From a8c6ff94fd3905f1a35a189b510aac1bfddc883a Mon Sep 17 00:00:00 2001
From: Andreas Wellving
Date: Fri, 26 Oct 2018 13:33:46 +0200
Subject: perf/core: CVE-2017-18255 perf/core: Fix the perf_cpu_time_max_percent check

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=0f8a75e90963019cef486565f2b088bb570a7ddb
Change-Id: I1131173ce5a1cf3fec8333a9631cac713f839621
Signed-off-by: Andreas Wellving
---
 patches/cve/4.9.x.scc | 3 ++
 ...e-Fix-the-perf_cpu_time_max_percent-check.patch | 53 ++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 patches/cve/CVE-2017-18255-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 491ffe4..e4346d5 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -9,3 +9,6 @@ SRC_URI += "file://CVE-2018-1108-random-fix-crng_ready-test.patch"

 #CVEs fixed in 4.9.98:
 SRC_URI += "file://CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch"
+
+#CVEs fixed in 4.9.99:
+SRC_URI += "file://CVE-2017-18255-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch"
diff --git a/patches/cve/CVE-2017-18255-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch b/patches/cve/CVE-2017-18255-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch
new file mode 100644
index 0000000..b7e14e2
--- /dev/null
+++ b/patches/cve/CVE-2017-18255-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch
@@ -0,0 +1,53 @@
+From 0f8a75e90963019cef486565f2b088bb570a7ddb Mon Sep 17 00:00:00 2001
+From: Tan Xiaojun
+Date: Thu, 23 Feb 2017 14:04:39 +0800
+Subject: [PATCH] perf/core: Fix the perf_cpu_time_max_percent check
+
+commit 1572e45a924f254d9570093abde46430c3172e3d upstream.
+
+Use "proc_dointvec_minmax" instead of "proc_dointvec" to check the input
+value from user-space.
+
+If not, we can set a big value and some vars will overflow like
+"sysctl_perf_event_sample_rate" which will cause a lot of unexpected
+problems.
+
+CVE: CVE-2017-18255
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=0f8a75e90963019cef486565f2b088bb570a7ddb]
+
+Signed-off-by: Tan Xiaojun
+Signed-off-by: Peter Zijlstra (Intel)
+Cc:
+Cc:
+Cc: Alexander Shishkin
+Cc: Arnaldo Carvalho de Melo
+Cc: Jiri Olsa
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Thomas Gleixner
+Cc: Vince Weaver
+Link: http://lkml.kernel.org/r/1487829879-56237-1-git-send-email-tanxiaojun@huawei.com
+Signed-off-by: Ingo Molnar
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Andreas Wellving
+---
+ kernel/events/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index b1d6b9888fba..cbc51826cb94 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -453,7 +453,7 @@ int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp,
+ loff_t *ppos)
+ {
+- int ret = proc_dointvec(table, write, buffer, lenp, ppos);
++ int ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+
+ if (ret || !write)
+ return ret;
+
+
-- cgit v1.2.3-54-g00ecf
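Review bot: The range check this backport relies on is not visible at the call site in `perf_cpu_time_max_percent_handler`: `proc_dointvec_minmax` only rejects a write when the sysctl's `ctl_table` entry provides `extra1`/`extra2`, and with those unset it accepts the same values `proc_dointvec` did. That table entry is outside this patch, so the fix for CVE-2017-18255 should be confirmed against the 4.9.x tree this recipe builds, checking that the entry for this handler carries both a minimum and a maximum. A comment above the changed line would keep the dependency visible, e.g. `/* bounds are taken from table->extra1/extra2; the sysctl entry must set both */`. The handler body continues past the end of the embedded hunk, so how the accepted value is used afterwards cannot be checked from here.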