From fcad225674cd5cc66295d7a565a33045e2b01753 Mon Sep 17 00:00:00 2001
From: RISCi_ATOM <bob@bobcall.me>
Date: Tue, 30 Jan 2018 06:28:54 -0500
Subject: [PATCH] Fix CVE 2018-5332

The Linux kernel through 4.14.13, the rds_message_alloc_sgs() function does not
validate a value that is used during DMA page allocation, leading to a heap-based
out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c).

Patch based upon:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c095508770aebf1b9218e77026e48345d719b17c
---
 .../generic/patches-4.4/920-cve-2018-5333-fix.patch  | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 target/linux/generic/patches-4.4/920-cve-2018-5333-fix.patch

diff --git a/target/linux/generic/patches-4.4/920-cve-2018-5333-fix.patch b/target/linux/generic/patches-4.4/920-cve-2018-5333-fix.patch
new file mode 100644
index 0000000000..d228fe8d70
--- /dev/null
+++ b/target/linux/generic/patches-4.4/920-cve-2018-5333-fix.patch
@@ -0,0 +1,12 @@
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -517,6 +517,9 @@ int rds_rdma_extra_size(struct rds_rdma_
+ 
+ 	local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;
+ 
++	if (args->nr_local == 0)
++		return -EINVAL;
++
+ 	/* figure out the number of pages in the vector */
+ 	for (i = 0; i < args->nr_local; i++) {
+ 		if (copy_from_user(&vec, &local_vec[i],
-- 
2.25.1