kernel/relay.c: handle alloc_percpu returning NULL in relay_open (CVE-2019-19462)
parent
7fc7c96d6e
commit
50bf5b3b3d
|
@ -12,6 +12,8 @@ linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium
|
|||
* netlabel: cope with NULL catmap (CVE-2020-10711)
|
||||
* fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
|
||||
(CVE-2020-10732)
|
||||
* kernel/relay.c: handle alloc_percpu returning NULL in relay_open
|
||||
(CVE-2019-19462)
|
||||
|
||||
-- Salvatore Bonaccorso <carnil@debian.org> Thu, 28 May 2020 23:02:30 +0200
|
||||
|
||||
|
|
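--- a/debian/patches/bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch
+++ b/debian/patches/bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch
@@ -0,0 +1,71 @@
+From: Daniel Axtens <dja@axtens.net>
+Date: Thu, 4 Jun 2020 16:51:27 -0700
+Subject: kernel/relay.c: handle alloc_percpu returning NULL in relay_open
+Origin: https://git.kernel.org/linus/54e200ab40fc14c863bcc80a51e20b7906608fce
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19462
+
+alloc_percpu() may return NULL, which means chan->buf may be set to NULL.
+In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an
+invalid pointer:
+
+BUG: Unable to handle kernel data access at 0x7dae0000
+Faulting instruction address: 0xc0000000003f3fec
+...
+NIP relay_open+0x29c/0x600
+LR relay_open+0x270/0x600
+Call Trace:
+relay_open+0x264/0x600 (unreliable)
+__blk_trace_setup+0x254/0x600
+blk_trace_setup+0x68/0xa0
+sg_ioctl+0x7bc/0x2e80
+do_vfs_ioctl+0x13c/0x1300
+ksys_ioctl+0x94/0x130
+sys_ioctl+0x48/0xb0
+system_call+0x5c/0x68
+
+Check if alloc_percpu returns NULL.
+
+This was found by syzkaller both on x86 and powerpc, and the reproducer
+it found on powerpc is capable of hitting the issue as an unprivileged
+user.
+
+Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers")
+Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com
+Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com
+Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com
+Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Cc: Akash Goel <akash.goel@intel.com>
+Cc: Andrew Donnellan <ajd@linux.ibm.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Cc: Salvatore Bonaccorso <carnil@debian.org>
+Cc: <stable@vger.kernel.org> [4.10+]
+Link: http://lkml.kernel.org/r/20191219121256.26480-1-dja@axtens.net
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+kernel/relay.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/kernel/relay.c b/kernel/relay.c
+index 90c7a002436d..dc82705e1cff 100644
+--- a/kernel/relay.c
++++ b/kernel/relay.c
+@@ -581,6 +581,11 @@ struct rchan *relay_open(const char *base_filename,
+return NULL;
+
+chan->buf = alloc_percpu(struct rchan_buf *);
++ if (!chan->buf) {
++ kfree(chan);
++ return NULL;
++ }
++
+chan->version = RELAYFS_CHANNEL_VERSION;
+chan->n_subbufs = n_subbufs;
+chan->subbuf_size = subbuf_size;
+--
+2.27.0.rc0
+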
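Review bot: The new early return at `+ if (!chan->buf)` releases the channel with a plain `kfree(chan)` rather than whatever teardown the rest of relay_open uses, and that is only correct because, as the visible context shows, nothing else on chan has been set up at this point (version, n_subbufs and subbuf_size are assigned only after the check). A one-line comment would pin that ordering dependency for anyone who later moves initialisation above the allocation: `/* nothing else initialised yet, so kfree() is the complete teardown */`. The remainder of relay_open, including any reference-count or lock handling its later error paths rely on, lies outside the hunk, so whether those paths release the channel differently cannot be confirmed from here.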
@ -308,5 +308,6 @@ bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch
|
|||
bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch
|
||||
bugfix/all/netlabel-cope-with-NULL-catmap.patch
|
||||
bugfix/all/fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch
|
||||
bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch
|
||||
|
||||
# ABI maintenance
|
||||
|
|