projects / librecmc / librecmc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9a6a4b1)
Fix CVE 2018-5332
authorRISCi_ATOM <bob@bobcall.me>
Tue, 30 Jan 2018 11:28:54 +0000 (06:28 -0500)
committerRISCi_ATOM <bob@bobcall.me>
Tue, 30 Jan 2018 11:28:54 +0000 (06:28 -0500)
The Linux kernel through 4.14.13, the rds_message_alloc_sgs() function does not
validate a value that is used during DMA page allocation, leading to a heap-based
out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c).

Patch based upon:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c095508770aebf1b9218e77026e48345d719b17c

target/linux/generic/patches-4.4/920-cve-2018-5333-fix.patch [new file with mode: 0644] patch | blob

diff --git a/target/linux/generic/patches-4.4/920-cve-2018-5333-fix.patch b/target/linux/generic/patches-4.4/920-cve-2018-5333-fix.patch
new file mode 100644 (file)
index 0000000..d228fe8
--- /dev/null
+++ b/target/linux/generic/patches-4.4/920-cve-2018-5333-fix.patch
@@ -0,0 +1,12 @@
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -517,6 +517,9 @@ int rds_rdma_extra_size(struct rds_rdma_
+       local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;
++      if (args->nr_local == 0)
++              return -EINVAL;
++
+       /* figure out the number of pages in the vector */
+       for (i = 0; i < args->nr_local; i++) {
+               if (copy_from_user(&vec, &local_vec[i],