From 06c18f7408509b7a9a39081260fb6c742af1e2c9 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Wed, 19 Sep 2018 12:33:47 +0200
Subject: linux-intel-rt: Fix for CVE-2018-12233

References: https://github.com/nluedtke/linux_kernel_cves/blob/master/4.14/4.14_security.txt https://nvd.nist.gov/vuln/detail/CVE-2018-12233
Change-Id: If1a42846078f3a88bebe75176cb0423d625821cd
Signed-off-by: Sona Sarmadi
---
 recipes-kernel/linux/linux-intel-rt_4.14.bbappend | 1 +
 .../linux/linux-intel/CVE-2018-12233.patch | 52 ++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-intel/CVE-2018-12233.patch

diff --git a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
index 84ba58a..5578c7b 100644
--- a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
+++ b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
@@ -7,6 +7,7 @@ SRCREV_metaenea = "7f34b40b0ba594d85ee8ccdf327d2a06f7ceaad4"
 KENEABRANCH = "intel-4.14"
 SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \
 file://CVE-2018-14734.patch \
+ file://CVE-2018-12233.patch \
 "

 # Debug tools support
diff --git a/recipes-kernel/linux/linux-intel/CVE-2018-12233.patch b/recipes-kernel/linux/linux-intel/CVE-2018-12233.patch
new file mode 100644
index 0000000..d7b6fb8
--- /dev/null
+++ b/recipes-kernel/linux/linux-intel/CVE-2018-12233.patch
@@ -0,0 +1,52 @@
+From 7d29fb53439c8c91874550cc078eda6db8feafe7 Mon Sep 17 00:00:00 2001
+From: Shankara Pailoor
+Date: Tue, 5 Jun 2018 08:33:27 -0500
+Subject: [PATCH] jfs: Fix inconsistency between memory allocation and
+ ea_buf->max_size
+
+commit 92d34134193e5b129dc24f8d79cb9196626e8d7a upstream.
+
+The code is assuming the buffer is max_size length, but we weren't
+allocating enough space for it.
+
+CVE: CVE-2018-12233
+Upstream-Status: Backport
+
+Signed-off-by: Shankara Pailoor
+Signed-off-by: Dave Kleikamp
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ fs/jfs/xattr.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
+index c60f3d3..a679798 100644
+--- a/fs/jfs/xattr.c
++++ b/fs/jfs/xattr.c
+@@ -491,15 +491,17 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size)
+ if (size > PSIZE) {
+ /*
+ * To keep the rest of the code simple. Allocate a
+- * contiguous buffer to work with
++ * contiguous buffer to work with. Make the buffer large
++ * enough to make use of the whole extent.
+ */
+- ea_buf->xattr = kmalloc(size, GFP_KERNEL);
++ ea_buf->max_size = (size + sb->s_blocksize - 1) &
++ ~(sb->s_blocksize - 1);
++
++ ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL);
+ if (ea_buf->xattr == NULL)
+ return -ENOMEM;
+
+ ea_buf->flag = EA_MALLOC;
+- ea_buf->max_size = (size + sb->s_blocksize - 1) &
+- ~(sb->s_blocksize - 1);
+
+ if (ea_size == 0)
+ return 0;
+--
+1.9.1
+
-- cgit v1.2.3-54-g00ecf
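Review bot: On the allocation-failure path of the embedded fs/jfs/xattr.c hunk, `ea_buf->max_size` is now assigned before the `kmalloc()` result is checked, so `return -ENOMEM` leaves the descriptor with a non-zero size and a NULL `ea_buf->xattr`, whereas the old ordering left the field untouched on failure. Whether any caller reads `ea_buf` after a negative return cannot be seen here, because `ea_get()` starts and ends outside the hunk; that should be confirmed against its callers. Since this is a backport of upstream commit 92d34134193e5b129dc24f8d79cb9196626e8d7a, I would keep the code identical to upstream and record the ordering requirement in the existing comment instead, for example `* max_size is set before kmalloc() so the allocation always matches the size later code assumes.` The rounding expression is also evaluated in whatever type `size` has (declared outside the hunk, presumably `int` like `min_size`), so it is worth checking that `size` is bounded before it reaches this branch.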