From 8c226b6462bfbecd88caa83bf13cef888584628a Mon Sep 17 00:00:00 2001
From: Adrian Stratulat
Date: Tue, 28 May 2019 11:42:57 +0200
Subject: linux-qoriq: CVE-2019-9213
References: https://nvd.nist.gov/vuln/detail/CVE-2019-9213 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a1d52994d440e21def1c2174932410b4f2a98a1
Change-Id: I7e7c96ccfc698f229b195692ecf804c89a27e933
Signed-off-by: Adrian Stratulat
---
 patches/cve/4.14.x.scc | 2 ++
 patches/cve/CVE-2019-9213.patch | 46 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 patches/cve/CVE-2019-9213.patch
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc
index b41503c..8280a4c 100644
--- a/patches/cve/4.14.x.scc
+++ b/patches/cve/4.14.x.scc
@@ -1 +1,3 @@
 patch CVE-2019-8980.patch
+
+patch CVE-2019-9213.patch
diff --git a/patches/cve/CVE-2019-9213.patch b/patches/cve/CVE-2019-9213.patch
new file mode 100644
index 0000000..3b1d5d9
--- /dev/null
+++ b/patches/cve/CVE-2019-9213.patch
@@ -0,0 +1,46 @@
+From 0a1d52994d440e21def1c2174932410b4f2a98a1 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Wed, 27 Feb 2019 21:29:52 +0100
+Subject: mm: enforce min addr even if capable() in expand_downwards()
+
+security_mmap_addr() does a capability check with current_cred(), but
+we can reach this code from contexts like a VFS write handler where
+current_cred() must not be used.
+
+This can be abused on systems without SMAP to make NULL pointer
+dereferences exploitable again.
+
+Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses")
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn
+Signed-off-by: Linus Torvalds
+Signed-off-by: Adrian Stratulat
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a1d52994d440e21def1c2174932410b4f2a98a1]
+CVE: CVE-2019-9213
+---
+ mm/mmap.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index f901065c4c64..fc1809b1bed6 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2426,12 +2426,11 @@ int expand_downwards(struct vm_area_struct *vma,
+ {
+ struct mm_struct *mm = vma->vm_mm;
+ struct vm_area_struct *prev;
+- int error;
++ int error = 0;
+
+ address &= PAGE_MASK;
+- error = security_mmap_addr(address);
+- if (error)
+- return error;
++ if (address < mmap_min_addr)
++ return -EPERM;
+
+ /* Enforce stack_guard_gap */
+ prev = vma->vm_prev;
+--
+cgit 1.2-0.3.lf.el7
+
--
cgit v1.2.3-54-g00ecf
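Review bot: The new guard in expand_downwards(), `if (address < mmap_min_addr) return -EPERM;`, only protects low addresses when `mmap_min_addr` is non-zero, and this commit does not show what the linux-qoriq 4.14.x configuration sets it to. I would confirm that `CONFIG_DEFAULT_MMAP_MIN_ADDR` is non-zero in the target defconfigs and that `vm.mmap_min_addr` is not lowered at boot, and record that in the backport header, since the upstream message ties the exposure to systems without SMAP. Because the check deliberately bypasses `security_mmap_addr()`, a short comment above it such as `/* no capable() check: reachable from contexts where current_cred() must not be used */` would make the intent clear to whoever next touches the function, at the cost of diverging from upstream. The body of expand_downwards() continues outside the hunk, so the later uses of `error` after `int error = 0;` cannot be checked from this page.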