linux-qoriq: CVE-2019-9213

References: https://nvd.nist.gov/vuln/detail/CVE-2019-9213 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a1d52994d440e21def1c2174932410b4f2a98a1 Change-Id: I7e7c96ccfc698f229b195692ecf804c89a27e933 Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
author: Adrian Stratulat <adrian.stratulat@enea.com> 2019-05-28 11:42:57 +0200
committer: Adrian Stratulat <adrian.stratulat@enea.com> 2019-05-28 12:57:10 +0200
commit: 8c226b6462bfbecd88caa83bf13cef888584628a (patch)
tree: 92fcca1d7f64e93ec31d52f14fe0a2e1b5b85431
parent: 8f4dae8fb7ae74e4ae7087712cb44492e294e6b0 (diff)
download: enea-kernel-cache-8c226b6462bfbecd88caa83bf13cef888584628a.tar.gz
2 files changed, 48 insertions, 0 deletions
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc
index b41503c..8280a4c 100644
--- a/patches/cve/4.14.x.scc
+++ b/patches/cve/4.14.x.scc
@@ -1 +1,3 @@
 patch CVE-2019-8980.patch
+patch CVE-2019-9213.patch
diff --git a/patches/cve/CVE-2019-9213.patch b/patches/cve/CVE-2019-9213.patch
new file mode 100644
index 0000000..3b1d5d9
--- /dev/null
+++ b/patches/cve/CVE-2019-9213.patch
@@ -0,0 +1,46 @@
+From 0a1d52994d440e21def1c2174932410b4f2a98a1 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 27 Feb 2019 21:29:52 +0100
+Subject: mm: enforce min addr even if capable() in expand_downwards()
+security_mmap_addr() does a capability check with current_cred(), but
+we can reach this code from contexts like a VFS write handler where
+current_cred() must not be used.
+This can be abused on systems without SMAP to make NULL pointer
+dereferences exploitable again.
+Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses")
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a1d52994d440e21def1c2174932410b4f2a98a1]
+CVE: CVE-2019-9213
+---
+ mm/mmap.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+diff --git a/mm/mmap.c b/mm/mmap.c
+index f901065c4c64..fc1809b1bed6 100644
+--- a/mm/mmap.c
+++ b/mm/mmap.c
+@@ -2426,12 +2426,11 @@ int expand_downwards(struct vm_area_struct *vma,
+ {
+        struct mm_struct *mm = vma->vm_mm;
+        struct vm_area_struct *prev;
+-       int error;
+       int error = 0;
+ 
+        address &= PAGE_MASK;
+-       error = security_mmap_addr(address);
+-       if (error)
+-               return error;
+       if (address < mmap_min_addr)
+               return -EPERM;
+ 
+        /* Enforce stack_guard_gap */
+        prev = vma->vm_prev;
+-- 
+cgit 1.2-0.3.lf.el7
author	Adrian Stratulat <adrian.stratulat@enea.com>	2019-05-28 11:42:57 +0200
committer	Adrian Stratulat <adrian.stratulat@enea.com>	2019-05-28 12:57:10 +0200
commit	8c226b6462bfbecd88caa83bf13cef888584628a (patch)
tree	92fcca1d7f64e93ec31d52f14fe0a2e1b5b85431
parent	8f4dae8fb7ae74e4ae7087712cb44492e294e6b0 (diff)
download	enea-kernel-cache-8c226b6462bfbecd88caa83bf13cef888584628a.tar.gz

diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index b41503c..8280a4c 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc
@@ -1 +1,3 @@
1	patch CVE-2019-8980.patch	1	patch CVE-2019-8980.patch
		2
		3	patch CVE-2019-9213.patch


diff --git a/patches/cve/CVE-2019-9213.patch b/patches/cve/CVE-2019-9213.patch new file mode 100644 index 0000000..3b1d5d9 --- /dev/null +++ b/patches/cve/CVE-2019-9213.patch
@@ -0,0 +1,46 @@
		1	From 0a1d52994d440e21def1c2174932410b4f2a98a1 Mon Sep 17 00:00:00 2001
		2	From: Jann Horn <jannh@google.com>
		3	Date: Wed, 27 Feb 2019 21:29:52 +0100
		4	Subject: mm: enforce min addr even if capable() in expand_downwards()
		5
		6	security_mmap_addr() does a capability check with current_cred(), but
		7	we can reach this code from contexts like a VFS write handler where
		8	current_cred() must not be used.
		9
		10	This can be abused on systems without SMAP to make NULL pointer
		11	dereferences exploitable again.
		12
		13	Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses")
		14	Cc: stable@kernel.org
		15	Signed-off-by: Jann Horn <jannh@google.com>
		16	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
		17	Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
		18	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a1d52994d440e21def1c2174932410b4f2a98a1]
		19	CVE: CVE-2019-9213
		20	---
		21	mm/mmap.c \| 7 +++----
		22	1 file changed, 3 insertions(+), 4 deletions(-)
		23
		24	diff --git a/mm/mmap.c b/mm/mmap.c
		25	index f901065c4c64..fc1809b1bed6 100644
		26	--- a/mm/mmap.c
		27	+++ b/mm/mmap.c
		28	@@ -2426,12 +2426,11 @@ int expand_downwards(struct vm_area_struct *vma,
		29	{
		30	struct mm_struct *mm = vma->vm_mm;
		31	struct vm_area_struct *prev;
		32	- int error;
		33	+ int error = 0;
		34
		35	address &= PAGE_MASK;
		36	- error = security_mmap_addr(address);
		37	- if (error)
		38	- return error;
		39	+ if (address < mmap_min_addr)
		40	+ return -EPERM;
		41
		42	/* Enforce stack_guard_gap */
		43	prev = vma->vm_prev;
		44	--
		45	cgit 1.2-0.3.lf.el7
		46