Fix CVE-2018-7995 CVE-2018-8043

2018-03-12 08:18:40 -05:00 · 2018-03-12 08:18:40 -05:00 · 2770e4161e
parent 986e2bf640
commit 2770e4161e
3 changed files with 168 additions and 0 deletions
--- a/0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch
+++ b/0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch
@ -0,0 +1,44 @@
+From 297a6961ffb8ff4dc66c9fbf53b924bd1dda05d5 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Thu, 11 Jan 2018 11:21:51 +0000
+Subject: [PATCH] net: phy: mdio-bcm-unimac: fix potential NULL dereference in
+ unimac_mdio_probe()
+
+platform_get_resource() may fail and return NULL, so we should
+better check it's return value to avoid a NULL pointer dereference
+a bit later in the code.
+
+This is detected by Coccinelle semantic patch.
+
+@@
+expression pdev, res, n, t, e, e1, e2;
+@@
+
+res = platform_get_resource(pdev, t, n);
+ if (!res)
+   return -EINVAL;
+... when != res == NULL
+e = devm_ioremap(e1, res->start, e2);
+
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/phy/mdio-bcm-unimac.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/phy/mdio-bcm-unimac.c b/drivers/net/phy/mdio-bcm-unimac.c
+index 08e0647b85e2..8d370667fa1b 100644
+--- a/drivers/net/phy/mdio-bcm-unimac.c
+++ b/drivers/net/phy/mdio-bcm-unimac.c
+@@ -205,6 +205,8 @@ static int unimac_mdio_probe(struct platform_device *pdev)
+ 		return -ENOMEM;
+
+ 	r = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+	if (!r)
+		return -EINVAL;
+
+ 	/* Just ioremap, as this MDIO block is usually integrated into an
+ 	 * Ethernet MAC controller register range
+-- 
+2.14.3
+
--- a/0001-x86-MCE-Serialize-sysfs-changes.patch
+++ b/0001-x86-MCE-Serialize-sysfs-changes.patch
@ -0,0 +1,114 @@
+From b3b7c4795ccab5be71f080774c45bbbcc75c2aaf Mon Sep 17 00:00:00 2001
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Tue, 6 Mar 2018 15:21:43 +0100
+Subject: [PATCH] x86/MCE: Serialize sysfs changes
+
+The check_interval file in
+
+  /sys/devices/system/machinecheck/machinecheck<cpu number>
+
+directory is a global timer value for MCE polling. If it is changed by one
+CPU, mce_restart() broadcasts the event to other CPUs to delete and restart
+the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the
+mce_timer variable.
+
+If more than one CPU writes a specific value to the check_interval file
+concurrently, mce_timer is not protected from such concurrent accesses and
+all kinds of explosions happen. Since only root can write to those sysfs
+variables, the issue is not a big deal security-wise.
+
+However, concurrent writes to these configuration variables is void of
+reason so the proper thing to do is to serialize the access with a mutex.
+
+Boris:
+
+ - Make store_int_with_restart() use device_store_ulong() to filter out
+   negative intervals
+ - Limit min interval to 1 second
+ - Correct locking
+ - Massage commit message
+
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com
+---
+ arch/x86/kernel/cpu/mcheck/mce.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
+index b3323cab9139..466f47301334 100644
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -56,6 +56,9 @@
+
+ static DEFINE_MUTEX(mce_log_mutex);
+
+/* sysfs synchronization */
+static DEFINE_MUTEX(mce_sysfs_mutex);
+
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/mce.h>
+
+@@ -2088,6 +2091,7 @@ static ssize_t set_ignore_ce(struct device *s,
+ 	if (kstrtou64(buf, 0, &new) < 0)
+ 		return -EINVAL;
+
+	mutex_lock(&mce_sysfs_mutex);
+ 	if (mca_cfg.ignore_ce ^ !!new) {
+ 		if (new) {
+ 			/* disable ce features */
+@@ -2100,6 +2104,8 @@ static ssize_t set_ignore_ce(struct device *s,
+ 			on_each_cpu(mce_enable_ce, (void *)1, 1);
+ 		}
+ 	}
+	mutex_unlock(&mce_sysfs_mutex);
+
+ 	return size;
+ }
+
+@@ -2112,6 +2118,7 @@ static ssize_t set_cmci_disabled(struct device *s,
+ 	if (kstrtou64(buf, 0, &new) < 0)
+ 		return -EINVAL;
+
+	mutex_lock(&mce_sysfs_mutex);
+ 	if (mca_cfg.cmci_disabled ^ !!new) {
+ 		if (new) {
+ 			/* disable cmci */
+@@ -2123,6 +2130,8 @@ static ssize_t set_cmci_disabled(struct device *s,
+ 			on_each_cpu(mce_enable_ce, NULL, 1);
+ 		}
+ 	}
+	mutex_unlock(&mce_sysfs_mutex);
+
+ 	return size;
+ }
+
+@@ -2130,8 +2139,19 @@ static ssize_t store_int_with_restart(struct device *s,
+ 				      struct device_attribute *attr,
+ 				      const char *buf, size_t size)
+ {
+-	ssize_t ret = device_store_int(s, attr, buf, size);
+	unsigned long old_check_interval = check_interval;
+	ssize_t ret = device_store_ulong(s, attr, buf, size);
+
+	if (check_interval == old_check_interval)
+		return ret;
+
+	if (check_interval < 1)
+		check_interval = 1;
+
+	mutex_lock(&mce_sysfs_mutex);
+ 	mce_restart();
+	mutex_unlock(&mce_sysfs_mutex);
+
+ 	return ret;
+ }
+
+-- 
+2.14.3
+
--- a/kernel.spec
+++ b/kernel.spec
@ -639,6 +639,12 @@ Patch657: ipmi-fixes.patch
 # CVE-2018-7757 rhbz 1553361 1553363
 Patch658: 0001-scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_event.patch

+# CVE-2018-7995 rhbz 1553911 1553918
+Patch659: 0001-x86-MCE-Serialize-sysfs-changes.patch
+
+# CVE-2018-8043 rhbz 1554199 1554200
+Patch660: 0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -1937,6 +1943,10 @@ fi
 #
 #
 %changelog
+* Mon Mar 12 2018 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2018-7995 (rhbz 1553911 1553918)
+- Fix CVE-2018-8043 (rhbz 1554199 1554200)
+
 * Fri Mar 09 2018 Laura Abbott <labbott@redhat.com> - 4.15.8-300
 - Linux v4.15.8