[linux] 01/03: RDS: Heap OOB write in rds_message_alloc_sgs() (CVE-2018-5332)
debian-kernel at lists.debian.org
Tue Jan 16 20:38:23 UTC 2018
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch sid
in repository linux.
commit 24cdd62c17d9b6f587a67973230a9701288d5146
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Tue Jan 16 20:48:55 2018 +0100
RDS: Heap OOB write in rds_message_alloc_sgs() (CVE-2018-5332)
---
debian/changelog | 6 ++++
...S-Heap-OOB-write-in-rds_message_alloc_sgs.patch | 34 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 41 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 9eac6c5..9412c94 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux (4.14.13-2) UNRELEASED; urgency=medium
+
+ * RDS: Heap OOB write in rds_message_alloc_sgs() (CVE-2018-5332)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Tue, 16 Jan 2018 20:50:23 +0100
+
linux (4.14.13-1) unstable; urgency=medium
* New upstream stable update:
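Review bot: the single changelog bullet names only rds_message_alloc_sgs(), while the patch this commit adds changes rds_rdma_extra_size() in net/rds/rdma.c; naming the patch file or the touched function in the entry would make it easier to match the changelog against the tree later. Since the only item in this stanza is a heap out-of-bounds write fix with a CVE assigned, it is also worth deciding before release whether urgency=medium is the intended value.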
diff --git a/debian/patches/bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch b/debian/patches/bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
new file mode 100644
index 0000000..e59fab0
--- /dev/null
+++ b/debian/patches/bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
@@ -0,0 +1,34 @@
+From: Mohamed Ghannam <simo.ghannam at gmail.com>
+Date: Tue, 2 Jan 2018 19:44:34 +0000
+Subject: RDS: Heap OOB write in rds_message_alloc_sgs()
+Origin: https://git.kernel.org/linus/c095508770aebf1b9218e77026e48345d719b17c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5332
+
+When args->nr_local is 0, nr_pages gets also 0 due some size
+calculation via rds_rm_size(), which is later used to allocate
+pages for DMA, this bug produces a heap Out-Of-Bound write access
+to a specific memory region.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/rds/rdma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/rds/rdma.c b/net/rds/rdma.c
+index bc2f1e0977d6..94729d9da437 100644
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -525,6 +525,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
+
+ local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;
+
++ if (args->nr_local == 0)
++ return -EINVAL;
++
+ /* figure out the number of pages in the vector */
+ for (i = 0; i < args->nr_local; i++) {
+ if (copy_from_user(&vec, &local_vec[i],
+--
+2.15.1
+
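Review bot: the new guard in rds_rdma_extra_size() (`if (args->nr_local == 0)` / `return -EINVAL;`) carries no comment, and the description does not explain how a zero nr_pages from the size calculation turns into the out-of-bounds write in rds_message_alloc_sgs() named in the subject. A short comment above the check saying that a zero nr_local makes the computed page count 0 would keep it from being dropped later as redundant. The visible context covers only the size calculation, so it is worth confirming that the code which later allocates pages from args->nr_local cannot be reached without passing this check; no upper bound on args->nr_local is visible in this hunk either, so that limit has to be enforced elsewhere.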
diff --git a/debian/patches/series b/debian/patches/series
index 60bf5e2..0cae9fe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -131,6 +131,7 @@ bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
bugfix/all/bpf-encapsulate-verifier-log-state-into-a-structure.patch
bugfix/all/bpf-move-global-verifier-log-into-verifier-environme.patch
bugfix/all/bpf-fix-integer-overflows.patch
+bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git