RDS: null pointer dereference in rds_atomic_free_op (CVE-2018-5333)

debian/changelog

@@ -1,6 +1,7 @@
 linux (4.14.13-2) UNRELEASED; urgency=medium
 
   * RDS: Heap OOB write in rds_message_alloc_sgs() (CVE-2018-5332)
+  * RDS: null pointer dereference in rds_atomic_free_op (CVE-2018-5333)
 
  -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 16 Jan 2018 20:50:23 +0100
 

debian/patches/bugfix/all/RDS-null-pointer-dereference-in-rds_atomic_free_op.patch

@@ -0,0 +1,32 @@
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Wed, 3 Jan 2018 21:06:06 +0000
+Subject: RDS: null pointer dereference in rds_atomic_free_op
+Origin: https://git.kernel.org/linus/7d11f77f84b27cef452cee332f4e469503084737
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5333
+
+set rm->atomic.op_active to 0 when rds_pin_pages() fails
+or the user supplied address is invalid,
+this prevents a NULL pointer usage in rds_atomic_free_op()
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/rds/rdma.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/rds/rdma.c b/net/rds/rdma.c
+index 94729d9da437..634cfcb7bba6 100644
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -877,6 +877,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm,
+ err:
+ 	if (page)
+ 		put_page(page);
++	rm->atomic.op_active = 0;
+ 	kfree(rm->atomic.op_notifier);
+ 
+ 	return ret;
+-- 
+2.15.1
+

debian/patches/series

@@ -132,6 +132,7 @@ bugfix/all/bpf-encapsulate-verifier-log-state-into-a-structure.patch
 bugfix/all/bpf-move-global-verifier-log-into-verifier-environme.patch
 bugfix/all/bpf-fix-integer-overflows.patch
 bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
+bugfix/all/RDS-null-pointer-dereference-in-rds_atomic_free_op.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch