exec: CVE-2019-8980

exec: Fix mem leak in kernel_read_file References: https://nvd.nist.gov/vuln/detail/CVE-2019-8980 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=dd6734e17903f16a47c78d0418f02e06df080c54 Change-Id: I13a751280f4ffe8391871a8ba25f0f266eb36b13 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-07-10 10:00:10 +0200
committer: Adrian Stratulat <adrian.stratulat@enea.com> 2019-07-12 14:05:20 +0200
commit: 7f8ead2e22d6a65e5832b19d93771b5801bd0736 (patch)
tree: 13b2e82ebddfa596d6a7fc2a29c66ac9ca873225
parent: 41f8ec53f2fcbb9cb476e355ed61d67cd77a03e4 (diff)
download: enea-kernel-cache-7f8ead2e22d6a65e5832b19d93771b5801bd0736.tar.gz
2 files changed, 60 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 99eb8ce..3869cf7 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -34,3 +34,6 @@ patch CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch
 #CVEs fixed in 4.9.162:
 patch CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
+#CVEs fixed in 4.9.163:
+patch CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch
diff --git a/patches/cve/CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch b/patches/cve/CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch
new file mode 100644
index 0000000..8b3700b
--- /dev/null
+++ b/patches/cve/CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch
@@ -0,0 +1,57 @@
+From dd6734e17903f16a47c78d0418f02e06df080c54 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 19 Feb 2019 10:10:38 +0800
+Subject: [PATCH] exec: Fix mem leak in kernel_read_file
+commit f612acfae86af7ecad754ae6a46019be9da05b8e upstream.
+syzkaller report this:
+BUG: memory leak
+unreferenced object 0xffffc9000488d000 (size 9195520):
+  comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
+  hex dump (first 32 bytes):
+    ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00  ................
+    02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff  ..........z.....
+  backtrace:
+    [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
+    [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
+    [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
+    [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
+    [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
+    [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
+    [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+    [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+    [<00000000241f889b>] 0xffffffffffffffff
+It should goto 'out_free' lable to free allocated buf while kernel_read
+fails.
+CVE: CVE-2019-8980
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=dd6734e17903f16a47c78d0418f02e06df080c54]
+Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Thibaut Sautereau <thibaut@sautereau.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/fs/exec.c b/fs/exec.c
+index fcd8642ef2d2..81477116035d 100644
+--- a/fs/exec.c
+++ b/fs/exec.c
+@@ -938,7 +938,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
+                                    i_size - pos);
+                if (bytes < 0) {
+                        ret = bytes;
+-                       goto out;
+                       goto out_free;
+                }
+ 
+                if (bytes == 0)
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-07-10 10:00:10 +0200
committer	Adrian Stratulat <adrian.stratulat@enea.com>	2019-07-12 14:05:20 +0200
commit	7f8ead2e22d6a65e5832b19d93771b5801bd0736 (patch)
tree	13b2e82ebddfa596d6a7fc2a29c66ac9ca873225
parent	41f8ec53f2fcbb9cb476e355ed61d67cd77a03e4 (diff)
download	enea-kernel-cache-7f8ead2e22d6a65e5832b19d93771b5801bd0736.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 99eb8ce..3869cf7 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -34,3 +34,6 @@ patch CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch
34		34
35	#CVEs fixed in 4.9.162:	35	#CVEs fixed in 4.9.162:
36	patch CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch	36	patch CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
		37
		38	#CVEs fixed in 4.9.163:
		39	patch CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch


diff --git a/patches/cve/CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch b/patches/cve/CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch new file mode 100644 index 0000000..8b3700b --- /dev/null +++ b/patches/cve/CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch
@@ -0,0 +1,57 @@
		1	From dd6734e17903f16a47c78d0418f02e06df080c54 Mon Sep 17 00:00:00 2001
		2	From: YueHaibing <yuehaibing@huawei.com>
		3	Date: Tue, 19 Feb 2019 10:10:38 +0800
		4	Subject: [PATCH] exec: Fix mem leak in kernel_read_file
		5
		6	commit f612acfae86af7ecad754ae6a46019be9da05b8e upstream.
		7
		8	syzkaller report this:
		9	BUG: memory leak
		10	unreferenced object 0xffffc9000488d000 (size 9195520):
		11	comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
		12	hex dump (first 32 bytes):
		13	ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00 ................
		14	02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff ..........z.....
		15	backtrace:
		16	[<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
		17	[<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
		18	[<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
		19	[<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
		20	[<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
		21	[<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
		22	[<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
		23	[<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
		24	[<00000000241f889b>] 0xffffffffffffffff
		25
		26	It should goto 'out_free' lable to free allocated buf while kernel_read
		27	fails.
		28
		29	CVE: CVE-2019-8980
		30	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=dd6734e17903f16a47c78d0418f02e06df080c54]
		31
		32	Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory")
		33	Signed-off-by: YueHaibing <yuehaibing@huawei.com>
		34	Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
		35	Cc: Thibaut Sautereau <thibaut@sautereau.fr>
		36	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		37	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		38	---
		39	fs/exec.c \| 2 +-
		40	1 file changed, 1 insertion(+), 1 deletion(-)
		41
		42	diff --git a/fs/exec.c b/fs/exec.c
		43	index fcd8642ef2d2..81477116035d 100644
		44	--- a/fs/exec.c
		45	+++ b/fs/exec.c
		46	@@ -938,7 +938,7 @@ int kernel_read_file(struct file file, void buf, loff_t size,
		47	i_size - pos);
		48	if (bytes < 0) {
		49	ret = bytes;
		50	- goto out;
		51	+ goto out_free;
		52	}
		53
		54	if (bytes == 0)
		55	--
		56	2.20.1
		57