linux-intel-rt: Fix for CVE-2018-13094

References:
https://github.com/nluedtke/linux_kernel_cves/blob/master/4.14/4.14_security.txt
https://nvd.nist.gov/vuln/detail/CVE-2018-13094

Change-Id: I781b5d3fad200e20d791e08f48737945ee2d4838
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>

2 files changed, 52 insertions, 0 deletions

diff --git a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
index 67e9661..53ed430 100644
--- a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
+++ b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
@@ -9,6 +9,7 @@ SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=s
                    file://CVE-2018-14734.patch \
                    file://CVE-2018-12233.patch \
                    file://CVE-2018-13093.patch \
+                   file://CVE-2018-13094.patch \
                  "
 
 # Debug tools support
diff --git a/recipes-kernel/linux/linux-intel/CVE-2018-13094.patch b/recipes-kernel/linux/linux-intel/CVE-2018-13094.patch
new file mode 100644
index 0000000..b42ac8f
--- /dev/null
+++ b/recipes-kernel/linux/linux-intel/CVE-2018-13094.patch
@@ -0,0 +1,51 @@
+From 59f35b983e8aeb98188c6ef93f8eabc594f8f953 Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@sandeen.net>
+Date: Fri, 8 Jun 2018 09:53:49 -0700
+Subject: [PATCH] xfs: don't call xfs_da_shrink_inode with NULL bp
+
+commit bb3d48dcf86a97dc25fe9fc2c11938e19cb4399a upstream.
+
+xfs_attr3_leaf_create may have errored out before instantiating a buffer,
+for example if the blkno is out of range.  In that case there is no work
+to do to remove it, and in fact xfs_da_shrink_inode will lead to an oops
+if we try.
+
+This also seems to fix a flaw where the original error from
+xfs_attr3_leaf_create gets overwritten in the cleanup case, and it
+removes a pointless assignment to bp which isn't used after this.
+
+CVE: CVE-2018-13094
+Upstream-Status: Backport
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199969
+Reported-by: Xu, Wen <wen.xu@gatech.edu>
+Tested-by: Xu, Wen <wen.xu@gatech.edu>
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Cc: Eduardo Valentin <eduval@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/xfs/libxfs/xfs_attr_leaf.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
+index 5c16db8..40e53a4 100644
+--- a/fs/xfs/libxfs/xfs_attr_leaf.c
++++ b/fs/xfs/libxfs/xfs_attr_leaf.c
+@@ -785,9 +785,8 @@ STATIC void xfs_attr3_leaf_moveents(struct xfs_da_args *args,
+        ASSERT(blkno == 0);
+        error = xfs_attr3_leaf_create(args, blkno, &bp);
+        if (error) {
+-               error = xfs_da_shrink_inode(args, 0, bp);
+-               bp = NULL;
+-               if (error)
++               /* xfs_attr3_leaf_create may not have instantiated a block */
++               if (bp && (xfs_da_shrink_inode(args, 0, bp) != 0))
+                        goto out;
+                xfs_idata_realloc(dp, size, XFS_ATTR_FORK);     /* try to put */
+                memcpy(ifp->if_u1.if_data, tmpbuffer, size);    /* it back */
+-- 
+1.9.1
+