diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2019-05-22 11:28:11 +0200 |
|---|---|---|
| committer | Adrian Mangeac <Adrian.Mangeac@enea.com> | 2019-05-22 12:51:22 +0200 |
| commit | 475fde15fe18086db2e036cb84d9e52c5e985168 (patch) | |
| tree | da0ff4810f97114a97588d3937d46d8b5aa66583 | |
| parent | 2f82420c0c5a92fcae68848dd03a4e05705edce4 (diff) | |
| download | enea-kernel-cache-475fde15fe18086db2e036cb84d9e52c5e985168.tar.gz | |
jfs: CVE-2018-12233
jfs: Fix inconsistency between memory allocation and ea_buf->max_size
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-12233
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=7d29fb53439c8c91874550cc078eda6db8feafe7
Change-Id: I04e74887dc9a21408035615d93c6cfe6d26b3feb
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
| -rw-r--r-- | patches/cve/CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch b/patches/cve/CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch new file mode 100644 index 0000000..29321c1 --- /dev/null +++ b/patches/cve/CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch | |||
| @@ -0,0 +1,52 @@ | |||
| 1 | From 7d29fb53439c8c91874550cc078eda6db8feafe7 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Shankara Pailoor <shankarapailoor@gmail.com> | ||
| 3 | Date: Tue, 5 Jun 2018 08:33:27 -0500 | ||
| 4 | Subject: [PATCH] jfs: Fix inconsistency between memory allocation and | ||
| 5 | ea_buf->max_size | ||
| 6 | |||
| 7 | commit 92d34134193e5b129dc24f8d79cb9196626e8d7a upstream. | ||
| 8 | |||
| 9 | The code is assuming the buffer is max_size length, but we weren't | ||
| 10 | allocating enough space for it. | ||
| 11 | |||
| 12 | CVE: CVE-2018-12233 | ||
| 13 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=7d29fb53439c8c91874550cc078eda6db8feafe7] | ||
| 14 | |||
| 15 | Signed-off-by: Shankara Pailoor <shankarapailoor@gmail.com> | ||
| 16 | Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com> | ||
| 17 | Cc: Guenter Roeck <linux@roeck-us.net> | ||
| 18 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 19 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 20 | --- | ||
| 21 | fs/jfs/xattr.c | 10 ++++++---- | ||
| 22 | 1 file changed, 6 insertions(+), 4 deletions(-) | ||
| 23 | |||
| 24 | diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c | ||
| 25 | index c60f3d32ee91..a6797986b625 100644 | ||
| 26 | --- a/fs/jfs/xattr.c | ||
| 27 | +++ b/fs/jfs/xattr.c | ||
| 28 | @@ -491,15 +491,17 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size) | ||
| 29 | if (size > PSIZE) { | ||
| 30 | /* | ||
| 31 | * To keep the rest of the code simple. Allocate a | ||
| 32 | - * contiguous buffer to work with | ||
| 33 | + * contiguous buffer to work with. Make the buffer large | ||
| 34 | + * enough to make use of the whole extent. | ||
| 35 | */ | ||
| 36 | - ea_buf->xattr = kmalloc(size, GFP_KERNEL); | ||
| 37 | + ea_buf->max_size = (size + sb->s_blocksize - 1) & | ||
| 38 | + ~(sb->s_blocksize - 1); | ||
| 39 | + | ||
| 40 | + ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL); | ||
| 41 | if (ea_buf->xattr == NULL) | ||
| 42 | return -ENOMEM; | ||
| 43 | |||
| 44 | ea_buf->flag = EA_MALLOC; | ||
| 45 | - ea_buf->max_size = (size + sb->s_blocksize - 1) & | ||
| 46 | - ~(sb->s_blocksize - 1); | ||
| 47 | |||
| 48 | if (ea_size == 0) | ||
| 49 | return 0; | ||
| 50 | -- | ||
| 51 | 2.20.1 | ||
| 52 | |||