Fix CVE-2018-7757 (rhbz 1553361 1553363)

0001-scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_event.patch

@@ -0,0 +1,40 @@
+From 4a491b1ab11ca0556d2fda1ff1301e862a2d44c4 Mon Sep 17 00:00:00 2001
+From: Jason Yan <yanaijie@huawei.com>
+Date: Thu, 4 Jan 2018 21:04:31 +0800
+Subject: [PATCH] scsi: libsas: fix memory leak in sas_smp_get_phy_events()
+
+We've got a memory leak with the following producer:
+
+while true;
+do cat /sys/class/sas_phy/phy-1:0:12/invalid_dword_count >/dev/null;
+done
+
+The buffer req is allocated and not freed after we return. Fix it.
+
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+CC: John Garry <john.garry@huawei.com>
+CC: chenqilin <chenqilin2@huawei.com>
+CC: chenxiang <chenxiang66@hisilicon.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+---
+ drivers/scsi/libsas/sas_expander.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index ca1566237ae7..1de59c0fdbc0 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -695,6 +695,7 @@ int sas_smp_get_phy_events(struct sas_phy *phy)
+ 	phy->phy_reset_problem_count = scsi_to_u32(&resp[24]);
+
+  out:
++	kfree(req);
+ 	kfree(resp);
+ 	return res;
+
+-- 
+2.14.3
+

kernel.spec

@@ -642,6 +642,9 @@ Patch656: 0001-sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch
 # rhbz 1549316
 Patch657: ipmi-fixes.patch
 
+# CVE-2018-7757 rhbz 1553361 1553363
+Patch658: 0001-scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_event.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1940,6 +1943,9 @@ fi
 #
 #
 %changelog
+* Thu Mar 08 2018 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2018-7757 (rhbz 1553361 1553363)
+
 * Tue Mar 06 2018 Laura Abbott <labbott@redhat.com>
 - Fixes for IPMI crash (rbhz 1549316)