From 8a47051e3497ef3e5596ebd4bae012057e69f5b0 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Dec 01 2020 07:07:52 +0000 Subject: Merge branch 'cve/linux-4.12' into users/tiwai/SLE15-SP1/for-next Conflicts: patches.suse/block-Fix-use-after-free-in-blkdev_get.patch series.conf --- diff --git a/patches.suse/block-Fix-use-after-free-in-blkdev_get.patch b/patches.suse/block-Fix-use-after-free-in-blkdev_get.patch index 22aa5f6..54aa17b 100644 --- a/patches.suse/block-Fix-use-after-free-in-blkdev_get.patch +++ b/patches.suse/block-Fix-use-after-free-in-blkdev_get.patch @@ -4,7 +4,7 @@ Date: Tue, 16 Jun 2020 20:16:55 +0800 Subject: [PATCH] block: Fix use-after-free in blkdev_get() Git-commit: 2d3a8e2deddea6c89961c422ec0c5b851e648c14 Patch-mainline: v5.8-rc2 -References: bsc#1174843 +References: bsc#1173834 bsc#1179141 CVE-2020-15436 In blkdev_get() we call __blkdev_get() to do some internal jobs and if there is some errors in __blkdev_get(), the bdput() is called which diff --git a/patches.suse/romfs-fix-uninitialized-memory-leak-in-romfs_dev_rea.patch b/patches.suse/romfs-fix-uninitialized-memory-leak-in-romfs_dev_rea.patch new file mode 100644 index 0000000..887ac4b --- /dev/null +++ b/patches.suse/romfs-fix-uninitialized-memory-leak-in-romfs_dev_rea.patch 
@@ -0,0 +1,59 @@ +From bcf85fcedfdd17911982a3e3564fcfec7b01eebd Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Thu, 20 Aug 2020 17:42:11 -0700 +Subject: [PATCH] romfs: fix uninitialized memory leak in romfs_dev_read() +Git-commit: bcf85fcedfdd17911982a3e3564fcfec7b01eebd +Patch-mainline: v5.9-rc2 +References: CVE-2020-29371 bsc#1179429 + +romfs has a superblock field that limits the size of the filesystem; data +beyond that limit is never accessed. + +romfs_dev_read() fetches a caller-supplied number of bytes from the +backing device. It returns 0 on success or an error code on failure; +therefore, its API can't represent short reads, it's all-or-nothing. + +However, when romfs_dev_read() detects that the requested operation would +cross the filesystem size limit, it currently silently truncates the +requested number of bytes. This e.g. means that when the content of a +file with size 0x1000 starts one byte before the filesystem size limit, +->readpage() will only fill a single byte of the supplied page while +leaving the rest uninitialized, leaking that uninitialized memory to +userspace. + +Fix it by returning an error code instead of truncating the read when the +requested read operation would go beyond the end of the filesystem. 
+ +Fixes: da4458bda237 ("NOMMU: Make it possible for RomFS to use MTD devices directly") +Signed-off-by: Jann Horn +Signed-off-by: Andrew Morton +Reviewed-by: Greg Kroah-Hartman +Cc: David Howells +Cc: +Link: http://lkml.kernel.org/r/20200818013202.2246365-1-jannh@google.com +Signed-off-by: Linus Torvalds +Acked-by: Takashi Iwai + +--- + fs/romfs/storage.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/fs/romfs/storage.c b/fs/romfs/storage.c +index 6b2b4362089e..b57b3ffcbc32 100644 +--- a/fs/romfs/storage.c ++++ b/fs/romfs/storage.c +@@ -217,10 +217,8 @@ int romfs_dev_read(struct super_block *sb, unsigned long pos, + size_t limit; + + limit = romfs_maxsize(sb); +- if (pos >= limit) ++ if (pos >= limit || buflen > limit - pos) + return -EIO; +- if (buflen > limit - pos) +- buflen = limit - pos; + + #ifdef CONFIG_ROMFS_ON_MTD + if (sb->s_mtd) +-- +2.26.2 + diff --git a/series.conf b/series.conf index 23fc780..f62cf29 100644 --- a/series.conf +++ b/series.conf @@ -55860,6 +55860,7 @@ patches.suse/ext4-check-journal-inode-extents-more-carefully.patch patches.suse/ext4-fix-checking-of-directory-entry-validity-for-in.patch patches.suse/mm-vunmap-add-cond_resched-in-vunmap_pmd_range.patch + patches.suse/romfs-fix-uninitialized-memory-leak-in-romfs_dev_rea.patch patches.suse/kernel-relay.c-fix-memleak-on-destroy-relay-channel.patch patches.suse/scsi-qla2xxx-Use-MBX_TOV_SECONDS-for-mailbox-command.patch patches.suse/scsi-qla2xxx-Flush-all-sessions-on-zone-disable.patch
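Review bot: the References hunk in patches.suse/block-Fix-use-after-free-in-blkdev_get.patch replaces bsc#1174843 rather than adding to it, and this file is one of the two merge conflicts listed in the commit message, so the drop may be a conflict-resolution accident; if the patch still tracks bsc#1174843, keep it alongside the new entries, i.e. `References: bsc#1173834 bsc#1174843 bsc#1179141 CVE-2020-15436`, and if the removal is deliberate, say so in the merge message.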
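Review bot: in the fs/romfs/storage.c hunk the order of the two tests matters: `pos >= limit` has to be evaluated before `buflen > limit - pos`, because `limit - pos` is an unsigned subtraction that wraps when pos is past the end of the image, and the `||` short-circuit is what keeps that case safe, so that ordering should not be touched if the condition is ever restructured. Before this goes into SLE15-SP1 also check that every caller of romfs_dev_read() treats a non-zero return as a hard failure and not as a short read, since reads that previously returned 0 with a silently truncated buffer now return -EIO; the commit message only argues from the ->readpage() path, and that path in particular should fail or clear the page on error rather than leave it partly filled.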
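Review bot: the series.conf hunk inserts the romfs entry between the mm-vunmap-add-cond_resched and kernel-relay.c-fix-memleak patches; the new file's header says Patch-mainline: v5.9-rc2, so confirm that the neighbouring entries come from the same mainline range and that this position follows upstream commit order, so the ordering of that block stays consistent with the surrounding entries.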