From a21738f7a6d419e740040726cb68d3444d51fde7 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Fri, 21 Sep 2018 12:58:16 +0200 Subject: linux-intel: Fix for CVE-2018-14617 Fix for both linux-intel and linux-intel-rt. References: https://github.com/nluedtke/linux_kernel_cves/blob/master/4.14/4.14_security.txt https://nvd.nist.gov/vuln/detail/CVE-2018-14617 Change-Id: Ideb3fe257a127d10b4468c210516edf69a4603ca Signed-off-by: Sona Sarmadi --- recipes-kernel/linux/linux-intel-rt_4.14.bbappend | 1 + .../linux/linux-intel/CVE-2018-14617.patch | 64 ++++++++++++++++++++++ recipes-kernel/linux/linux-intel_4.14.bbappend | 1 + 3 files changed, 66 insertions(+) create mode 100644 recipes-kernel/linux/linux-intel/CVE-2018-14617.patch diff --git a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend index 6c4061f..b8abb45 100644 --- a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend +++ b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend @@ -14,6 +14,7 @@ SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=s file://CVE-2018-9363.patch \ file://CVE-2018-16658.patch \ file://CVE-2018-14609.patch \ + file://CVE-2018-14617.patch \ " # Debug tools support diff --git a/recipes-kernel/linux/linux-intel/CVE-2018-14617.patch b/recipes-kernel/linux/linux-intel/CVE-2018-14617.patch new file mode 100644 index 0000000..8801932 --- /dev/null +++ b/recipes-kernel/linux/linux-intel/CVE-2018-14617.patch @@ -0,0 +1,64 @@ +From 68e787c3c80059c776d1d7afb20f5eb9f20237a5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ernesto=20A=2E=20Fern=C3=A1ndez?= + +Date: Thu, 23 Aug 2018 17:00:25 -0700 +Subject: [PATCH] hfsplus: fix NULL dereference in hfsplus_lookup() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit a7ec7a4193a2eb3b5341243fc0b621c1ac9e4ec4 ] + +An HFS+ filesystem can be mounted read-only without having a metadata +directory, which is needed to support hardlinks. But if the catalog +data is corrupted, a directory lookup may still find dentries claiming +to be hardlinks. + +hfsplus_lookup() does check that ->hidden_dir is not NULL in such a +situation, but mistakenly does so after dereferencing it for the first +time. Reorder this check to prevent a crash. + +This happens when looking up corrupted catalog data (dentry) on a +filesystem with no metadata directory (this could only ever happen on a +read-only mount). Wen Xu sent the replication steps in detail to the +fsdevel list: https://bugzilla.kernel.org/show_bug.cgi?id=200297 + +CVE: CVE-2018-14617 +Upstream-Status: Backport + +Link: http://lkml.kernel.org/r/20180712215344.q44dyrhymm4ajkao@eaf +Signed-off-by: Ernesto A. Fernández +Reported-by: Wen Xu +Cc: Viacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sona Sarmadi +--- + fs/hfsplus/dir.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c +index e8120a2..1a44c46 100644 +--- a/fs/hfsplus/dir.c ++++ b/fs/hfsplus/dir.c +@@ -78,13 +78,13 @@ static struct dentry *hfsplus_lookup(struct inode *dir, struct dentry *dentry, + cpu_to_be32(HFSP_HARDLINK_TYPE) && + entry.file.user_info.fdCreator == + cpu_to_be32(HFSP_HFSPLUS_CREATOR) && ++ HFSPLUS_SB(sb)->hidden_dir && + (entry.file.create_date == + HFSPLUS_I(HFSPLUS_SB(sb)->hidden_dir)-> + create_date || + entry.file.create_date == + HFSPLUS_I(d_inode(sb->s_root))-> +- create_date) && +- HFSPLUS_SB(sb)->hidden_dir) { ++ create_date)) { + struct qstr str; + char name[32]; + +-- +1.9.1 + diff --git a/recipes-kernel/linux/linux-intel_4.14.bbappend b/recipes-kernel/linux/linux-intel_4.14.bbappend index 1fa63e0..efe54af 100644 --- a/recipes-kernel/linux/linux-intel_4.14.bbappend +++ b/recipes-kernel/linux/linux-intel_4.14.bbappend @@ -8,6 +8,7 @@ KENEABRANCH = "intel-4.14" SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \ file://CVE-2018-16658.patch \ file://CVE-2018-14609.patch \ + file://CVE-2018-14617.patch \ " KERNEL_FEATURES_append = " features/x2apic/x2apic.scc" -- cgit v1.2.3-54-g00ecf