authorThorsten Leemhuis <fedora@leemhuis.info>2018-05-30 08:32:04 +0200
committerThorsten Leemhuis <fedora@leemhuis.info>2018-05-30 08:32:04 +0200
commitf3e29be1d9d424170a3d4a286f4e23d1ed1634f2 (patch)
treec80fa31cb5c0d7502aeec704a002bcf52790f898
parent39e3aee01e28250ecd9d4b8fc5be3fc15a2126e5 (diff)
parent7cbd09983ea552a3bc0ad50abd68423a35ac15dd (diff)
Merge remote-tracking branch 'origin/f27' into f27-user-thl-vanilla-fedora
-rw-r--r--arm-crypto-sunxi-ss-Add-MODULE_ALIAS-to-sun4i-ss.patch28
-rw-r--r--ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch70
-rw-r--r--kernel.spec10
3 files changed, 76 insertions, 32 deletions
diff --git a/arm-crypto-sunxi-ss-Add-MODULE_ALIAS-to-sun4i-ss.patch b/arm-crypto-sunxi-ss-Add-MODULE_ALIAS-to-sun4i-ss.patch
deleted file mode 100644
index 45941edd0..000000000
--- a/arm-crypto-sunxi-ss-Add-MODULE_ALIAS-to-sun4i-ss.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 7a2e67bfa5316e267e782477ec880e2464fd682a Mon Sep 17 00:00:00 2001
-From: Peter Robinson <pbrobinson@gmail.com>
-Date: Sun, 11 Feb 2018 21:28:41 +0000
-Subject: [PATCH] crypto: sunxi-ss: Add MODULE_ALIAS to sun4i-ss
-
-The MODULE_ALIAS is required to enable the sun4i-ss driver to load
-automatically when built at a module. Tested on a Cubietruck.
-
-Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
----
- drivers/crypto/sunxi-ss/sun4i-ss-core.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-core.c b/drivers/crypto/sunxi-ss/sun4i-ss-core.c
-index 1547cbe13dc2..a81d89b3b7d8 100644
---- a/drivers/crypto/sunxi-ss/sun4i-ss-core.c
-+++ b/drivers/crypto/sunxi-ss/sun4i-ss-core.c
-@@ -451,6 +451,7 @@ static struct platform_driver sun4i_ss_driver = {
-
- module_platform_driver(sun4i_ss_driver);
-
-+MODULE_ALIAS("platform:sun4i-ss");
- MODULE_DESCRIPTION("Allwinner Security System cryptographic accelerator");
- MODULE_LICENSE("GPL");
- MODULE_AUTHOR("Corentin LABBE <clabbe.montjoie@gmail.com>");
---
-2.14.3
-
diff --git a/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch b/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch
new file mode 100644
index 000000000..6befea749
--- /dev/null
+++ b/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch
@@ -0,0 +1,70 @@
+From e787b36fc8d972fa762ddc91062812c26e0331c0 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 23 May 2018 11:31:03 -0400
+Subject: [PATCH] ext4: correctly handle a zero-length xattr with a non-zero
+ e_value_offs
+
+Ext4 will always create ext4 extended attributes which do not have a
+value (where e_value_size is zero) with e_value_offs set to zero. In
+most places e_value_offs will not be used in a substantive way if
+e_value_size is zero.
+
+There was one exception to this, which is in ext4_xattr_set_entry(),
+where if there is a maliciously crafted file system where there is an
+extended attribute with e_value_offs is non-zero and e_value_size is
+0, the attempt to remove this xattr will result in a negative value
+getting passed to memmove, leading to the following sadness:
+
+[ 41.225365] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
+[ 44.538641] BUG: unable to handle kernel paging request at ffff9ec9a3000000
+[ 44.538733] IP: __memmove+0x81/0x1a0
+[ 44.538755] PGD 1249bd067 P4D 1249bd067 PUD 1249c1067 PMD 80000001230000e1
+[ 44.538793] Oops: 0003 [#1] SMP PTI
+[ 44.539074] CPU: 0 PID: 1470 Comm: poc Not tainted 4.16.0-rc1+ #1
+ ...
+[ 44.539475] Call Trace:
+[ 44.539832] ext4_xattr_set_entry+0x9e7/0xf80
+ ...
+[ 44.539972] ext4_xattr_block_set+0x212/0xea0
+ ...
+[ 44.540041] ext4_xattr_set_handle+0x514/0x610
+[ 44.540065] ext4_xattr_set+0x7f/0x120
+[ 44.540090] __vfs_removexattr+0x4d/0x60
+[ 44.540112] vfs_removexattr+0x75/0xe0
+[ 44.540132] removexattr+0x4d/0x80
+ ...
+[ 44.540279] path_removexattr+0x91/0xb0
+[ 44.540300] SyS_removexattr+0xf/0x20
+[ 44.540322] do_syscall_64+0x71/0x120
+[ 44.540344] entry_SYSCALL_64_after_hwframe+0x21/0x86
+
+https://bugzilla.kernel.org/show_bug.cgi?id=199347
+
+This addresses CVE-2018-10840.
+
+Reported-by: "Xu, Wen" <wen.xu@gatech.edu>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Cc: stable@kernel.org
+Fixes: dec214d00e0d7 ("ext4: xattr inode deduplication")
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ fs/ext4/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
+index 499cb4b1fbd2..fc4ced59c565 100644
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1688,7 +1688,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i,
+
+ /* No failures allowed past this point. */
+
+- if (!s->not_found && here->e_value_offs) {
++ if (!s->not_found && here->e_value_size && here->e_value_offs) {
+ /* Remove the old value. */
+ void *first_val = s->base + min_offs;
+ size_t offs = le16_to_cpu(here->e_value_offs);
+--
+2.17.0
+
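Review bot: The tightened test `if (!s->not_found && here->e_value_size && here->e_value_offs)` covers only the zero-size entry; `offs` is still taken directly from the on-disk `e_value_offs`, and nothing visible in this hunk compares it with `min_offs` or the end of the xattr region before the old value is removed. If the memmove length is derived from `offs - min_offs`, as the "negative value" in the commit message suggests, an entry with a non-zero `e_value_size` and an offset below `min_offs` would presumably reach the same underflow unless entries are range-checked before this function runs. The body of `ext4_xattr_set_entry()` starts and ends outside the hunk, so that validation may well exist elsewhere. If it does, a comment such as `/* value offsets were range-checked when the xattr was read; only size == 0 can carry a stale e_value_offs here */` would record the assumption. If it does not, the function should reject `offs < min_offs` with `-EFSCORRUPTED` before the "No failures allowed past this point" line.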
diff --git a/kernel.spec b/kernel.spec
index 92509b8ff..2de3f03e0 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -604,9 +604,6 @@ Patch306: wcn36xx-Fix-firmware-crash-due-to-corrupted-buffer-address.patch
# https://patchwork.kernel.org/patch/10245303/
Patch307: wcn36xx-reduce-verbosity-of-drivers-messages.patch
-# https://www.spinics.net/lists/arm-kernel/msg632925.html
-Patch308: arm-crypto-sunxi-ss-Add-MODULE_ALIAS-to-sun4i-ss.patch
-
# Fix USB on the RPi https://patchwork.kernel.org/patch/9879371/
Patch309: bcm283x-dma-mapping-skip-USB-devices-when-configuring-DMA-during-probe.patch
@@ -689,6 +686,9 @@ Patch511: 0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
# https://www.spinics.net/lists/linux-acpi/msg82405.html
Patch512: mailbox-ACPI-erroneous-error-message-when-parsing-ACPI.patch
+# CVE-2018-10840 rhbz 1582346 1582348
+Patch513: ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1945,7 +1945,9 @@ fi
#
#
%changelog
-* Fri May 25 2018 Jeremy Cline <jeremy@jcline.org>
+* Fri May 25 2018 Jeremy Cline <jcline@redhat.com> - 4.16.12-200
+- Linux v4.16.12
+- Fix CVE-2018-10840 (rhbz 1582346 1582348)
- Fix for incorrect error message about parsing PCCT (rhbz 1435837)
* Tue May 22 2018 Jeremy Cline <jcline@redhat.com> - 4.16.11-200