authorBen Hutchings <ben@decadent.org.uk>2018-07-02 21:43:33 +0100
committerBen Hutchings <ben@decadent.org.uk>2018-07-02 21:43:33 +0100
commit1f88ab63d48f52adb362cf3b0e8fee2b56bf61aa (patch)
tree0e89cae17e599fe66292d9aef9d57da085975e8a
parent2e3f7d949520c585513fa9a05ec2121a3d2fccac (diff)
downloadkernel_replicant_linux-1f88ab63d48f52adb362cf3b0e8fee2b56bf61aa.tar.gz
kernel_replicant_linux-1f88ab63d48f52adb362cf3b0e8fee2b56bf61aa.tar.bz2
kernel_replicant_linux-1f88ab63d48f52adb362cf3b0e8fee2b56bf61aa.zip
jfs: Fix inconsistency between memory allocation and ea_buf->max_size (CVE-2018-12233)
-rw-r--r--debian/changelog2
-rw-r--r--debian/patches/bugfix/all/jfs-fix-inconsistency-between-memory-allocation-and-.patch39
-rw-r--r--debian/patches/series1
3 files changed, 42 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index b8f1305fd12e..40bf13b1b871 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -107,6 +107,8 @@ linux (4.17.3-1) UNRELEASED; urgency=medium
* ext4: avoid running out of journal credits when appending to an inline file
(CVE-2018-10883)
* ext4: add more inode number paranoia checks (CVE-2018-10882)
+ * jfs: Fix inconsistency between memory allocation and ea_buf->max_size
+ (CVE-2018-12233)
[ Romain Perier ]
* [x86] amdgpu: Enable DCN 1.0 Raven family (Closes: #901349)
diff --git a/debian/patches/bugfix/all/jfs-fix-inconsistency-between-memory-allocation-and-.patch b/debian/patches/bugfix/all/jfs-fix-inconsistency-between-memory-allocation-and-.patch
new file mode 100644
index 000000000000..b0680e6bdfab
--- /dev/null
+++ b/debian/patches/bugfix/all/jfs-fix-inconsistency-between-memory-allocation-and-.patch
@@ -0,0 +1,39 @@
+From: Shankara Pailoor <shankarapailoor@gmail.com>
+Date: Tue, 5 Jun 2018 08:33:27 -0500
+Subject: jfs: Fix inconsistency between memory allocation and ea_buf->max_size
+Origin: https://git.kernel.org/linus/92d34134193e5b129dc24f8d79cb9196626e8d7a
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12233
+
+The code is assuming the buffer is max_size length, but we weren't
+allocating enough space for it.
+
+Signed-off-by: Shankara Pailoor <shankarapailoor@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+---
+ fs/jfs/xattr.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/fs/jfs/xattr.c
++++ b/fs/jfs/xattr.c
+@@ -491,15 +491,17 @@ static int ea_get(struct inode *inode, s
+ if (size > PSIZE) {
+ /*
+ * To keep the rest of the code simple. Allocate a
+- * contiguous buffer to work with
++ * contiguous buffer to work with. Make the buffer large
++ * enough to make use of the whole extent.
+ */
+- ea_buf->xattr = kmalloc(size, GFP_KERNEL);
++ ea_buf->max_size = (size + sb->s_blocksize - 1) &
++ ~(sb->s_blocksize - 1);
++
++ ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL);
+ if (ea_buf->xattr == NULL)
+ return -ENOMEM;
+
+ ea_buf->flag = EA_MALLOC;
+- ea_buf->max_size = (size + sb->s_blocksize - 1) &
+- ~(sb->s_blocksize - 1);
+
+ if (ea_size == 0)
+ return 0;
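Review bot: When `kmalloc()` fails in the new ordering, `ea_buf->max_size` already holds the rounded-up size while `ea_buf->xattr` is NULL and `ea_buf->flag` has not been set to `EA_MALLOC`, so the `-ENOMEM` return leaves the descriptor advertising capacity it does not have; before this change max_size was written only after a successful allocation. Whether any caller reads ea_buf after a failed ea_get() is not visible in this hunk, but computing the rounded size into a local and assigning `ea_buf->max_size` after the NULL check, or adding `ea_buf->max_size = 0;` before `return -ENOMEM;`, would keep the allocated length and max_size equal on every path. Since the patch description says the rest of the code assumes the buffer is max_size long, a short comment such as `/* allocation length must equal max_size; later code treats the buffer as max_size bytes */` above the kmalloc() call would record why the order matters. ea_get()'s body starts before and continues after the hunk.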
diff --git a/debian/patches/series b/debian/patches/series
index c2c2db5959e1..54a970a2a415 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -144,6 +144,7 @@ bugfix/all/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
bugfix/all/jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch
bugfix/all/ext4-avoid-running-out-of-journal-credits-when-appen.patch
bugfix/all/ext4-add-more-inode-number-paranoia-checks.patch
+bugfix/all/jfs-fix-inconsistency-between-memory-allocation-and-.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch