Fix CVE-2018-12714 (rhbz 1595835 1595837)

2018-06-28 09:23:57 -04:00 · 2018-06-28 09:23:57 -04:00 · cbe47dcd6f
parent 4342af80cf
commit cbe47dcd6f
2 changed files with 70 additions and 0 deletions
--- a/CVE-2018-12714.patch
+++ b/CVE-2018-12714.patch
@ -0,0 +1,64 @@
+From 70303420b5721c38998cf987e6b7d30cc62d4ff1 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 21 Jun 2018 13:20:53 -0400
+Subject: [PATCH] tracing: Check for no filter when processing event filters
+
+The syzkaller detected a out-of-bounds issue with the events filter code,
+specifically here:
+
+	prog[N].pred = NULL;					/* #13 */
+	prog[N].target = 1;		/* TRUE */
+	prog[N+1].pred = NULL;
+	prog[N+1].target = 0;		/* FALSE */
+->	prog[N-1].target = N;
+	prog[N-1].when_to_branch = false;
+
+As that's the first reference to a "N-1" index, it appears that the code got
+here with N = 0, which means the filter parser found no filter to parse
+(which shouldn't ever happen, but apparently it did).
+
+Add a new error to the parsing code that will check to make sure that N is
+not zero before going into this part of the code. If N = 0, then -EINVAL is
+returned, and a error message is added to the filter.
+
+Cc: stable@vger.kernel.org
+Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster")
+Reported-by: air icy <icytxw@gmail.com>
+bugzilla url: https://bugzilla.kernel.org/show_bug.cgi?id=200019
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ kernel/trace/trace_events_filter.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
+index e1c818dbc0d7..0dceb77d1d42 100644
+--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
+@@ -78,7 +78,8 @@ static const char * ops[] = { OPS };
+ 	C(TOO_MANY_PREDS,	"Too many terms in predicate expression"), \
+ 	C(INVALID_FILTER,	"Meaningless filter expression"),	\
+ 	C(IP_FIELD_ONLY,	"Only 'ip' field is supported for function trace"), \
+-	C(INVALID_VALUE,	"Invalid value (did you forget quotes)?"),
+	C(INVALID_VALUE,	"Invalid value (did you forget quotes)?"), \
+	C(NO_FILTER,		"No filter found"),
+ 
+ #undef C
+ #define C(a, b)		FILT_ERR_##a
+@@ -550,6 +551,13 @@ predicate_parse(const char *str, int nr_parens, int nr_preds,
+ 		goto out_free;
+ 	}
+ 
+	if (!N) {
+		/* No program? */
+		ret = -EINVAL;
+		parse_error(pe, FILT_ERR_NO_FILTER, ptr - str);
+		goto out_free;
+	}
+
+ 	prog[N].pred = NULL;					/* #13 */
+ 	prog[N].target = 1;		/* TRUE */
+ 	prog[N+1].pred = NULL;
+-- 
+2.17.1
+
--- a/kernel.spec
+++ b/kernel.spec
@ -657,6 +657,9 @@ Patch514: 0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch
 # rhbz 1591516
 Patch515: 0001-signal-Stop-special-casing-TRAP_FIXME-and-FPE_FIXME-.patch

+# CVE-2018-12714 rhbz 1595835 1595837
+Patch516: CVE-2018-12714.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -1906,6 +1909,9 @@ fi
 #
 #
 %changelog
+* Thu Jun 28 2018 Jeremy Cline <jeremy@jcline.org>
+- Fix CVE-2018-12714 (rhbz 1595835 1595837)
+
 * Tue Jun 26 2018 Jeremy Cline <jcline@redhat.com> - 4.17.3-100
 - Linux v4.17.3
 - Don't log an error if RTC_NVMEM isn't enabled (rhbz 1568276)