diff options
author | Andreas Wellving <andreas.wellving@enea.com> | 2019-05-22 12:55:25 +0200 |
---|---|---|
committer | Adrian Mangeac <Adrian.Mangeac@enea.com> | 2019-05-22 13:23:56 +0200 |
commit | 8380ffa362572e5fa6c29fdcf9127f2bf3f48293 (patch) | |
tree | c59801accb4fecad215a798db0366c2243ee6c77 | |
parent | 7109a2536c95d4c3a438b22e8d176859f76e6d25 (diff) | |
download | enea-kernel-cache-8380ffa362572e5fa6c29fdcf9127f2bf3f48293.tar.gz |
exec: CVE-2019-8980
exec: Fix mem leak in kernel_read_file
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2019-8980
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=069fb92ea221c72bd75f4863b3540420082f32ba
Change-Id: Ic081cd5983de721ccf1b3e982edb1d6f819b8cbb
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/patches/cve/CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch b/patches/cve/CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch new file mode 100644 index 0000000..f5bcc67 --- /dev/null +++ b/patches/cve/CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | From 069fb92ea221c72bd75f4863b3540420082f32ba Mon Sep 17 00:00:00 2001 | ||
2 | From: YueHaibing <yuehaibing@huawei.com> | ||
3 | Date: Tue, 19 Feb 2019 10:10:38 +0800 | ||
4 | Subject: [PATCH] exec: Fix mem leak in kernel_read_file | ||
5 | |||
6 | commit f612acfae86af7ecad754ae6a46019be9da05b8e upstream. | ||
7 | |||
8 | syzkaller report this: | ||
9 | BUG: memory leak | ||
10 | unreferenced object 0xffffc9000488d000 (size 9195520): | ||
11 | comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s) | ||
12 | hex dump (first 32 bytes): | ||
13 | ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00 ................ | ||
14 | 02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff ..........z..... | ||
15 | backtrace: | ||
16 | [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline] | ||
17 | [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline] | ||
18 | [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831 | ||
19 | [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924 | ||
20 | [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993 | ||
21 | [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895 | ||
22 | [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 | ||
23 | [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe | ||
24 | [<00000000241f889b>] 0xffffffffffffffff | ||
25 | |||
26 | It should goto 'out_free' lable to free allocated buf while kernel_read | ||
27 | fails. | ||
28 | |||
29 | CVE: CVE-2019-8980 | ||
30 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=069fb92ea221c72bd75f4863b3540420082f32ba] | ||
31 | |||
32 | Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory") | ||
33 | Signed-off-by: YueHaibing <yuehaibing@huawei.com> | ||
34 | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> | ||
35 | Cc: Thibaut Sautereau <thibaut@sautereau.fr> | ||
36 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
37 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
38 | --- | ||
39 | fs/exec.c | 2 +- | ||
40 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
41 | |||
42 | diff --git a/fs/exec.c b/fs/exec.c | ||
43 | index 0da4d748b4e6..0936b5a8199a 100644 | ||
44 | --- a/fs/exec.c | ||
45 | +++ b/fs/exec.c | ||
46 | @@ -925,7 +925,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size, | ||
47 | bytes = kernel_read(file, *buf + pos, i_size - pos, &pos); | ||
48 | if (bytes < 0) { | ||
49 | ret = bytes; | ||
50 | - goto out; | ||
51 | + goto out_free; | ||
52 | } | ||
53 | |||
54 | if (bytes == 0) | ||
55 | -- | ||
56 | 2.20.1 | ||
57 | |||