From 24cdd62c17d9b6f587a67973230a9701288d5146 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Tue, 16 Jan 2018 20:48:55 +0100 Subject: [PATCH] RDS: Heap OOB write in rds_message_alloc_sgs() (CVE-2018-5332) --- debian/changelog | 6 ++++ ...p-OOB-write-in-rds_message_alloc_sgs.patch | 34 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 41 insertions(+) create mode 100644 debian/patches/bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch diff --git a/debian/changelog b/debian/changelog index 9eac6c5cd..9412c94d8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +linux (4.14.13-2) UNRELEASED; urgency=medium + + * RDS: Heap OOB write in rds_message_alloc_sgs() (CVE-2018-5332) + + -- Salvatore Bonaccorso Tue, 16 Jan 2018 20:50:23 +0100 + linux (4.14.13-1) unstable; urgency=medium * New upstream stable update: diff --git a/debian/patches/bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch b/debian/patches/bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch new file mode 100644 index 000000000..e59fab0bb --- /dev/null +++ b/debian/patches/bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch 
@@ -0,0 +1,34 @@ +From: Mohamed Ghannam +Date: Tue, 2 Jan 2018 19:44:34 +0000 +Subject: RDS: Heap OOB write in rds_message_alloc_sgs() +Origin: https://git.kernel.org/linus/c095508770aebf1b9218e77026e48345d719b17c +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5332 + +When args->nr_local is 0, nr_pages gets also 0 due some size +calculation via rds_rm_size(), which is later used to allocate +pages for DMA, this bug produces a heap Out-Of-Bound write access +to a specific memory region. + +Signed-off-by: Mohamed Ghannam +Signed-off-by: David S. Miller +--- + net/rds/rdma.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/rds/rdma.c b/net/rds/rdma.c +index bc2f1e0977d6..94729d9da437 100644 +--- a/net/rds/rdma.c ++++ b/net/rds/rdma.c +@@ -525,6 +525,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args) + + local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr; + ++ if (args->nr_local == 0) ++ return -EINVAL; ++ + /* figure out the number of pages in the vector */ + for (i = 0; i < args->nr_local; i++) { + if (copy_from_user(&vec, &local_vec[i], +-- +2.15.1 + diff --git a/debian/patches/series b/debian/patches/series index 60bf5e200..0cae9fedb 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -131,6 +131,7 @@ bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch bugfix/all/bpf-encapsulate-verifier-log-state-into-a-structure.patch bugfix/all/bpf-move-global-verifier-log-into-verifier-environme.patch bugfix/all/bpf-fix-integer-overflows.patch +bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch
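
Review bot: In the net/rds/rdma.c hunk, the new `if (args->nr_local == 0)` / `return -EINVAL;` check in rds_rdma_extra_size() only rejects an empty vector, while the commit message describes the root problem as nr_pages ending up 0. The visible lines do not show whether the loop that follows also fails when nr_local is non-zero but the entries add up to zero pages. Please confirm that path returns an error as well, or validate the accumulated page total after the loop. A one-line comment above the check naming rds_message_alloc_sgs() would also help, since the subject names that function but the guard sits in rds_rdma_extra_size().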
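
Review bot: In the debian/changelog hunk, the new 4.14.13-2 entry is opened with urgency=medium although its only item is the fix for CVE-2018-5332, which the patch header describes as a heap out-of-bounds write. If this upload is meant to carry the security fix on its own, consider whether urgency=high is more appropriate. Otherwise, state in the entry why medium is sufficient.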