diff --git a/debian/changelog b/debian/changelog
index 6e563b817..eedf3cae5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -42,7 +42,6 @@ linux (4.19.119-1) UNRELEASED; urgency=medium
 - net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
 - blktrace: Protect q->blk_trace with RCU
 - blktrace: fix dereference after null check
- - f2fs: fix to avoid memory leakage in f2fs_listxattr
 - KVM: VMX: Zero out *all* general purpose registers after VM-Exit
 - KVM: nVMX: Always sync GUEST_BNDCFGS when it comes from vmcs01
 - KVM: Introduce a new guest mapping API
diff --git a/debian/patches/bugfix/all/f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch b/debian/patches/bugfix/all/f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch
deleted file mode 100644
index 9004f45de..000000000
--- a/debian/patches/bugfix/all/f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From: Randall Huang
-Date: Fri, 18 Oct 2019 14:56:22 +0800
-Subject: f2fs: fix to avoid memory leakage in f2fs_listxattr
-Origin: https://git.kernel.org/linus/688078e7f36c293dae25b338ddc9e0a2790f6e06
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-0067
-
-In f2fs_listxattr, there is no boundary check before
-memcpy e_name to buffer.
-If the e_name_len is corrupted,
-unexpected memory contents may be returned to the buffer.
-
-Signed-off-by: Randall Huang
-Reviewed-by: Chao Yu
-Signed-off-by: Jaegeuk Kim
-[bwh: Backported to 4.19: Use f2fs_msg() instead of f2fs_err()]
-Signed-off-by: Ben Hutchings
-Signed-off-by: Sasha Levin
----
- fs/f2fs/xattr.c | 15 ++++++++++++++-
- 1 file changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
-index 1dae74f7cccac..201e9da1692a4 100644
---- a/fs/f2fs/xattr.c
-+++ b/fs/f2fs/xattr.c
-@@ -538,8 +538,9 @@ out:
- ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size)
- {
- struct inode *inode = d_inode(dentry);
-+ nid_t xnid = F2FS_I(inode)->i_xattr_nid;
- struct f2fs_xattr_entry *entry;
-- void *base_addr;
-+ void *base_addr, *last_base_addr;
- int error = 0;
- size_t rest = buffer_size;
-
-@@ -549,6 +550,8 @@ ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size)
- if (error)
- return error;
-
-+ last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode);
-+
- list_for_each_xattr(entry, base_addr) {
- const struct xattr_handler *handler =
- f2fs_xattr_handler(entry->e_name_index);
-@@ -556,6 +559,16 @@ ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size)
- size_t prefix_len;
- size_t size;
-
-+ if ((void *)(entry) + sizeof(__u32) > last_base_addr ||
-+ (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr) {
-+ f2fs_msg(dentry->d_sb, KERN_ERR,
-+ "inode (%lu) has corrupted xattr",
-+ inode->i_ino);
-+ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
-+ error = -EFSCORRUPTED;
-+ goto cleanup;
-+ }
-+
- if (!handler || (handler->list && !handler->list(dentry)))
- continue;
-
---
-2.20.1
-
diff --git a/debian/patches/series b/debian/patches/series
index 65f345823..88ce1c83a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -298,7 +298,6 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 debian/ntfs-mark-it-as-broken.patch
-bugfix/all/f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch
 bugfix/all/net-ipv6-add-net-argument-to-ip6_dst_lookup_flow.patch
 bugfix/all/net-ipv6_stub-use-ip6_dst_lookup_flow-instead-of-ip6.patch
 bugfix/all/blktrace-protect-q-blk_trace-with-rcu.patch