diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2019-07-10 08:03:31 +0200 |
|---|---|---|
| committer | Andreas Wellving <Andreas.Wellving@enea.com> | 2019-07-12 07:04:09 +0200 |
| commit | 3cbe4bb6c36dfc147faa755bc39215b0b296bdbd (patch) | |
| tree | 5c497b1e50af81077cf028ac7c34e5481a9093ab | |
| parent | 931bd5b8596c62a0ef12c5a02e815a3eb5e4ced8 (diff) | |
| download | enea-kernel-cache-3cbe4bb6c36dfc147faa755bc39215b0b296bdbd.tar.gz | |
nfsd: CVE-2018-16871
nfsd: COPY and CLONE operations require the saved filehandle to be set
References:
https://seclists.org/oss-sec/2019/q2/137
Change-Id: Ibf2f000bb8249ad9e18587bef131cc8e1daa2b4a
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
| -rw-r--r-- | patches/cve/4.9.x.scc | 3 | ||||
| -rw-r--r-- | patches/cve/CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch | 40 |
2 files changed, 43 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 9207275..b553f7e 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc | |||
| @@ -19,3 +19,6 @@ patch CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch | |||
| 19 | 19 | ||
| 20 | #CVEs fixed in 4.9.128: | 20 | #CVEs fixed in 4.9.128: |
| 21 | patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch | 21 | patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch |
| 22 | |||
| 23 | #CVEs fixed in 4.9.138: | ||
| 24 | patch CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch | ||
diff --git a/patches/cve/CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch b/patches/cve/CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch new file mode 100644 index 0000000..06940c5 --- /dev/null +++ b/patches/cve/CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch | |||
| @@ -0,0 +1,40 @@ | |||
| 1 | From 7291d95a97fc89044301b197c760555e894e82c7 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Scott Mayhew <smayhew@redhat.com> | ||
| 3 | Date: Thu, 8 Nov 2018 11:11:36 -0500 | ||
| 4 | Subject: [PATCH] nfsd: COPY and CLONE operations require the saved filehandle | ||
| 5 | to be set | ||
| 6 | |||
| 7 | commit 01310bb7c9c98752cc763b36532fab028e0f8f81 upstream. | ||
| 8 | |||
| 9 | Make sure we have a saved filehandle, otherwise we'll oops with a null | ||
| 10 | pointer dereference in nfs4_preprocess_stateid_op(). | ||
| 11 | |||
| 12 | CVE: CVE-2018-16871 | ||
| 13 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=7291d95a97fc89044301b197c760555e894e82c7] | ||
| 14 | |||
| 15 | Signed-off-by: Scott Mayhew <smayhew@redhat.com> | ||
| 16 | Cc: stable@vger.kernel.org | ||
| 17 | Signed-off-by: J. Bruce Fields <bfields@redhat.com> | ||
| 18 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 19 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 20 | --- | ||
| 21 | fs/nfsd/nfs4proc.c | 3 +++ | ||
| 22 | 1 file changed, 3 insertions(+) | ||
| 23 | |||
| 24 | diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c | ||
| 25 | index e9495516527d..66985a6a7047 100644 | ||
| 26 | --- a/fs/nfsd/nfs4proc.c | ||
| 27 | +++ b/fs/nfsd/nfs4proc.c | ||
| 28 | @@ -1016,6 +1016,9 @@ nfsd4_verify_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, | ||
| 29 | { | ||
| 30 | __be32 status; | ||
| 31 | |||
| 32 | + if (!cstate->save_fh.fh_dentry) | ||
| 33 | + return nfserr_nofilehandle; | ||
| 34 | + | ||
| 35 | status = nfs4_preprocess_stateid_op(rqstp, cstate, &cstate->save_fh, | ||
| 36 | src_stateid, RD_STATE, src, NULL); | ||
| 37 | if (status) { | ||
| 38 | -- | ||
| 39 | 2.20.1 | ||
| 40 | |||