2 files changed, 43 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index cf11548..8e6776b 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -54,3 +54,6 @@ patch CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch
 #CVEs fixed in 4.9.128:
 patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
+#CVEs fixed in 4.9.138:
+patch CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch
diff --git a/patches/cve/CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch b/patches/cve/CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch
new file mode 100644
index 0000000..06940c5
--- /dev/null
+++ b/patches/cve/CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch
@@ -0,0 +1,40 @@
+From 7291d95a97fc89044301b197c760555e894e82c7 Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Thu, 8 Nov 2018 11:11:36 -0500
+Subject: [PATCH] nfsd: COPY and CLONE operations require the saved filehandle
+ to be set
+commit 01310bb7c9c98752cc763b36532fab028e0f8f81 upstream.
+Make sure we have a saved filehandle, otherwise we'll oops with a null
+pointer dereference in nfs4_preprocess_stateid_op().
+CVE: CVE-2018-16871
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=7291d95a97fc89044301b197c760555e894e82c7]
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/nfsd/nfs4proc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
+index e9495516527d..66985a6a7047 100644
+--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
+@@ -1016,6 +1016,9 @@ nfsd4_verify_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+ {
+        __be32 status;
+ 
+       if (!cstate->save_fh.fh_dentry)
+               return nfserr_nofilehandle;
+
+        status = nfs4_preprocess_stateid_op(rqstp, cstate, &cstate->save_fh,
+                                            src_stateid, RD_STATE, src, NULL);
+        if (status) {
+-- 
+2.20.1

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index cf11548..8e6776b 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -54,3 +54,6 @@ patch CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch
54		54
55	#CVEs fixed in 4.9.128:	55	#CVEs fixed in 4.9.128:
56	patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch	56	patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
		57
		58	#CVEs fixed in 4.9.138:
		59	patch CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch


diff --git a/patches/cve/CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch b/patches/cve/CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch new file mode 100644 index 0000000..06940c5 --- /dev/null +++ b/patches/cve/CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch
@@ -0,0 +1,40 @@
		1	From 7291d95a97fc89044301b197c760555e894e82c7 Mon Sep 17 00:00:00 2001
		2	From: Scott Mayhew <smayhew@redhat.com>
		3	Date: Thu, 8 Nov 2018 11:11:36 -0500
		4	Subject: [PATCH] nfsd: COPY and CLONE operations require the saved filehandle
		5	to be set
		6
		7	commit 01310bb7c9c98752cc763b36532fab028e0f8f81 upstream.
		8
		9	Make sure we have a saved filehandle, otherwise we'll oops with a null
		10	pointer dereference in nfs4_preprocess_stateid_op().
		11
		12	CVE: CVE-2018-16871
		13	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=7291d95a97fc89044301b197c760555e894e82c7]
		14
		15	Signed-off-by: Scott Mayhew <smayhew@redhat.com>
		16	Cc: stable@vger.kernel.org
		17	Signed-off-by: J. Bruce Fields <bfields@redhat.com>
		18	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		19	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		20	---
		21	fs/nfsd/nfs4proc.c \| 3 +++
		22	1 file changed, 3 insertions(+)
		23
		24	diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
		25	index e9495516527d..66985a6a7047 100644
		26	--- a/fs/nfsd/nfs4proc.c
		27	+++ b/fs/nfsd/nfs4proc.c
		28	@@ -1016,6 +1016,9 @@ nfsd4_verify_copy(struct svc_rqst rqstp, struct nfsd4_compound_state cstate,
		29	{
		30	__be32 status;
		31
		32	+ if (!cstate->save_fh.fh_dentry)
		33	+ return nfserr_nofilehandle;
		34	+
		35	status = nfs4_preprocess_stateid_op(rqstp, cstate, &cstate->save_fh,
		36	src_stateid, RD_STATE, src, NULL);
		37	if (status) {
		38	--
		39	2.20.1
		40