perf/core: CVE-2017-18255

perf/core: Fix the perf_cpu_time_max_percent check Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=0f8a75e90963019cef486565f2b088bb570a7ddb Change-Id: I1131173ce5a1cf3fec8333a9631cac713f839621 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-26 13:33:46 +0200
committer: Andreas Wellving <andreas.wellving@enea.com> 2018-10-26 13:33:46 +0200
commit: a8c6ff94fd3905f1a35a189b510aac1bfddc883a (patch)
tree: b0d350314c0b8881af20651b05e6d72fd6bf7328 /patches
parent: 8675d0d71e339e0933de5aa1b354b74d8ce59d97 (diff)
download: enea-kernel-cache-a8c6ff94fd3905f1a35a189b510aac1bfddc883a.tar.gz
2 files changed, 56 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 491ffe4..e4346d5 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -9,3 +9,6 @@ SRC_URI += "file://CVE-2018-1108-random-fix-crng_ready-test.patch"
 #CVEs fixed in 4.9.98:
 SRC_URI += "file://CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch"
+#CVEs fixed in 4.9.99:
+SRC_URI += "file://CVE-2017-18255-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch"
diff --git a/patches/cve/CVE-2017-18255-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch b/patches/cve/CVE-2017-18255-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch
new file mode 100644
index 0000000..b7e14e2
--- /dev/null
+++ b/patches/cve/CVE-2017-18255-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch
@@ -0,0 +1,53 @@
+From 0f8a75e90963019cef486565f2b088bb570a7ddb Mon Sep 17 00:00:00 2001
+From: Tan Xiaojun <tanxiaojun@huawei.com>
+Date: Thu, 23 Feb 2017 14:04:39 +0800
+Subject: [PATCH] perf/core: Fix the perf_cpu_time_max_percent check
+commit 1572e45a924f254d9570093abde46430c3172e3d upstream.
+Use "proc_dointvec_minmax" instead of "proc_dointvec" to check the input
+value from user-space.
+If not, we can set a big value and some vars will overflow like
+"sysctl_perf_event_sample_rate" which will cause a lot of unexpected
+problems.
+CVE: CVE-2017-18255
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=0f8a75e90963019cef486565f2b088bb570a7ddb]
+Signed-off-by: Tan Xiaojun <tanxiaojun@huawei.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: <acme@kernel.org>
+Cc: <alexander.shishkin@linux.intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Link: http://lkml.kernel.org/r/1487829879-56237-1-git-send-email-tanxiaojun@huawei.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ kernel/events/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index b1d6b9888fba..cbc51826cb94 100644
+--- a/kernel/events/core.c
+++ b/kernel/events/core.c
+@@ -453,7 +453,7 @@ int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
+                                void __user *buffer, size_t *lenp,
+                                loff_t *ppos)
+ {
+-       int ret = proc_dointvec(table, write, buffer, lenp, ppos);
+       int ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+ 
+        if (ret || !write)
+                return ret;
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-26 13:33:46 +0200
committer	Andreas Wellving <andreas.wellving@enea.com>	2018-10-26 13:33:46 +0200
commit	a8c6ff94fd3905f1a35a189b510aac1bfddc883a (patch)
tree	b0d350314c0b8881af20651b05e6d72fd6bf7328 /patches
parent	8675d0d71e339e0933de5aa1b354b74d8ce59d97 (diff)
download	enea-kernel-cache-a8c6ff94fd3905f1a35a189b510aac1bfddc883a.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 491ffe4..e4346d5 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -9,3 +9,6 @@ SRC_URI += "file://CVE-2018-1108-random-fix-crng_ready-test.patch"
9		9
10	#CVEs fixed in 4.9.98:	10	#CVEs fixed in 4.9.98:
11	SRC_URI += "file://CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch"	11	SRC_URI += "file://CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch"
		12
		13	#CVEs fixed in 4.9.99:
		14	SRC_URI += "file://CVE-2017-18255-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch"


diff --git a/patches/cve/CVE-2017-18255-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch b/patches/cve/CVE-2017-18255-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch new file mode 100644 index 0000000..b7e14e2 --- /dev/null +++ b/patches/cve/CVE-2017-18255-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch
@@ -0,0 +1,53 @@
		1	From 0f8a75e90963019cef486565f2b088bb570a7ddb Mon Sep 17 00:00:00 2001
		2	From: Tan Xiaojun <tanxiaojun@huawei.com>
		3	Date: Thu, 23 Feb 2017 14:04:39 +0800
		4	Subject: [PATCH] perf/core: Fix the perf_cpu_time_max_percent check
		5
		6	commit 1572e45a924f254d9570093abde46430c3172e3d upstream.
		7
		8	Use "proc_dointvec_minmax" instead of "proc_dointvec" to check the input
		9	value from user-space.
		10
		11	If not, we can set a big value and some vars will overflow like
		12	"sysctl_perf_event_sample_rate" which will cause a lot of unexpected
		13	problems.
		14
		15	CVE: CVE-2017-18255
		16	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=0f8a75e90963019cef486565f2b088bb570a7ddb]
		17
		18	Signed-off-by: Tan Xiaojun <tanxiaojun@huawei.com>
		19	Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
		20	Cc: <acme@kernel.org>
		21	Cc: <alexander.shishkin@linux.intel.com>
		22	Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
		23	Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
		24	Cc: Jiri Olsa <jolsa@redhat.com>
		25	Cc: Linus Torvalds <torvalds@linux-foundation.org>
		26	Cc: Peter Zijlstra <peterz@infradead.org>
		27	Cc: Stephane Eranian <eranian@google.com>
		28	Cc: Thomas Gleixner <tglx@linutronix.de>
		29	Cc: Vince Weaver <vincent.weaver@maine.edu>
		30	Link: http://lkml.kernel.org/r/1487829879-56237-1-git-send-email-tanxiaojun@huawei.com
		31	Signed-off-by: Ingo Molnar <mingo@kernel.org>
		32	Cc: Guenter Roeck <linux@roeck-us.net>
		33	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		34	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		35	---
		36	kernel/events/core.c \| 2 +-
		37	1 file changed, 1 insertion(+), 1 deletion(-)
		38
		39	diff --git a/kernel/events/core.c b/kernel/events/core.c
		40	index b1d6b9888fba..cbc51826cb94 100644
		41	--- a/kernel/events/core.c
		42	+++ b/kernel/events/core.c
		43	@@ -453,7 +453,7 @@ int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
		44	void __user buffer, size_t lenp,
		45	loff_t *ppos)
		46	{
		47	- int ret = proc_dointvec(table, write, buffer, lenp, ppos);
		48	+ int ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
		49
		50	if (ret \|\| !write)
		51	return ret;
		52
		53