linux-intel-rt: Fix for CVE-2018-12233

References: https://github.com/nluedtke/linux_kernel_cves/blob/master/4.14/4.14_security.txt https://nvd.nist.gov/vuln/detail/CVE-2018-12233 Change-Id: If1a42846078f3a88bebe75176cb0423d625821cd Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2018-09-19 12:33:47 +0200
committer: Martin Borg <martin.borg@enea.com> 2018-09-21 14:36:48 +0200
commit: 06c18f7408509b7a9a39081260fb6c742af1e2c9 (patch)
tree: e31a06ffc0e7cab031eb42916ccefd5d9956a2fb
parent: c89dc0a3e18de5a9f76fb04c3b2a6877e71036fb (diff)
download: meta-enea-bsp-x86-06c18f7408509b7a9a39081260fb6c742af1e2c9.tar.gz
2 files changed, 53 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
index 84ba58a..5578c7b 100644
--- a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
+++ b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
@@ -7,6 +7,7 @@ SRCREV_metaenea = "7f34b40b0ba594d85ee8ccdf327d2a06f7ceaad4"
 KENEABRANCH = "intel-4.14"
 SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \
                   file://CVE-2018-14734.patch \
+                   file://CVE-2018-12233.patch \
                 "
 # Debug tools support
diff --git a/recipes-kernel/linux/linux-intel/CVE-2018-12233.patch b/recipes-kernel/linux/linux-intel/CVE-2018-12233.patch
new file mode 100644
index 0000000..d7b6fb8
--- /dev/null
+++ b/recipes-kernel/linux/linux-intel/CVE-2018-12233.patch
@@ -0,0 +1,52 @@
+From 7d29fb53439c8c91874550cc078eda6db8feafe7 Mon Sep 17 00:00:00 2001
+From: Shankara Pailoor <shankarapailoor@gmail.com>
+Date: Tue, 5 Jun 2018 08:33:27 -0500
+Subject: [PATCH] jfs: Fix inconsistency between memory allocation and
+ ea_buf->max_size
+commit 92d34134193e5b129dc24f8d79cb9196626e8d7a upstream.
+The code is assuming the buffer is max_size length, but we weren't
+allocating enough space for it.
+CVE: CVE-2018-12233
+Upstream-Status: Backport
+Signed-off-by: Shankara Pailoor <shankarapailoor@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/jfs/xattr.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
+index c60f3d3..a679798 100644
+--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
+@@ -491,15 +491,17 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size)
+        if (size > PSIZE) {
+                /*
+                 * To keep the rest of the code simple.  Allocate a
+-                * contiguous buffer to work with
+                * contiguous buffer to work with. Make the buffer large
+                * enough to make use of the whole extent.
+                 */
+-               ea_buf->xattr = kmalloc(size, GFP_KERNEL);
+               ea_buf->max_size = (size + sb->s_blocksize - 1) &
+                   ~(sb->s_blocksize - 1);
+
+               ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL);
+                if (ea_buf->xattr == NULL)
+                        return -ENOMEM;
+ 
+                ea_buf->flag = EA_MALLOC;
+-               ea_buf->max_size = (size + sb->s_blocksize - 1) &
+-                   ~(sb->s_blocksize - 1);
+ 
+                if (ea_size == 0)
+                        return 0;
+-- 
+1.9.1
author	Sona Sarmadi <sona.sarmadi@enea.com>	2018-09-19 12:33:47 +0200
committer	Martin Borg <martin.borg@enea.com>	2018-09-21 14:36:48 +0200
commit	06c18f7408509b7a9a39081260fb6c742af1e2c9 (patch)
tree	e31a06ffc0e7cab031eb42916ccefd5d9956a2fb
parent	c89dc0a3e18de5a9f76fb04c3b2a6877e71036fb (diff)
download	meta-enea-bsp-x86-06c18f7408509b7a9a39081260fb6c742af1e2c9.tar.gz

diff --git a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend index 84ba58a..5578c7b 100644 --- a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend +++ b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
@@ -7,6 +7,7 @@ SRCREV_metaenea = "7f34b40b0ba594d85ee8ccdf327d2a06f7ceaad4"
7	KENEABRANCH = "intel-4.14"	7	KENEABRANCH = "intel-4.14"
8	SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \	8	SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \
9	file://CVE-2018-14734.patch \	9	file://CVE-2018-14734.patch \
		10	file://CVE-2018-12233.patch \
10	"	11	"
11		12
12	# Debug tools support	13	# Debug tools support


diff --git a/recipes-kernel/linux/linux-intel/CVE-2018-12233.patch b/recipes-kernel/linux/linux-intel/CVE-2018-12233.patch new file mode 100644 index 0000000..d7b6fb8 --- /dev/null +++ b/recipes-kernel/linux/linux-intel/CVE-2018-12233.patch
@@ -0,0 +1,52 @@
		1	From 7d29fb53439c8c91874550cc078eda6db8feafe7 Mon Sep 17 00:00:00 2001
		2	From: Shankara Pailoor <shankarapailoor@gmail.com>
		3	Date: Tue, 5 Jun 2018 08:33:27 -0500
		4	Subject: [PATCH] jfs: Fix inconsistency between memory allocation and
		5	ea_buf->max_size
		6
		7	commit 92d34134193e5b129dc24f8d79cb9196626e8d7a upstream.
		8
		9	The code is assuming the buffer is max_size length, but we weren't
		10	allocating enough space for it.
		11
		12	CVE: CVE-2018-12233
		13	Upstream-Status: Backport
		14
		15	Signed-off-by: Shankara Pailoor <shankarapailoor@gmail.com>
		16	Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
		17	Cc: Guenter Roeck <linux@roeck-us.net>
		18	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		19	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		20	---
		21	fs/jfs/xattr.c \| 10 ++++++----
		22	1 file changed, 6 insertions(+), 4 deletions(-)
		23
		24	diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
		25	index c60f3d3..a679798 100644
		26	--- a/fs/jfs/xattr.c
		27	+++ b/fs/jfs/xattr.c
		28	@@ -491,15 +491,17 @@ static int ea_get(struct inode inode, struct ea_buffer ea_buf, int min_size)
		29	if (size > PSIZE) {
		30	/*
		31	* To keep the rest of the code simple. Allocate a
		32	- * contiguous buffer to work with
		33	+ * contiguous buffer to work with. Make the buffer large
		34	+ * enough to make use of the whole extent.
		35	*/
		36	- ea_buf->xattr = kmalloc(size, GFP_KERNEL);
		37	+ ea_buf->max_size = (size + sb->s_blocksize - 1) &
		38	+ ~(sb->s_blocksize - 1);
		39	+
		40	+ ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL);
		41	if (ea_buf->xattr == NULL)
		42	return -ENOMEM;
		43
		44	ea_buf->flag = EA_MALLOC;
		45	- ea_buf->max_size = (size + sb->s_blocksize - 1) &
		46	- ~(sb->s_blocksize - 1);
		47
		48	if (ea_size == 0)
		49	return 0;
		50	--
		51	1.9.1
		52