diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-15 10:12:36 +0200 |
|---|---|---|
| committer | Adrian Dudau <Adrian.Dudau@enea.com> | 2018-10-16 17:40:21 +0200 |
| commit | fef7211bf4e231920db714db7e298bcbaa9dad1f (patch) | |
| tree | 9047c41587a847351b74bed96fca9eaf9227e4f2 | |
| parent | ce810776fddc10b907aaa3555d43df21aec7e49d (diff) | |
| download | enea-kernel-cache-fef7211bf4e231920db714db7e298bcbaa9dad1f.tar.gz | |
jfs: CVE-2018-12233
jfs: Fix inconsistency between memory allocation and ea_buf->max_size
References:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=240d46556d5961c7100febbee0e058185b3c8d4f
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
Change-Id: I5aa9f19c9e63cf4ea1f312f9ae6438f0f512977b
| -rw-r--r-- | patches/cve/4.9.x.scc | 3 | ||||
| -rw-r--r-- | patches/cve/CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch | 48 |
2 files changed, 51 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 0840cbd..b5fb15d 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc | |||
| @@ -40,3 +40,6 @@ patch CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch | |||
| 40 | 40 | ||
| 41 | #CVEs fixed in 4.9.116: | 41 | #CVEs fixed in 4.9.116: |
| 42 | patch CVE-2018-5390-tcp-free-batches-of-packets-in-tcp_prune_ofo_queue.patch | 42 | patch CVE-2018-5390-tcp-free-batches-of-packets-in-tcp_prune_ofo_queue.patch |
| 43 | |||
| 44 | #CVEs fixed in 4.9.119: | ||
| 45 | patch CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch | ||
diff --git a/patches/cve/CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch b/patches/cve/CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch new file mode 100644 index 0000000..4b4ce0e --- /dev/null +++ b/patches/cve/CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch | |||
| @@ -0,0 +1,48 @@ | |||
| 1 | From 92d34134193e5b129dc24f8d79cb9196626e8d7a Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Shankara Pailoor <shankarapailoor@gmail.com> | ||
| 3 | Date: Tue, 5 Jun 2018 08:33:27 -0500 | ||
| 4 | Subject: [PATCH] jfs: Fix inconsistency between memory allocation and | ||
| 5 | ea_buf->max_size | ||
| 6 | |||
| 7 | The code is assuming the buffer is max_size length, but we weren't | ||
| 8 | allocating enough space for it. | ||
| 9 | |||
| 10 | CVE: CVE-2018-12233 | ||
| 11 | Upstream-Status: Backport | ||
| 12 | |||
| 13 | Signed-off-by: Shankara Pailoor <shankarapailoor@gmail.com> | ||
| 14 | Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com> | ||
| 15 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 16 | --- | ||
| 17 | fs/jfs/xattr.c | 10 ++++++---- | ||
| 18 | 1 file changed, 6 insertions(+), 4 deletions(-) | ||
| 19 | |||
| 20 | diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c | ||
| 21 | index c60f3d3..a679798 100644 | ||
| 22 | --- a/fs/jfs/xattr.c | ||
| 23 | +++ b/fs/jfs/xattr.c | ||
| 24 | @@ -491,15 +491,17 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size) | ||
| 25 | if (size > PSIZE) { | ||
| 26 | /* | ||
| 27 | * To keep the rest of the code simple. Allocate a | ||
| 28 | - * contiguous buffer to work with | ||
| 29 | + * contiguous buffer to work with. Make the buffer large | ||
| 30 | + * enough to make use of the whole extent. | ||
| 31 | */ | ||
| 32 | - ea_buf->xattr = kmalloc(size, GFP_KERNEL); | ||
| 33 | + ea_buf->max_size = (size + sb->s_blocksize - 1) & | ||
| 34 | + ~(sb->s_blocksize - 1); | ||
| 35 | + | ||
| 36 | + ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL); | ||
| 37 | if (ea_buf->xattr == NULL) | ||
| 38 | return -ENOMEM; | ||
| 39 | |||
| 40 | ea_buf->flag = EA_MALLOC; | ||
| 41 | - ea_buf->max_size = (size + sb->s_blocksize - 1) & | ||
| 42 | - ~(sb->s_blocksize - 1); | ||
| 43 | |||
| 44 | if (ea_size == 0) | ||
| 45 | return 0; | ||
| 46 | -- | ||
| 47 | |||
| 48 | |||