RDS: Heap OOB write in rds_message_alloc_sgs() (CVE-2018-5332)

2018-01-16 20:48:55 +01:00 · 2018-01-16 20:48:55 +01:00 · 24cdd62c17
parent 2ae3c9e4a7
commit 24cdd62c17
3 changed files with 41 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,9 @@
+linux (4.14.13-2) UNRELEASED; urgency=medium
+
+  * RDS: Heap OOB write in rds_message_alloc_sgs() (CVE-2018-5332)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 16 Jan 2018 20:50:23 +0100
+
 linux (4.14.13-1) unstable; urgency=medium

  * New upstream stable update:
--- a/debian/patches/bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
+++ b/debian/patches/bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
@ -0,0 +1,34 @@
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Tue, 2 Jan 2018 19:44:34 +0000
+Subject: RDS: Heap OOB write in rds_message_alloc_sgs()
+Origin: https://git.kernel.org/linus/c095508770aebf1b9218e77026e48345d719b17c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5332
+
+When args->nr_local is 0, nr_pages gets also 0 due some size
+calculation via rds_rm_size(), which is later used to allocate
+pages for DMA, this bug produces a heap Out-Of-Bound write access
+to a specific memory region.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/rds/rdma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/rds/rdma.c b/net/rds/rdma.c
+index bc2f1e0977d6..94729d9da437 100644
+--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
+@@ -525,6 +525,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
+ 
+ 	local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;
+ 
+	if (args->nr_local == 0)
+		return -EINVAL;
+
+ 	/* figure out the number of pages in the vector */
+ 	for (i = 0; i < args->nr_local; i++) {
+ 		if (copy_from_user(&vec, &local_vec[i],
+-- 
+2.15.1
+
--- a/debian/patches/series
+++ b/debian/patches/series
@ -131,6 +131,7 @@ bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
 bugfix/all/bpf-encapsulate-verifier-log-state-into-a-structure.patch
 bugfix/all/bpf-move-global-verifier-log-into-verifier-environme.patch
 bugfix/all/bpf-fix-integer-overflows.patch
+bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch

 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch