2 files changed, 53 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 58d731a..4a17a1b 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -66,3 +66,6 @@ patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
 #CVEs fixed in 4.9.151:
 patch CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch
+#CVEs fixed in 4.9.162:
+patch CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
diff --git a/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch b/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
new file mode 100644
index 0000000..f709596
--- /dev/null
+++ b/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
@@ -0,0 +1,50 @@
+From 331fc4df776be3e5a88a1a9f08ef2f7e063ef1a9 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 27 Feb 2019 21:29:52 +0100
+Subject: [PATCH] mm: enforce min addr even if capable() in expand_downwards()
+commit 0a1d52994d440e21def1c2174932410b4f2a98a1 upstream.
+security_mmap_addr() does a capability check with current_cred(), but
+we can reach this code from contexts like a VFS write handler where
+current_cred() must not be used.
+This can be abused on systems without SMAP to make NULL pointer
+dereferences exploitable again.
+CVE: CVE-2019-9213
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=331fc4df776be3e5a88a1a9f08ef2f7e063ef1a9]
+Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses")
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ mm/mmap.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 283755645d17..3f2314ad6acd 100644
+--- a/mm/mmap.c
+++ b/mm/mmap.c
+@@ -2345,12 +2345,11 @@ int expand_downwards(struct vm_area_struct *vma,
+        struct mm_struct *mm = vma->vm_mm;
+        struct vm_area_struct *prev;
+        unsigned long gap_addr;
+-       int error;
+       int error = 0;
+ 
+        address &= PAGE_MASK;
+-       error = security_mmap_addr(address);
+-       if (error)
+-               return error;
+       if (address < mmap_min_addr)
+               return -EPERM;
+ 
+        /* Enforce stack_guard_gap */
+        gap_addr = address - stack_guard_gap;
+-- 
+2.20.1

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 58d731a..4a17a1b 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -66,3 +66,6 @@ patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
66		66
67	#CVEs fixed in 4.9.151:	67	#CVEs fixed in 4.9.151:
68	patch CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch	68	patch CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch
		69
		70	#CVEs fixed in 4.9.162:
		71	patch CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch


diff --git a/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch b/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch new file mode 100644 index 0000000..f709596 --- /dev/null +++ b/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
@@ -0,0 +1,50 @@
		1	From 331fc4df776be3e5a88a1a9f08ef2f7e063ef1a9 Mon Sep 17 00:00:00 2001
		2	From: Jann Horn <jannh@google.com>
		3	Date: Wed, 27 Feb 2019 21:29:52 +0100
		4	Subject: [PATCH] mm: enforce min addr even if capable() in expand_downwards()
		5
		6	commit 0a1d52994d440e21def1c2174932410b4f2a98a1 upstream.
		7
		8	security_mmap_addr() does a capability check with current_cred(), but
		9	we can reach this code from contexts like a VFS write handler where
		10	current_cred() must not be used.
		11
		12	This can be abused on systems without SMAP to make NULL pointer
		13	dereferences exploitable again.
		14
		15	CVE: CVE-2019-9213
		16	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=331fc4df776be3e5a88a1a9f08ef2f7e063ef1a9]
		17
		18	Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses")
		19	Cc: stable@kernel.org
		20	Signed-off-by: Jann Horn <jannh@google.com>
		21	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
		22	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		23	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		24	---
		25	mm/mmap.c \| 7 +++----
		26	1 file changed, 3 insertions(+), 4 deletions(-)
		27
		28	diff --git a/mm/mmap.c b/mm/mmap.c
		29	index 283755645d17..3f2314ad6acd 100644
		30	--- a/mm/mmap.c
		31	+++ b/mm/mmap.c
		32	@@ -2345,12 +2345,11 @@ int expand_downwards(struct vm_area_struct *vma,
		33	struct mm_struct *mm = vma->vm_mm;
		34	struct vm_area_struct *prev;
		35	unsigned long gap_addr;
		36	- int error;
		37	+ int error = 0;
		38
		39	address &= PAGE_MASK;
		40	- error = security_mmap_addr(address);
		41	- if (error)
		42	- return error;
		43	+ if (address < mmap_min_addr)
		44	+ return -EPERM;
		45
		46	/* Enforce stack_guard_gap */
		47	gap_addr = address - stack_guard_gap;
		48	--
		49	2.20.1
		50