December Security Patches

5bc57254 · IratePorcupine · d520b084 · 5bc57254 · 5bc57254 · 5bc57254
Commit 5bc57254 authored 6 years ago by IratePorcupine
--- a/CVE-2018-10840/ANY/0001.patch
+++ b/CVE-2018-10840/ANY/0001.patch
+From 8a2b307c21d4b290e3cbe33f768f194286d07c23 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 23 May 2018 11:31:03 -0400
+Subject: ext4: correctly handle a zero-length xattr with a non-zero
+ e_value_offs
+
+Ext4 will always create ext4 extended attributes which do not have a
+value (where e_value_size is zero) with e_value_offs set to zero.  In
+most places e_value_offs will not be used in a substantive way if
+e_value_size is zero.
+
+There was one exception to this, which is in ext4_xattr_set_entry(),
+where if there is a maliciously crafted file system where there is an
+extended attribute with e_value_offs is non-zero and e_value_size is
+0, the attempt to remove this xattr will result in a negative value
+getting passed to memmove, leading to the following sadness:
+
+[   41.225365] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
+[   44.538641] BUG: unable to handle kernel paging request at ffff9ec9a3000000
+[   44.538733] IP: __memmove+0x81/0x1a0
+[   44.538755] PGD 1249bd067 P4D 1249bd067 PUD 1249c1067 PMD 80000001230000e1
+[   44.538793] Oops: 0003 [#1] SMP PTI
+[   44.539074] CPU: 0 PID: 1470 Comm: poc Not tainted 4.16.0-rc1+ #1
+    ...
+[   44.539475] Call Trace:
+[   44.539832]  ext4_xattr_set_entry+0x9e7/0xf80
+    ...
+[   44.539972]  ext4_xattr_block_set+0x212/0xea0
+    ...
+[   44.540041]  ext4_xattr_set_handle+0x514/0x610
+[   44.540065]  ext4_xattr_set+0x7f/0x120
+[   44.540090]  __vfs_removexattr+0x4d/0x60
+[   44.540112]  vfs_removexattr+0x75/0xe0
+[   44.540132]  removexattr+0x4d/0x80
+    ...
+[   44.540279]  path_removexattr+0x91/0xb0
+[   44.540300]  SyS_removexattr+0xf/0x20
+[   44.540322]  do_syscall_64+0x71/0x120
+[   44.540344]  entry_SYSCALL_64_after_hwframe+0x21/0x86
+
+https://bugzilla.kernel.org/show_bug.cgi?id=199347
+
+This addresses CVE-2018-10840.
+
+Reported-by: "Xu, Wen" <wen.xu@gatech.edu>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Cc: stable@kernel.org
+Fixes: dec214d00e0d7 ("ext4: xattr inode deduplication")
+---
+ fs/ext4/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
+index 499cb4b1fbd2..fc4ced59c565 100644
+--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
+@@ -1688,7 +1688,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i,
+ 
+ 	/* No failures allowed past this point. */
+ 
+-	if (!s->not_found && here->e_value_offs) {
+	if (!s->not_found && here->e_value_size && here->e_value_offs) {
+ 		/* Remove the old value. */
+ 		void *first_val = s->base + min_offs;
+ 		size_t offs = le16_to_cpu(here->e_value_offs);
+-- 
+cgit 1.2-0.3.lf.el7
+
--- a/CVE-2018-11960/ANY/0001.patch
+++ b/CVE-2018-11960/ANY/0001.patch
+From 18ce15db603e19cfac9a2f4076f255e879100495 Mon Sep 17 00:00:00 2001
+From: Siva Kumar Akkireddi <sivaa@codeaurora.org>
+Date: Thu, 5 Jul 2018 10:55:32 +0530
+Subject: msm: sps: Suppress bind/unbind attributes
+
+SPS driver does not support manual bind/unbind operations
+through sysfs. Suppress the bind/unbind nodes. Do not free
+SPS struct in sps_device_de_init since it is being done in
+sps_exit, and also to avoid use-after-free.
+
+Change-Id: If6da6c5fb9d1a44d0420c6151f7f9d0a33cb2d04
+Signed-off-by: Siva Kumar Akkireddi <sivaa@codeaurora.org>
+---
+ drivers/platform/msm/sps/sps.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/platform/msm/sps/sps.c b/drivers/platform/msm/sps/sps.c
+index 03cc14a..2237db1 100644
+--- a/drivers/platform/msm/sps/sps.c
+++ b/drivers/platform/msm/sps/sps.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2011-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2018, The Linux Foundation. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 and
+@@ -1006,8 +1006,6 @@ static void sps_device_de_init(void)
+ 				"sps:%s:BAMs are still registered", __func__);
+ 
+ 		sps_map_de_init();
+-
+-		kfree(sps);
+ 	}
+ 
+ 	sps_mem_de_init();
+@@ -2989,6 +2987,7 @@ static struct platform_driver msm_sps_driver = {
+ 		.name	= SPS_DRV_NAME,
+ 		.owner	= THIS_MODULE,
+ 		.of_match_table = msm_sps_match,
+		.suppress_bind_attrs = true,
+ 	},
+ 	.remove		= msm_sps_remove,
+ };
+-- 
+cgit v1.1
+
--- a/CVE-2018-11963/ANY/0001.patch
+++ b/CVE-2018-11963/ANY/0001.patch
+From c9ac3476a91c384a3f2760fabaecef0ad8698d7b Mon Sep 17 00:00:00 2001
+From: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
+Date: Fri, 6 Jul 2018 16:08:12 +0530
+Subject: msm: camera: Fix out-of-bounds read in string class name.
+
+jpeg driver is calling class_create with stack variable, which
+can be overwritten by other stack variables.
+
+Change-Id: I3c22a5b3375b970ff6b1c6de983dd5833f4e11d0
+Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
+Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
+---
+ drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_dev.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_dev.c b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_dev.c
+index 06e3ee4..5ef08cb 100644
+--- a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_dev.c
+++ b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_dev.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 and
+@@ -32,6 +32,8 @@
+ #define MSM_JPEG_NAME "jpeg"
+ #define DEV_NAME_LEN 10
+ 
+static char devname[DEV_NAME_LEN];
+
+ static int msm_jpeg_open(struct inode *inode, struct file *filp)
+ {
+ 	int rc = 0;
+@@ -185,7 +187,6 @@ static int msm_jpeg_init_dev(struct platform_device *pdev)
+ 	struct msm_jpeg_device *msm_jpeg_device_p;
+ 	const struct of_device_id *device_id;
+ 	const struct msm_jpeg_priv_data *priv_data;
+-	char devname[DEV_NAME_LEN];
+ 
+ 	msm_jpeg_device_p = kzalloc(sizeof(struct msm_jpeg_device), GFP_ATOMIC);
+ 	if (!msm_jpeg_device_p) {
+@@ -328,6 +329,7 @@ static struct platform_driver msm_jpeg_driver = {
+ static int __init msm_jpeg_driver_init(void)
+ {
+ 	int rc;
+
+ 	rc = platform_driver_register(&msm_jpeg_driver);
+ 	return rc;
+ }
+-- 
+cgit v1.1
+
--- a/CVE-2018-11987/ANY/0001.patch
+++ b/CVE-2018-11987/ANY/0001.patch
+From 5e9ffcfa152ecb2832990c42fcd8a0f2e63c2c04 Mon Sep 17 00:00:00 2001
+From: Vinayak Menon <vinmenon@codeaurora.org>
+Date: Wed, 13 Jun 2018 20:59:29 +0530
+Subject: ion: invalidate the pool pointers after free
+
+ion_system_heap_destroy_pools frees the pool, but
+does not invalidate the pointer. This can result in
+a double free if ion_system_heap_create_pools fails,
+and then causes ion_system_heap_create to call into
+ion_system_heap_destroy_pools again from the error
+path. This can happen in ion_system_heap_create when
+one of the secure pool creation fails.
+
+Change-Id: Ic73ca78722aa5a575cc4dd7c1caa560b518094f2
+Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
+---
+ drivers/staging/android/ion/ion_system_heap.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/android/ion/ion_system_heap.c b/drivers/staging/android/ion/ion_system_heap.c
+index e3985f6..37b6ad4 100644
+--- a/drivers/staging/android/ion/ion_system_heap.c
+++ b/drivers/staging/android/ion/ion_system_heap.c
+@@ -756,8 +756,10 @@ static void ion_system_heap_destroy_pools(struct ion_page_pool **pools)
+ {
+ 	int i;
+ 	for (i = 0; i < num_orders; i++)
+-		if (pools[i])
+		if (pools[i]) {
+ 			ion_page_pool_destroy(pools[i]);
+			pools[i] = NULL;
+		}
+ }
+ 
+ /**
+-- 
+cgit v1.1
+
--- a/CVE-2018-9568/ANY/0001.patch
+++ b/CVE-2018-9568/ANY/0001.patch
+From 9d538fa60bad4f7b23193c89e843797a1cf71ef3 Mon Sep 17 00:00:00 2001
+From: Christoph Paasch <cpaasch@apple.com>
+Date: Tue, 26 Sep 2017 17:38:50 -0700
+Subject: net: Set sk_prot_creator when cloning sockets to the right proto
+
+sk->sk_prot and sk->sk_prot_creator can differ when the app uses
+IPV6_ADDRFORM (transforming an IPv6-socket to an IPv4-one).
+Which is why sk_prot_creator is there to make sure that sk_prot_free()
+does the kmem_cache_free() on the right kmem_cache slab.
+
+Now, if such a socket gets transformed back to a listening socket (using
+connect() with AF_UNSPEC) we will allocate an IPv4 tcp_sock through
+sk_clone_lock() when a new connection comes in. But sk_prot_creator will
+still point to the IPv6 kmem_cache (as everything got copied in
+sk_clone_lock()). When freeing, we will thus put this
+memory back into the IPv6 kmem_cache although it was allocated in the
+IPv4 cache. I have seen memory corruption happening because of this.
+
+With slub-debugging and MEMCG_KMEM enabled this gives the warning
+	"cache_from_obj: Wrong slab cache. TCPv6 but object is from TCP"
+
+A C-program to trigger this:
+
+void main(void)
+{
+        int fd = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
+        int new_fd, newest_fd, client_fd;
+        struct sockaddr_in6 bind_addr;
+        struct sockaddr_in bind_addr4, client_addr1, client_addr2;
+        struct sockaddr unsp;
+        int val;
+
+        memset(&bind_addr, 0, sizeof(bind_addr));
+        bind_addr.sin6_family = AF_INET6;
+        bind_addr.sin6_port = ntohs(42424);
+
+        memset(&client_addr1, 0, sizeof(client_addr1));
+        client_addr1.sin_family = AF_INET;
+        client_addr1.sin_port = ntohs(42424);
+        client_addr1.sin_addr.s_addr = inet_addr("127.0.0.1");
+
+        memset(&client_addr2, 0, sizeof(client_addr2));
+        client_addr2.sin_family = AF_INET;
+        client_addr2.sin_port = ntohs(42421);
+        client_addr2.sin_addr.s_addr = inet_addr("127.0.0.1");
+
+        memset(&unsp, 0, sizeof(unsp));
+        unsp.sa_family = AF_UNSPEC;
+
+        bind(fd, (struct sockaddr *)&bind_addr, sizeof(bind_addr));
+
+        listen(fd, 5);
+
+        client_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+        connect(client_fd, (struct sockaddr *)&client_addr1, sizeof(client_addr1));
+        new_fd = accept(fd, NULL, NULL);
+        close(fd);
+
+        val = AF_INET;
+        setsockopt(new_fd, SOL_IPV6, IPV6_ADDRFORM, &val, sizeof(val));
+
+        connect(new_fd, &unsp, sizeof(unsp));
+
+        memset(&bind_addr4, 0, sizeof(bind_addr4));
+        bind_addr4.sin_family = AF_INET;
+        bind_addr4.sin_port = ntohs(42421);
+        bind(new_fd, (struct sockaddr *)&bind_addr4, sizeof(bind_addr4));
+
+        listen(new_fd, 5);
+
+        client_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+        connect(client_fd, (struct sockaddr *)&client_addr2, sizeof(client_addr2));
+
+        newest_fd = accept(new_fd, NULL, NULL);
+        close(new_fd);
+
+        close(client_fd);
+        close(new_fd);
+}
+
+As far as I can see, this bug has been there since the beginning of the
+git-days.
+
+Signed-off-by: Christoph Paasch <cpaasch@apple.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/core/sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+(limited to 'net/core/sock.c')
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 9b7b6bbb2a23..7d55c05f449d 100644
+--- a/net/core/sock.c
+++ b/net/core/sock.c
+@@ -1654,6 +1654,8 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
+ 
+ 		sock_copy(newsk, sk);
+ 
+		newsk->sk_prot_creator = sk->sk_prot;
+
+ 		/* SANITY */
+ 		if (likely(newsk->sk_net_refcnt))
+ 			get_net(sock_net(newsk));
+-- 
+cgit 1.2-0.3.lf.el7
+
--- a/Kernel_CVE_Patch_List.txt
+++ b/Kernel_CVE_Patch_List.txt
@@ -2922,9 +2922,13 @@ CVE-2018-9518
 	Link - https://lkml.org/lkml/diff/2018/2/14/909/1
 CVE-2018-9519
 	Link - https://android.googlesource.com/kernel/msm/+/4c39f5fbf3be421b4ac9b389c05b22042d51548a
+CVE-2018-9568
+	Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/core/sock.c?id=9d538fa60bad4f7b23193c89e843797a1cf71ef3
 CVE-2018-9718
 	Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=ee01597a863a942532768f1604bd046f60ecbbfb
 	Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=cc8fc46c0bfe75c840b421ebeebe8a9c498f854b
+CVE-2018-10840
+	Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8a2b307c21d4b290e3cbe33f768f194286d07c23
 CVE-2018-10876
 	Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v3.16.58&id=9c2e1d0691bfc68ebc914043497330bd530c6ed6
 	Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v3.16.58&id=2ddf6de5d4af615b83c1a681386b25637290b44e
@@ -3113,6 +3117,12 @@ CVE-2018-11919
 	Link - https://source.codeaurora.org/quic/qsdk/oss/kernel/linux-msm/commit/?id=456a408d62cef797107e3b0de7d05bb211742bbd
 	Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=085e7272b4c5a41b1ab26c683591864aefab14fe
 	Link - 4.9 - https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=87925782e640efb493f21bf0e255b6a638eea334
+CVE-2018-11960
+	Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=18ce15db603e19cfac9a2f4076f255e879100495
+CVE-2018-11963
+	Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=c9ac3476a91c384a3f2760fabaecef0ad8698d7b
+CVE-2018-11987
+	Link - https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=5e9ffcfa152ecb2832990c42fcd8a0f2e63c2c04
 CVE-2018-17182
 	Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7a9cdebdcc17e426fb5287e4a82db1dfe86339b2
 LVT-2017-0001