From cbe47dcd6f8bac735325796b43f27d07555e1d89 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Jun 28 2018 13:26:53 +0000 Subject: Fix CVE-2018-12714 (rhbz 1595835 1595837) --- diff --git a/CVE-2018-12714.patch b/CVE-2018-12714.patch new file mode 100644 index 0000000..d3df531 --- /dev/null +++ b/CVE-2018-12714.patch @@ -0,0 +1,64 @@ +From 70303420b5721c38998cf987e6b7d30cc62d4ff1 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Thu, 21 Jun 2018 13:20:53 -0400 +Subject: [PATCH] tracing: Check for no filter when processing event filters + +The syzkaller detected a out-of-bounds issue with the events filter code, +specifically here: + + prog[N].pred = NULL; /* #13 */ + prog[N].target = 1; /* TRUE */ + prog[N+1].pred = NULL; + prog[N+1].target = 0; /* FALSE */ +-> prog[N-1].target = N; + prog[N-1].when_to_branch = false; + +As that's the first reference to a "N-1" index, it appears that the code got +here with N = 0, which means the filter parser found no filter to parse +(which shouldn't ever happen, but apparently it did). + +Add a new error to the parsing code that will check to make sure that N is +not zero before going into this part of the code. If N = 0, then -EINVAL is +returned, and a error message is added to the filter. + +Cc: stable@vger.kernel.org +Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster") +Reported-by: air icy +bugzilla url: https://bugzilla.kernel.org/show_bug.cgi?id=200019 +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Jeremy Cline +--- + kernel/trace/trace_events_filter.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c +index e1c818dbc0d7..0dceb77d1d42 100644 +--- a/kernel/trace/trace_events_filter.c ++++ b/kernel/trace/trace_events_filter.c +@@ -78,7 +78,8 @@ static const char * ops[] = { OPS }; + C(TOO_MANY_PREDS, "Too many terms in predicate expression"), \ + C(INVALID_FILTER, "Meaningless filter expression"), \ + C(IP_FIELD_ONLY, "Only 'ip' field is supported for function trace"), \ +- C(INVALID_VALUE, "Invalid value (did you forget quotes)?"), ++ C(INVALID_VALUE, "Invalid value (did you forget quotes)?"), \ ++ C(NO_FILTER, "No filter found"), + + #undef C + #define C(a, b) FILT_ERR_##a +@@ -550,6 +551,13 @@ predicate_parse(const char *str, int nr_parens, int nr_preds, + goto out_free; + } + ++ if (!N) { ++ /* No program? */ ++ ret = -EINVAL; ++ parse_error(pe, FILT_ERR_NO_FILTER, ptr - str); ++ goto out_free; ++ } ++ + prog[N].pred = NULL; /* #13 */ + prog[N].target = 1; /* TRUE */ + prog[N+1].pred = NULL; +-- +2.17.1 + diff --git a/kernel.spec b/kernel.spec index 79cae2b..8e58fea 100644 --- a/kernel.spec +++ b/kernel.spec @@ -657,6 +657,9 @@ Patch514: 0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch # rhbz 1591516 Patch515: 0001-signal-Stop-special-casing-TRAP_FIXME-and-FPE_FIXME-.patch +# CVE-2018-12714 rhbz 1595835 1595837 +Patch516: CVE-2018-12714.patch + # END OF PATCH DEFINITIONS %endif @@ -1906,6 +1909,9 @@ fi # # %changelog +* Thu Jun 28 2018 Jeremy Cline +- Fix CVE-2018-12714 (rhbz 1595835 1595837) + * Tue Jun 26 2018 Jeremy Cline - 4.17.3-100 - Linux v4.17.3 - Don't log an error if RTC_NVMEM isn't enabled (rhbz 1568276)