From 475fde15fe18086db2e036cb84d9e52c5e985168 Mon Sep 17 00:00:00 2001
From: Andreas Wellving <andreas.wellving@enea.com>
Date: Wed, 22 May 2019 11:28:11 +0200
Subject: jfs: CVE-2018-12233

jfs: Fix inconsistency between memory allocation and ea_buf->max_size

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-12233
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=7d29fb53439c8c91874550cc078eda6db8feafe7

Change-Id: I04e74887dc9a21408035615d93c6cfe6d26b3feb
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
---
 ...onsistency-between-memory-allocation-and-.patch | 52 ++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 patches/cve/CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch

diff --git a/patches/cve/CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch b/patches/cve/CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch
new file mode 100644
index 0000000..29321c1
--- /dev/null
+++ b/patches/cve/CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch
@@ -0,0 +1,52 @@
+From 7d29fb53439c8c91874550cc078eda6db8feafe7 Mon Sep 17 00:00:00 2001
+From: Shankara Pailoor <shankarapailoor@gmail.com>
+Date: Tue, 5 Jun 2018 08:33:27 -0500
+Subject: [PATCH] jfs: Fix inconsistency between memory allocation and
+ ea_buf->max_size
+
+commit 92d34134193e5b129dc24f8d79cb9196626e8d7a upstream.
+
+The code is assuming the buffer is max_size length, but we weren't
+allocating enough space for it.
+
+CVE: CVE-2018-12233
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=7d29fb53439c8c91874550cc078eda6db8feafe7]
+
+Signed-off-by: Shankara Pailoor <shankarapailoor@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/jfs/xattr.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
+index c60f3d32ee91..a6797986b625 100644
+--- a/fs/jfs/xattr.c
++++ b/fs/jfs/xattr.c
+@@ -491,15 +491,17 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size)
+ 	if (size > PSIZE) {
+ 		/*
+ 		 * To keep the rest of the code simple.  Allocate a
+-		 * contiguous buffer to work with
++		 * contiguous buffer to work with. Make the buffer large
++		 * enough to make use of the whole extent.
+ 		 */
+-		ea_buf->xattr = kmalloc(size, GFP_KERNEL);
++		ea_buf->max_size = (size + sb->s_blocksize - 1) &
++		    ~(sb->s_blocksize - 1);
++
++		ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL);
+ 		if (ea_buf->xattr == NULL)
+ 			return -ENOMEM;
+ 
+ 		ea_buf->flag = EA_MALLOC;
+-		ea_buf->max_size = (size + sb->s_blocksize - 1) &
+-		    ~(sb->s_blocksize - 1);
+ 
+ 		if (ea_size == 0)
+ 			return 0;
+-- 
+2.20.1
+
-- 
cgit v1.2.3-54-g00ecf