From e862c3d668979a42caacee10847b39b5827a20fb Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Thu, 20 Sep 2018 08:19:21 +0200
Subject: linux-intel-rt: Fix for CVE-2018-13094
References: https://github.com/nluedtke/linux_kernel_cves/blob/master/4.14/4.14_security.txt https://nvd.nist.gov/vuln/detail/CVE-2018-13094
Change-Id: I781b5d3fad200e20d791e08f48737945ee2d4838
Signed-off-by: Sona Sarmadi
---
 recipes-kernel/linux/linux-intel-rt_4.14.bbappend | 1 +
 .../linux/linux-intel/CVE-2018-13094.patch | 51 ++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-intel/CVE-2018-13094.patch
diff --git a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
index 67e9661..53ed430 100644
--- a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
+++ b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
@@ -9,6 +9,7 @@ SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=s
 file://CVE-2018-14734.patch \
 file://CVE-2018-12233.patch \
 file://CVE-2018-13093.patch \
+ file://CVE-2018-13094.patch \
 "
 # Debug tools support
diff --git a/recipes-kernel/linux/linux-intel/CVE-2018-13094.patch b/recipes-kernel/linux/linux-intel/CVE-2018-13094.patch
new file mode 100644
index 0000000..b42ac8f
--- /dev/null
+++ b/recipes-kernel/linux/linux-intel/CVE-2018-13094.patch
@@ -0,0 +1,51 @@
+From 59f35b983e8aeb98188c6ef93f8eabc594f8f953 Mon Sep 17 00:00:00 2001
+From: Eric Sandeen
+Date: Fri, 8 Jun 2018 09:53:49 -0700
+Subject: [PATCH] xfs: don't call xfs_da_shrink_inode with NULL bp
+
+commit bb3d48dcf86a97dc25fe9fc2c11938e19cb4399a upstream.
+
+xfs_attr3_leaf_create may have errored out before instantiating a buffer,
+for example if the blkno is out of range. In that case there is no work
+to do to remove it, and in fact xfs_da_shrink_inode will lead to an oops
+if we try.
+
+This also seems to fix a flaw where the original error from
+xfs_attr3_leaf_create gets overwritten in the cleanup case, and it
+removes a pointless assignment to bp which isn't used after this.
+
+CVE: CVE-2018-13094
+Upstream-Status: Backport
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199969
+Reported-by: Xu, Wen
+Tested-by: Xu, Wen
+Signed-off-by: Eric Sandeen
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Cc: Eduardo Valentin
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ fs/xfs/libxfs/xfs_attr_leaf.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
+index 5c16db8..40e53a4 100644
+--- a/fs/xfs/libxfs/xfs_attr_leaf.c
++++ b/fs/xfs/libxfs/xfs_attr_leaf.c
+@@ -785,9 +785,8 @@ STATIC void xfs_attr3_leaf_moveents(struct xfs_da_args *args,
+ ASSERT(blkno == 0);
+ error = xfs_attr3_leaf_create(args, blkno, &bp);
+ if (error) {
+- error = xfs_da_shrink_inode(args, 0, bp);
+- bp = NULL;
+- if (error)
++ /* xfs_attr3_leaf_create may not have instantiated a block */
++ if (bp && (xfs_da_shrink_inode(args, 0, bp) != 0))
+ goto out;
+ xfs_idata_realloc(dp, size, XFS_ATTR_FORK); /* try to put */
+ memcpy(ifp->if_u1.if_data, tmpbuffer, size); /* it back */
+--
+1.9.1
+
-- cgit v1.2.3-54-g00ecf
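Review bot: The NULL guard added in the `if (error)` branch of the embedded kernel patch depends on `bp` holding NULL whenever `xfs_attr3_leaf_create(args, blkno, &bp)` fails before it creates a buffer, and nothing in the hunk shows `bp` being initialised. The enclosing function begins and ends outside the hunk, so check in the linux-intel-rt 4.14 tree that `bp` is NULL on entry to that call; otherwise `if (bp && ...)` can still hand an unset pointer to `xfs_da_shrink_inode`. The embedded patch carries offsets from the tree it was taken from (`@@ -785,9 +785,8 @@`, `index 5c16db8..40e53a4`), so confirm in the do_patch log that it applies to this kernel without fuzz or offset. The provenance header would be easier to audit with the upstream id from the message body attached, e.g. `Upstream-Status: Backport [bb3d48dcf86a97dc25fe9fc2c11938e19cb4399a]`. The first hunk adds the `file://CVE-2018-13094.patch` entry to `linux-intel-rt_4.14.bbappend` only; if another recipe shares the `linux-intel/` patch directory, it presumably needs the same entry.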