exec: Fix mem leak in kernel_read_file (CVE-2019-8980)
This commit is contained in:
parent
531357e266
commit
22610f2634
|
@ -632,6 +632,7 @@ linux (4.19.27-1) UNRELEASED; urgency=medium
|
|||
[ Salvatore Bonaccorso ]
|
||||
* Btrfs: fix corruption reading shared and compressed extents after hole
|
||||
punching (Closes: #922306)
|
||||
* exec: Fix mem leak in kernel_read_file (CVE-2019-8980)
|
||||
|
||||
[ Vagrant Cascadian ]
|
||||
* [arm64] Add patch from v4.20 to enable device-tree for Pine64-LTS.
|
||||
|
|
|
@ -0,0 +1,50 @@
|
|||
From: YueHaibing <yuehaibing@huawei.com>
|
||||
Date: Tue, 19 Feb 2019 10:10:38 +0800
|
||||
Subject: exec: Fix mem leak in kernel_read_file
|
||||
Origin: https://git.kernel.org/linus/f612acfae86af7ecad754ae6a46019be9da05b8e
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-8980
|
||||
|
||||
syzkaller report this:
|
||||
BUG: memory leak
|
||||
unreferenced object 0xffffc9000488d000 (size 9195520):
|
||||
comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
|
||||
hex dump (first 32 bytes):
|
||||
ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00 ................
|
||||
02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff ..........z.....
|
||||
backtrace:
|
||||
[<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
|
||||
[<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
|
||||
[<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
|
||||
[<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
|
||||
[<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
|
||||
[<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
|
||||
[<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
|
||||
[<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
|
||||
[<00000000241f889b>] 0xffffffffffffffff
|
||||
|
||||
It should goto 'out_free' lable to free allocated buf while kernel_read
|
||||
fails.
|
||||
|
||||
Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory")
|
||||
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
---
|
||||
fs/exec.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/fs/exec.c b/fs/exec.c
|
||||
index fb72d36f7823..bcf383730bea 100644
|
||||
--- a/fs/exec.c
|
||||
+++ b/fs/exec.c
|
||||
@@ -932,7 +932,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
|
||||
bytes = kernel_read(file, *buf + pos, i_size - pos, &pos);
|
||||
if (bytes < 0) {
|
||||
ret = bytes;
|
||||
- goto out;
|
||||
+ goto out_free;
|
||||
}
|
||||
|
||||
if (bytes == 0)
|
||||
--
|
||||
2.20.1
|
||||
|
|
@ -143,6 +143,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
|
||||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/exec-Fix-mem-leak-in-kernel_read_file.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|
Loading…
Reference in New Issue