Fix CVE-2018-12714 (rhbz 1595835 1595837)
This commit is contained in:
parent
4342af80cf
commit
cbe47dcd6f
|
@ -0,0 +1,64 @@
|
|||
From 70303420b5721c38998cf987e6b7d30cc62d4ff1 Mon Sep 17 00:00:00 2001
|
||||
From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
|
||||
Date: Thu, 21 Jun 2018 13:20:53 -0400
|
||||
Subject: [PATCH] tracing: Check for no filter when processing event filters
|
||||
|
||||
The syzkaller detected a out-of-bounds issue with the events filter code,
|
||||
specifically here:
|
||||
|
||||
prog[N].pred = NULL; /* #13 */
|
||||
prog[N].target = 1; /* TRUE */
|
||||
prog[N+1].pred = NULL;
|
||||
prog[N+1].target = 0; /* FALSE */
|
||||
-> prog[N-1].target = N;
|
||||
prog[N-1].when_to_branch = false;
|
||||
|
||||
As that's the first reference to a "N-1" index, it appears that the code got
|
||||
here with N = 0, which means the filter parser found no filter to parse
|
||||
(which shouldn't ever happen, but apparently it did).
|
||||
|
||||
Add a new error to the parsing code that will check to make sure that N is
|
||||
not zero before going into this part of the code. If N = 0, then -EINVAL is
|
||||
returned, and a error message is added to the filter.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster")
|
||||
Reported-by: air icy <icytxw@gmail.com>
|
||||
bugzilla url: https://bugzilla.kernel.org/show_bug.cgi?id=200019
|
||||
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
|
||||
Signed-off-by: Jeremy Cline <jcline@redhat.com>
|
||||
---
|
||||
kernel/trace/trace_events_filter.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
|
||||
index e1c818dbc0d7..0dceb77d1d42 100644
|
||||
--- a/kernel/trace/trace_events_filter.c
|
||||
+++ b/kernel/trace/trace_events_filter.c
|
||||
@@ -78,7 +78,8 @@ static const char * ops[] = { OPS };
|
||||
C(TOO_MANY_PREDS, "Too many terms in predicate expression"), \
|
||||
C(INVALID_FILTER, "Meaningless filter expression"), \
|
||||
C(IP_FIELD_ONLY, "Only 'ip' field is supported for function trace"), \
|
||||
- C(INVALID_VALUE, "Invalid value (did you forget quotes)?"),
|
||||
+ C(INVALID_VALUE, "Invalid value (did you forget quotes)?"), \
|
||||
+ C(NO_FILTER, "No filter found"),
|
||||
|
||||
#undef C
|
||||
#define C(a, b) FILT_ERR_##a
|
||||
@@ -550,6 +551,13 @@ predicate_parse(const char *str, int nr_parens, int nr_preds,
|
||||
goto out_free;
|
||||
}
|
||||
|
||||
+ if (!N) {
|
||||
+ /* No program? */
|
||||
+ ret = -EINVAL;
|
||||
+ parse_error(pe, FILT_ERR_NO_FILTER, ptr - str);
|
||||
+ goto out_free;
|
||||
+ }
|
||||
+
|
||||
prog[N].pred = NULL; /* #13 */
|
||||
prog[N].target = 1; /* TRUE */
|
||||
prog[N+1].pred = NULL;
|
||||
--
|
||||
2.17.1
|
||||
|
|
@ -657,6 +657,9 @@ Patch514: 0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch
|
|||
# rhbz 1591516
|
||||
Patch515: 0001-signal-Stop-special-casing-TRAP_FIXME-and-FPE_FIXME-.patch
|
||||
|
||||
# CVE-2018-12714 rhbz 1595835 1595837
|
||||
Patch516: CVE-2018-12714.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1906,6 +1909,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu Jun 28 2018 Jeremy Cline <jeremy@jcline.org>
|
||||
- Fix CVE-2018-12714 (rhbz 1595835 1595837)
|
||||
|
||||
* Tue Jun 26 2018 Jeremy Cline <jcline@redhat.com> - 4.17.3-100
|
||||
- Linux v4.17.3
|
||||
- Don't log an error if RTC_NVMEM isn't enabled (rhbz 1568276)
|
||||
|
|
Loading…
Reference in New Issue