From: RISCi_ATOM <bob@bobcall.me>
Date: Tue, 30 Jan 2018 11:28:54 +0000 (-0500)
Subject: Fix CVE 2018-5332
X-Git-Tag: v1.4.3~33
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=fcad225674cd5cc66295d7a565a33045e2b01753;p=librecmc%2Flibrecmc.git

Fix CVE 2018-5332

The Linux kernel through 4.14.13, the rds_message_alloc_sgs() function does not
validate a value that is used during DMA page allocation, leading to a heap-based
out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c).

Patch based upon:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c095508770aebf1b9218e77026e48345d719b17c
---

diff --git a/target/linux/generic/patches-4.4/920-cve-2018-5333-fix.patch b/target/linux/generic/patches-4.4/920-cve-2018-5333-fix.patch
new file mode 100644
index 0000000000..d228fe8d70
--- /dev/null
+++ b/target/linux/generic/patches-4.4/920-cve-2018-5333-fix.patch
@@ -0,0 +1,12 @@
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -517,6 +517,9 @@ int rds_rdma_extra_size(struct rds_rdma_
+ 
+ 	local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;
+ 
++	if (args->nr_local == 0)
++		return -EINVAL;
++
+ 	/* figure out the number of pages in the vector */
+ 	for (i = 0; i < args->nr_local; i++) {
+ 		if (copy_from_user(&vec, &local_vec[i],