From 75d339a54995a57e8572be3476f2de7780974ebd Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Fri, 12 Oct 2018 07:50:48 +0200 Subject: jfs: CVE-2018-12233 jfs: Fix inconsistency between memory allocation and ea_buf->max_size References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=240d46556d5961c7100febbee0e058185b3c8d4f Change-Id: Ie129f598ccf05e085624c80fe7d451b46af485d2 Signed-off-by: Andreas Wellving --- patches/cve/4.9.x.scc | 3 ++ ...onsistency-between-memory-allocation-and-.patch | 48 ++++++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 patches/cve/CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index fb8cc06..7283a43 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc @@ -1,2 +1,5 @@ #CVEs fixed in 4.9.117: patch CVE-2018-14734-infiniband-fix-a-possible-use-after-free-bug.patch + +#CVEs fixed in 4.9.119: +patch CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch diff --git a/patches/cve/CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch b/patches/cve/CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch new file mode 100644 index 0000000..b5c7971 --- /dev/null +++ b/patches/cve/CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch 
@@ -0,0 +1,48 @@ +From 92d34134193e5b129dc24f8d79cb9196626e8d7a Mon Sep 17 00:00:00 2001 +From: Shankara Pailoor +Date: Tue, 5 Jun 2018 08:33:27 -0500 +Subject: [PATCH] jfs: Fix inconsistency between memory allocation and + ea_buf->max_size + +The code is assuming the buffer is max_size length, but we weren't +allocating enough space for it. + +CVE: CVE-2018-12233 +Upstream-Status: Backport + +Signed-off-by: Shankara Pailoor +Signed-off-by: Dave Kleikamp +Signed-off-by: Andreas Wellving +--- + fs/jfs/xattr.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c +index c60f3d3..a679798 100644 +--- a/fs/jfs/xattr.c ++++ b/fs/jfs/xattr.c +@@ -491,15 +491,17 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size) + if (size > PSIZE) { + /* + * To keep the rest of the code simple. Allocate a +- * contiguous buffer to work with ++ * contiguous buffer to work with. Make the buffer large ++ * enough to make use of the whole extent. + */ +- ea_buf->xattr = kmalloc(size, GFP_KERNEL); ++ ea_buf->max_size = (size + sb->s_blocksize - 1) & ++ ~(sb->s_blocksize - 1); ++ ++ ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL); + if (ea_buf->xattr == NULL) + return -ENOMEM; + + ea_buf->flag = EA_MALLOC; +- ea_buf->max_size = (size + sb->s_blocksize - 1) & +- ~(sb->s_blocksize - 1); + + if (ea_size == 0) + return 0; +-- +2.7.4 + -- cgit v1.2.3-54-g00ecf
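Review bot: In the 4.9.x.scc hunk, the new "#CVEs fixed in 4.9.119:" section ties the entry to a stable point release, but the only pointer to the upstream stable commit (240d46556d5961c7100febbee0e058185b3c8d4f on linux-4.9.y) lives in this wrapper commit's References line, not in the .patch file being added; the patch header says only "Upstream-Status: Backport". Consider adding the stable commit id or URL to the patch header itself so the file remains traceable when it is carried forward to another branch without this commit message.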
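Review bot: In the fs/jfs/xattr.c hunk, the fix is correct in substance: max_size is now computed (rounded up to a multiple of sb->s_blocksize, so always >= size) before the allocation and passed to kmalloc, so the buffer length matches what the rest of ea_get assumes, which is the mismatch the CVE describes. Two small points. First, the round-up expression `(size + sb->s_blocksize - 1) & ~(sb->s_blocksize - 1)` is only valid for a power-of-two block size, which holds for JFS but is worth a comment since the expression is now the allocation size rather than a bookkeeping value. Second, deleting the old two-line max_size assignment after `ea_buf->flag = EA_MALLOC;` leaves two consecutive blank lines before `if (ea_size == 0)`; since this is a verbatim backport the blank line should stay as upstream has it, but it is a style nit worth noting if the patch is ever rebased.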