NULL return value.
+
+Note that any failure at this level will trigger a panic() two levels
+up, so none of this makes a huge difference, but it is a nice cleanup
+nonetheless.
+
+[ardb: update commit log, add efi_call_phys_epilog() call on error path]
+
+Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rob Bradford <robert.bradford@intel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20190525112559.7917-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/platform/efi/efi.c | 2 ++
+ arch/x86/platform/efi/efi_64.c | 9 ++++++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
+index e1cb01a22fa8..a7189a3b4d70 100644
+--- a/arch/x86/platform/efi/efi.c
++++ b/arch/x86/platform/efi/efi.c
+@@ -85,6 +85,8 @@ static efi_status_t __init phys_efi_set_virtual_address_map(
+ pgd_t *save_pgd;
+
+ save_pgd = efi_call_phys_prolog();
++ if (!save_pgd)
++ return EFI_ABORTED;
+
+ /* Disable interrupts around EFI calls: */
+ local_irq_save(flags);
+diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
+index cf0347f61b21..08ce8177c3af 100644
+--- a/arch/x86/platform/efi/efi_64.c
++++ b/arch/x86/platform/efi/efi_64.c
+@@ -84,13 +84,15 @@ pgd_t * __init efi_call_phys_prolog(void)
+
+ if (!efi_enabled(EFI_OLD_MEMMAP)) {
+ efi_switch_mm(&efi_mm);
+- return NULL;
++ return efi_mm.pgd;
+ }
+
+ early_code_mapping_set_exec(1);
+
+ n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT), PGDIR_SIZE);
+ save_pgd = kmalloc_array(n_pgds, sizeof(*save_pgd), GFP_KERNEL);
++ if (!save_pgd)
++ return NULL;
+
+ /*
+ * Build 1:1 identity mapping for efi=old_map usage. Note that
+@@ -138,10 +140,11 @@ pgd_t * __init efi_call_phys_prolog(void)
+ pgd_offset_k(pgd * PGDIR_SIZE)->pgd &= ~_PAGE_NX;
+ }
+
+-out:
+ __flush_tlb_all();
+-
+ return save_pgd;
++out:
++ efi_call_phys_epilog(save_pgd);
++ return NULL;
+ }
+
+ void __init efi_call_phys_epilog(pgd_t *save_pgd)
+--
+2.21.0
+
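Review bot: The new `out:` path hands `efi_call_phys_epilog(save_pgd)` a buffer that was obtained with `kmalloc_array` (not zeroed) and, going by the commit text about "half baked" page tables, is presumably only partly filled when a later allocation fails; if the restore loop in epilog (outside the hunk) walks all `n_pgds` entries, the unfilled slots are indeterminate and get written back into the kernel PGD. Switching to `kcalloc` would not help, since restoring a zero entry would equally clobber a live mapping that was never saved. A safer shape is to snapshot every current PGD entry into `save_pgd[]` before the first page-table allocation, so a full restore is a no-op for untouched slots, or to record how many entries were saved and have epilog stop there. `efi_call_phys_prolog` begins above the hunk, so the loop that fills `save_pgd[]` is not visible here and this should be confirmed against it.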
diff --git a/0001-ip_sockglue-Fix-missing-check-bug-in-ip_ra_control.patch b/0001-ip_sockglue-Fix-missing-check-bug-in-ip_ra_control.patch
new file mode 100644
index 000000000..de07ef732
--- /dev/null
+++ b/0001-ip_sockglue-Fix-missing-check-bug-in-ip_ra_control.patch
@@ -0,0 +1,33 @@
+From 425aa0e1d01513437668fa3d4a971168bbaa8515 Mon Sep 17 00:00:00 2001
+From: Gen Zhang <blackgod016574@gmail.com>
+Date: Fri, 24 May 2019 11:24:26 +0800
+Subject: [PATCH] ip_sockglue: Fix missing-check bug in ip_ra_control()
+
+In function ip_ra_control(), the pointer new_ra is allocated a memory
+space via kmalloc(). And it is used in the following codes. However,
+when there is a memory allocation error, kmalloc() fails. Thus null
+pointer dereference may happen. And it will cause the kernel to crash.
+Therefore, we should check the return value and handle the error.
+
+Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv4/ip_sockglue.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index 82f341e84fae..aa3fd61818c4 100644
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -343,6 +343,8 @@ int ip_ra_control(struct sock *sk, unsigned char on,
+ return -EINVAL;
+
+ new_ra = on ? kmalloc(sizeof(*new_ra), GFP_KERNEL) : NULL;
++ if (on && !new_ra)
++ return -ENOMEM;
+
+ mutex_lock(&net->ipv4.ra_mutex);
+ for (rap = &net->ipv4.ra_chain;
+--
+2.21.0
+
diff --git a/Buffer-overflow-read-checks-in-mwifiex.patch b/Buffer-overflow-read-checks-in-mwifiex.patch
new file mode 100644
index 000000000..00ae1fa9c
--- /dev/null
+++ b/Buffer-overflow-read-checks-in-mwifiex.patch
@@ -0,0 +1,238 @@
+From patchwork Wed May 29 12:52:19 2019
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+X-Patchwork-Submitter: Takashi Iwai <tiwai@suse.de>
+X-Patchwork-Id: 10967049
+X-Patchwork-Delegate: kvalo@adurom.com
+Return-Path: <linux-wireless-owner@kernel.org>
+Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
+ [172.30.200.125])
+ by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3C6B01575
+ for <patchwork-linux-wireless@patchwork.kernel.org>;
+ Wed, 29 May 2019 12:52:41 +0000 (UTC)
+Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
+ by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2FD42287D4
+ for <patchwork-linux-wireless@patchwork.kernel.org>;
+ Wed, 29 May 2019 12:52:41 +0000 (UTC)
+Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
+ id 2E25D2897A; Wed, 29 May 2019 12:52:41 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
+ pdx-wl-mail.web.codeaurora.org
+X-Spam-Level:
+X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
+ RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+ by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A60B52895F
+ for <patchwork-linux-wireless@patchwork.kernel.org>;
+ Wed, 29 May 2019 12:52:40 +0000 (UTC)
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1727034AbfE2Mwk (ORCPT
+ <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
+ Wed, 29 May 2019 08:52:40 -0400
+Received: from mx2.suse.de ([195.135.220.15]:33780 "EHLO mx1.suse.de"
+ rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
+ id S1725936AbfE2Mwj (ORCPT <rfc822;linux-wireless@vger.kernel.org>);
+ Wed, 29 May 2019 08:52:39 -0400
+X-Virus-Scanned: by amavisd-new at test-mx.suse.de
+Received: from relay2.suse.de (unknown [195.135.220.254])
+ by mx1.suse.de (Postfix) with ESMTP id EA4CCB00B;
+ Wed, 29 May 2019 12:52:37 +0000 (UTC)
+From: Takashi Iwai <tiwai@suse.de>
+To: linux-wireless@vger.kernel.org
+Cc: Amitkumar Karwar <amitkarwar@gmail.com>,
+ Nishant Sarmukadam <nishants@marvell.com>,
+ Ganapathi Bhat <gbhat@marvell.com>,
+ Xinming Hu <huxinming820@gmail.com>,
+ Kalle Valo <kvalo@codeaurora.org>, huangwen@venustech.com.cn,
+ Solar Designer <solar@openwall.com>,
+ Marcus Meissner <meissner@suse.de>
+Subject: [PATCH 1/2] mwifiex: Fix possible buffer overflows at parsing bss
+ descriptor
+Date: Wed, 29 May 2019 14:52:19 +0200
+Message-Id: <20190529125220.17066-2-tiwai@suse.de>
+X-Mailer: git-send-email 2.16.4
+In-Reply-To: <20190529125220.17066-1-tiwai@suse.de>
+References: <20190529125220.17066-1-tiwai@suse.de>
+Sender: linux-wireless-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-wireless.vger.kernel.org>
+X-Mailing-List: linux-wireless@vger.kernel.org
+X-Virus-Scanned: ClamAV using ClamSMTP
+
+mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
+a couple places without checking the destination size. Since the
+source is given from user-space, this may trigger a heap buffer
+overflow.
+
+Fix it by putting the length check before performing memcpy().
+
+This fix addresses CVE-2019-3846.
+
+Reported-by: huangwen <huangwen@venustech.com.cn>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ drivers/net/wireless/marvell/mwifiex/scan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index 935778ec9a1b..64ab6fe78c0d 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -1247,6 +1247,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ }
+ switch (element_id) {
+ case WLAN_EID_SSID:
++ if (element_len > IEEE80211_MAX_SSID_LEN)
++ return -EINVAL;
+ bss_entry->ssid.ssid_len = element_len;
+ memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
+ element_len);
+@@ -1256,6 +1258,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_SUPP_RATES:
++ if (element_len > MWIFIEX_SUPPORTED_RATES)
++ return -EINVAL;
+ memcpy(bss_entry->data_rates, current_ptr + 2,
+ element_len);
+ memcpy(bss_entry->supported_rates, current_ptr + 2,
+
+From patchwork Wed May 29 12:52:20 2019
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+X-Patchwork-Submitter: Takashi Iwai <tiwai@suse.de>
+X-Patchwork-Id: 10967047
+X-Patchwork-Delegate: kvalo@adurom.com
+Return-Path: <linux-wireless-owner@kernel.org>
+Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
+ [172.30.200.125])
+ by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 05B0D92A
+ for <patchwork-linux-wireless@patchwork.kernel.org>;
+ Wed, 29 May 2019 12:52:41 +0000 (UTC)
+Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
+ by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EB3CC28972
+ for <patchwork-linux-wireless@patchwork.kernel.org>;
+ Wed, 29 May 2019 12:52:40 +0000 (UTC)
+Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
+ id DF23B28978; Wed, 29 May 2019 12:52:40 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
+ pdx-wl-mail.web.codeaurora.org
+X-Spam-Level:
+X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
+ RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+ by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8221B20121
+ for <patchwork-linux-wireless@patchwork.kernel.org>;
+ Wed, 29 May 2019 12:52:40 +0000 (UTC)
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1727023AbfE2Mwj (ORCPT
+ <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
+ Wed, 29 May 2019 08:52:39 -0400
+Received: from mx2.suse.de ([195.135.220.15]:33796 "EHLO mx1.suse.de"
+ rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
+ id S1727017AbfE2Mwj (ORCPT <rfc822;linux-wireless@vger.kernel.org>);
+ Wed, 29 May 2019 08:52:39 -0400
+X-Virus-Scanned: by amavisd-new at test-mx.suse.de
+Received: from relay2.suse.de (unknown [195.135.220.254])
+ by mx1.suse.de (Postfix) with ESMTP id 06E82B010;
+ Wed, 29 May 2019 12:52:38 +0000 (UTC)
+From: Takashi Iwai <tiwai@suse.de>
+To: linux-wireless@vger.kernel.org
+Cc: Amitkumar Karwar <amitkarwar@gmail.com>,
+ Nishant Sarmukadam <nishants@marvell.com>,
+ Ganapathi Bhat <gbhat@marvell.com>,
+ Xinming Hu <huxinming820@gmail.com>,
+ Kalle Valo <kvalo@codeaurora.org>, huangwen@venustech.com.cn,
+ Solar Designer <solar@openwall.com>,
+ Marcus Meissner <meissner@suse.de>
+Subject: [PATCH 2/2] mwifiex: Abort at too short BSS descriptor element
+Date: Wed, 29 May 2019 14:52:20 +0200
+Message-Id: <20190529125220.17066-3-tiwai@suse.de>
+X-Mailer: git-send-email 2.16.4
+In-Reply-To: <20190529125220.17066-1-tiwai@suse.de>
+References: <20190529125220.17066-1-tiwai@suse.de>
+Sender: linux-wireless-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-wireless.vger.kernel.org>
+X-Mailing-List: linux-wireless@vger.kernel.org
+X-Virus-Scanned: ClamAV using ClamSMTP
+
+Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that
+the source descriptor entries contain the enough size for each type
+and performs copying without checking the source size. This may lead
+to read over boundary.
+
+Fix this by putting the source size check in appropriate places.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ drivers/net/wireless/marvell/mwifiex/scan.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index 64ab6fe78c0d..c269a0de9413 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -1269,6 +1269,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_FH_PARAMS:
++ if (element_len + 2 < sizeof(*fh_param_set))
++ return -EINVAL;
+ fh_param_set =
+ (struct ieee_types_fh_param_set *) current_ptr;
+ memcpy(&bss_entry->phy_param_set.fh_param_set,
+@@ -1277,6 +1279,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_DS_PARAMS:
++ if (element_len + 2 < sizeof(*ds_param_set))
++ return -EINVAL;
+ ds_param_set =
+ (struct ieee_types_ds_param_set *) current_ptr;
+
+@@ -1288,6 +1292,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_CF_PARAMS:
++ if (element_len + 2 < sizeof(*cf_param_set))
++ return -EINVAL;
+ cf_param_set =
+ (struct ieee_types_cf_param_set *) current_ptr;
+ memcpy(&bss_entry->ss_param_set.cf_param_set,
+@@ -1296,6 +1302,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_IBSS_PARAMS:
++ if (element_len + 2 < sizeof(*ibss_param_set))
++ return -EINVAL;
+ ibss_param_set =
+ (struct ieee_types_ibss_param_set *)
+ current_ptr;
+@@ -1305,10 +1313,14 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_ERP_INFO:
++ if (!element_len)
++ return -EINVAL;
+ bss_entry->erp_flags = *(current_ptr + 2);
+ break;
+
+ case WLAN_EID_PWR_CONSTRAINT:
++ if (!element_len)
++ return -EINVAL;
+ bss_entry->local_constraint = *(current_ptr + 2);
+ bss_entry->sensed_11h = true;
+ break;
+@@ -1349,6 +1361,9 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_VENDOR_SPECIFIC:
++ if (element_len + 2 < sizeof(vendor_ie->vend_hdr))
++ return -EINVAL;
++
+ vendor_ie = (struct ieee_types_vendor_specific *)
+ current_ptr;
+
diff --git a/consolemap-fix-memory-leaking-bug.patch b/consolemap-fix-memory-leaking-bug.patch
new file mode 100644
index 000000000..04d16049a
--- /dev/null
+++ b/consolemap-fix-memory-leaking-bug.patch
@@ -0,0 +1,37 @@
+From 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac Mon Sep 17 00:00:00 2001
+From: Gen Zhang <blackgod016574@gmail.com>
+Date: Thu, 23 May 2019 08:34:52 +0800
+Subject: consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c
+
+In function con_insert_unipair(), when allocation for p2 and p1[n]
+fails, ENOMEM is returned, but previously allocated p1 is not freed,
+remains as leaking memory. Thus we should free p1 as well when this
+allocation fails.
+
+Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/vt/consolemap.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c
+index b28aa0d289f8..79fcc96cc7c0 100644
+--- a/drivers/tty/vt/consolemap.c
++++ b/drivers/tty/vt/consolemap.c
+@@ -489,7 +489,11 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos)
+ p2 = p1[n = (unicode >> 6) & 0x1f];
+ if (!p2) {
+ p2 = p1[n] = kmalloc_array(64, sizeof(u16), GFP_KERNEL);
+- if (!p2) return -ENOMEM;
++ if (!p2) {
++ kfree(p1);
++ p->uni_pgdir[n] = NULL;
++ return -ENOMEM;
++ }
+ memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */
+ }
+
+--
+cgit 1.2-0.3.lf.el7
+
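Review bot: `p->uni_pgdir[n] = NULL;` on the new error path uses the wrong index: `n` was reassigned on the line `p2 = p1[n = (unicode >> 6) & 0x1f];` to the row index (0–31), so this clears an unrelated directory slot while the slot that actually holds `p1` (indexed by `unicode >> 11`, assigned above the hunk) keeps pointing at memory that `kfree(p1)` just released. The `kfree(p1)` is also unconditional, yet `p1` is looked up before the hunk and may have existed before this call with other rows attached; freeing it then leaks those rows and leaves a dangling directory pointer for the next lookup to dereference. The fix is to keep the directory index in `n`, put the row index in its own local, and free `p1` only when this call allocated it (a `bool` set in the allocation branch above the hunk); both new locals are declared at the top of `con_insert_unipair`, which starts outside the hunk.
```c
	/* … unchanged (above the hunk): p1 = p->uni_pgdir[n = unicode >> 11];
	 * keep that n; set p1_new = true only in the branch that allocates p1 … */
	p2 = p1[row = (unicode >> 6) & 0x1f];
	if (!p2) {
		p2 = p1[row] = kmalloc_array(64, sizeof(u16), GFP_KERNEL);
		if (!p2) {
			if (p1_new) {
				kfree(p1);
				p->uni_pgdir[n] = NULL;
			}
			return -ENOMEM;
		}
		memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */
	}
```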
diff --git a/drm-edid-fix-missing-check-bug-in-drm_load_edid_firmware.patch b/drm-edid-fix-missing-check-bug-in-drm_load_edid_firmware.patch
new file mode 100644
index 000000000..a80a1a08e
--- /dev/null
+++ b/drm-edid-fix-missing-check-bug-in-drm_load_edid_firmware.patch
@@ -0,0 +1,37 @@
+From 9f1f1a2dab38d4ce87a13565cf4dc1b73bef3a5f Mon Sep 17 00:00:00 2001
+From: Gen Zhang <blackgod016574@gmail.com>
+Date: Fri, 24 May 2019 10:32:22 +0800
+Subject: drm/edid: Fix a missing-check bug in drm_load_edid_firmware()
+
+In drm_load_edid_firmware(), fwstr is allocated by kstrdup(). And fwstr
+is dereferenced in the following codes. However, memory allocation
+functions such as kstrdup() may fail and returns NULL. Dereferencing
+this null pointer may cause the kernel go wrong. Thus we should check
+this kstrdup() operation.
+Further, if kstrdup() returns NULL, we should return ERR_PTR(-ENOMEM) to
+the caller site.
+
+Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190524023222.GA5302@zhanggen-UX430UQ
+---
+ drivers/gpu/drm/drm_edid_load.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_edid_load.c b/drivers/gpu/drm/drm_edid_load.c
+index 18d52dc..2e8d043 100644
+--- a/drivers/gpu/drm/drm_edid_load.c
++++ b/drivers/gpu/drm/drm_edid_load.c
+@@ -293,6 +293,8 @@ struct edid *drm_load_edid_firmware(struct drm_connector *connector)
+ * the last one found one as a fallback.
+ */
+ fwstr = kstrdup(edid_firmware, GFP_KERNEL);
++ if (!fwstr)
++ return ERR_PTR(-ENOMEM);
+ edidstr = fwstr;
+
+ while ((edidname = strsep(&edidstr, ","))) {
+--
+cgit v1.1
+
diff --git a/ipv6_sockglue-fix-missing-check-bug-in-ip6_ra_control.patch b/ipv6_sockglue-fix-missing-check-bug-in-ip6_ra_control.patch
new file mode 100644
index 000000000..e17fc80a6
--- /dev/null
+++ b/ipv6_sockglue-fix-missing-check-bug-in-ip6_ra_control.patch
@@ -0,0 +1,33 @@
+From 95baa60a0da80a0143e3ddd4d3725758b4513825 Mon Sep 17 00:00:00 2001
+From: Gen Zhang <blackgod016574@gmail.com>
+Date: Fri, 24 May 2019 11:19:46 +0800
+Subject: ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()
+
+In function ip6_ra_control(), the pointer new_ra is allocated a memory
+space via kmalloc(). And it is used in the following codes. However,
+when there is a memory allocation error, kmalloc() fails. Thus null
+pointer dereference may happen. And it will cause the kernel to crash.
+Therefore, we should check the return value and handle the error.
+
+Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/ipv6_sockglue.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
+index 40f21fef25ff..0a3d035feb61 100644
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -68,6 +68,8 @@ int ip6_ra_control(struct sock *sk, int sel)
+ return -ENOPROTOOPT;
+
+ new_ra = (sel >= 0) ? kmalloc(sizeof(*new_ra), GFP_KERNEL) : NULL;
++ if (sel >= 0 && !new_ra)
++ return -ENOMEM;
+
+ write_lock_bh(&ip6_ra_lock);
+ for (rap = &ip6_ra_chain; (ra = *rap) != NULL; rap = &ra->next) {
+--
+cgit 1.2-0.3.lf.el7
+
diff --git a/kernel.spec b/kernel.spec
index 5a18ca480..01489c47a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -589,6 +589,24 @@ Patch526: 0001-platform-x86-ideapad-laptop-Remove-no_hw_rfkill_list.patch
# https://lore.kernel.org/linux-bluetooth/20190522070540.48895-1-marcel@holtmann.org/
Patch527: Bluetooth-Check-key-sizes-only-when-Secure-Simple-Pa.patch
+# CVE-2019-12378 rhbz 1715459 1715460
+Patch528: ipv6_sockglue-fix-missing-check-bug-in-ip6_ra_control.patch
+
+# CVE-2019-3846 rhbz 1713059 1715475
+Patch529: Buffer-overflow-read-checks-in-mwifiex.patch
+
+# CVE-2019-12380 rhbz 1715494 1715495
+Patch530: 0001-efi-x86-Add-missing-error-handling-to-old_memmap-1-1.patch
+
+# CVE-2019-12381 rhbz 1715501 1715502
+Patch531: 0001-ip_sockglue-Fix-missing-check-bug-in-ip_ra_control.patch
+
+# CVE-2019-12382 rhbz 1715554 1715556
+Patch532: drm-edid-fix-missing-check-bug-in-drm_load_edid_firmware.patch
+
+# CVE-2019-12379 rhbz 1715491 1715706
+Patch533: consolemap-fix-memory-leaking-bug.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1827,6 +1845,14 @@ fi
#
#
%changelog
+* Mon Jun 03 2019 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2019-12378 (rhbz 1715459 1715460)
+- Fix CVE-2019-3846 (rhbz 1713059 1715475)
+- Fix CVE-2019-12380 (rhbz 1715494 1715495)
+- Fix CVE-2019-12381 (rhbz 1715501 1715502)
+- Fix CVE-2019-12382 (rhbz 1715554 1715556)
+- Fix CVE-2019-12379 (rhbz 1715491 1715706)
+
* Fri May 31 2019 Laura Abbott <labbott@redhat.com> - 5.1.6-300
- Linux v5.1.6
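Review bot: The new changelog header `* Mon Jun 03 2019 Justin M. Forbes <jforbes@fedoraproject.org>` omits the `- <version>-<release>` suffix that the previous entry carries (`- 5.1.6-300`), and no Release bump is visible in this diff; if the release is derived elsewhere in the spec that is harmless, otherwise the rebuilt package will not be distinguishable from 5.1.6-300 by NVR. `Patch528` through `Patch533` are declared here, but the `%prep` section that applies them is outside the diff; if patches in this range are not applied automatically, each also needs its apply step. The per-patch `# CVE-… rhbz …` comments are the useful part — consider also citing the upstream commit id for each (they are in the patch headers) so the backports can be matched against later stable updates.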