Fix CVE-2018-7995 CVE-2018-8043
This commit is contained in:
parent
986e2bf640
commit
2770e4161e
|
@ -0,0 +1,44 @@
|
|||
From 297a6961ffb8ff4dc66c9fbf53b924bd1dda05d5 Mon Sep 17 00:00:00 2001
|
||||
From: Wei Yongjun <weiyongjun1@huawei.com>
|
||||
Date: Thu, 11 Jan 2018 11:21:51 +0000
|
||||
Subject: [PATCH] net: phy: mdio-bcm-unimac: fix potential NULL dereference in
|
||||
unimac_mdio_probe()
|
||||
|
||||
platform_get_resource() may fail and return NULL, so we should
|
||||
better check it's return value to avoid a NULL pointer dereference
|
||||
a bit later in the code.
|
||||
|
||||
This is detected by Coccinelle semantic patch.
|
||||
|
||||
@@
|
||||
expression pdev, res, n, t, e, e1, e2;
|
||||
@@
|
||||
|
||||
res = platform_get_resource(pdev, t, n);
|
||||
+ if (!res)
|
||||
+ return -EINVAL;
|
||||
... when != res == NULL
|
||||
e = devm_ioremap(e1, res->start, e2);
|
||||
|
||||
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/phy/mdio-bcm-unimac.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/drivers/net/phy/mdio-bcm-unimac.c b/drivers/net/phy/mdio-bcm-unimac.c
|
||||
index 08e0647b85e2..8d370667fa1b 100644
|
||||
--- a/drivers/net/phy/mdio-bcm-unimac.c
|
||||
+++ b/drivers/net/phy/mdio-bcm-unimac.c
|
||||
@@ -205,6 +205,8 @@ static int unimac_mdio_probe(struct platform_device *pdev)
|
||||
return -ENOMEM;
|
||||
|
||||
r = platform_get_resource(pdev, IORESOURCE_MEM, 0);
|
||||
+ if (!r)
|
||||
+ return -EINVAL;
|
||||
|
||||
/* Just ioremap, as this MDIO block is usually integrated into an
|
||||
* Ethernet MAC controller register range
|
||||
--
|
||||
2.14.3
|
||||
|
|
@ -0,0 +1,114 @@
|
|||
From b3b7c4795ccab5be71f080774c45bbbcc75c2aaf Mon Sep 17 00:00:00 2001
|
||||
From: Seunghun Han <kkamagui@gmail.com>
|
||||
Date: Tue, 6 Mar 2018 15:21:43 +0100
|
||||
Subject: [PATCH] x86/MCE: Serialize sysfs changes
|
||||
|
||||
The check_interval file in
|
||||
|
||||
/sys/devices/system/machinecheck/machinecheck<cpu number>
|
||||
|
||||
directory is a global timer value for MCE polling. If it is changed by one
|
||||
CPU, mce_restart() broadcasts the event to other CPUs to delete and restart
|
||||
the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the
|
||||
mce_timer variable.
|
||||
|
||||
If more than one CPU writes a specific value to the check_interval file
|
||||
concurrently, mce_timer is not protected from such concurrent accesses and
|
||||
all kinds of explosions happen. Since only root can write to those sysfs
|
||||
variables, the issue is not a big deal security-wise.
|
||||
|
||||
However, concurrent writes to these configuration variables is void of
|
||||
reason so the proper thing to do is to serialize the access with a mutex.
|
||||
|
||||
Boris:
|
||||
|
||||
- Make store_int_with_restart() use device_store_ulong() to filter out
|
||||
negative intervals
|
||||
- Limit min interval to 1 second
|
||||
- Correct locking
|
||||
- Massage commit message
|
||||
|
||||
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
|
||||
Signed-off-by: Borislav Petkov <bp@suse.de>
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
Cc: Tony Luck <tony.luck@intel.com>
|
||||
Cc: linux-edac <linux-edac@vger.kernel.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com
|
||||
---
|
||||
arch/x86/kernel/cpu/mcheck/mce.c | 22 +++++++++++++++++++++-
|
||||
1 file changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
|
||||
index b3323cab9139..466f47301334 100644
|
||||
--- a/arch/x86/kernel/cpu/mcheck/mce.c
|
||||
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
|
||||
@@ -56,6 +56,9 @@
|
||||
|
||||
static DEFINE_MUTEX(mce_log_mutex);
|
||||
|
||||
+/* sysfs synchronization */
|
||||
+static DEFINE_MUTEX(mce_sysfs_mutex);
|
||||
+
|
||||
#define CREATE_TRACE_POINTS
|
||||
#include <trace/events/mce.h>
|
||||
|
||||
@@ -2088,6 +2091,7 @@ static ssize_t set_ignore_ce(struct device *s,
|
||||
if (kstrtou64(buf, 0, &new) < 0)
|
||||
return -EINVAL;
|
||||
|
||||
+ mutex_lock(&mce_sysfs_mutex);
|
||||
if (mca_cfg.ignore_ce ^ !!new) {
|
||||
if (new) {
|
||||
/* disable ce features */
|
||||
@@ -2100,6 +2104,8 @@ static ssize_t set_ignore_ce(struct device *s,
|
||||
on_each_cpu(mce_enable_ce, (void *)1, 1);
|
||||
}
|
||||
}
|
||||
+ mutex_unlock(&mce_sysfs_mutex);
|
||||
+
|
||||
return size;
|
||||
}
|
||||
|
||||
@@ -2112,6 +2118,7 @@ static ssize_t set_cmci_disabled(struct device *s,
|
||||
if (kstrtou64(buf, 0, &new) < 0)
|
||||
return -EINVAL;
|
||||
|
||||
+ mutex_lock(&mce_sysfs_mutex);
|
||||
if (mca_cfg.cmci_disabled ^ !!new) {
|
||||
if (new) {
|
||||
/* disable cmci */
|
||||
@@ -2123,6 +2130,8 @@ static ssize_t set_cmci_disabled(struct device *s,
|
||||
on_each_cpu(mce_enable_ce, NULL, 1);
|
||||
}
|
||||
}
|
||||
+ mutex_unlock(&mce_sysfs_mutex);
|
||||
+
|
||||
return size;
|
||||
}
|
||||
|
||||
@@ -2130,8 +2139,19 @@ static ssize_t store_int_with_restart(struct device *s,
|
||||
struct device_attribute *attr,
|
||||
const char *buf, size_t size)
|
||||
{
|
||||
- ssize_t ret = device_store_int(s, attr, buf, size);
|
||||
+ unsigned long old_check_interval = check_interval;
|
||||
+ ssize_t ret = device_store_ulong(s, attr, buf, size);
|
||||
+
|
||||
+ if (check_interval == old_check_interval)
|
||||
+ return ret;
|
||||
+
|
||||
+ if (check_interval < 1)
|
||||
+ check_interval = 1;
|
||||
+
|
||||
+ mutex_lock(&mce_sysfs_mutex);
|
||||
mce_restart();
|
||||
+ mutex_unlock(&mce_sysfs_mutex);
|
||||
+
|
||||
return ret;
|
||||
}
|
||||
|
||||
--
|
||||
2.14.3
|
||||
|
10
kernel.spec
10
kernel.spec
|
@ -639,6 +639,12 @@ Patch657: ipmi-fixes.patch
|
|||
# CVE-2018-7757 rhbz 1553361 1553363
|
||||
Patch658: 0001-scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_event.patch
|
||||
|
||||
# CVE-2018-7995 rhbz 1553911 1553918
|
||||
Patch659: 0001-x86-MCE-Serialize-sysfs-changes.patch
|
||||
|
||||
# CVE-2018-8043 rhbz 1554199 1554200
|
||||
Patch660: 0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1937,6 +1943,10 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Mar 12 2018 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Fix CVE-2018-7995 (rhbz 1553911 1553918)
|
||||
- Fix CVE-2018-8043 (rhbz 1554199 1554200)
|
||||
|
||||
* Fri Mar 09 2018 Laura Abbott <labbott@redhat.com> - 4.15.8-300
|
||||
- Linux v4.15.8
|
||||
|
||||
|
|
Loading…
Reference in New Issue