|
|
e91b83 |
From 867b652db42ff8fa41b3c25e7ef9df48003ea4eb Mon Sep 17 00:00:00 2001
|
|
|
e91b83 |
From: Joe Lawrence <joe.lawrence@redhat.com>
|
|
|
e91b83 |
Date: Tue, 6 Jul 2021 13:18:41 -0400
|
|
|
e91b83 |
Subject: [PATCH] seq_files: kpatch fix for CVE-2021-33909
|
|
|
e91b83 |
|
|
|
e91b83 |
Kernels:
|
|
|
e91b83 |
4.18.0-305.el8
|
|
|
e91b83 |
4.18.0-305.3.1.el8_4
|
|
|
e91b83 |
4.18.0-305.7.1.el8_4
|
|
|
e91b83 |
|
|
|
e91b83 |
Changes since last build:
|
|
|
e91b83 |
[x86_64]:
|
|
|
e91b83 |
seq_file.o: changed function: seq_read
|
|
|
e91b83 |
seq_file.o: changed function: single_open_size
|
|
|
e91b83 |
seq_file.o: changed function: traverse
|
|
|
e91b83 |
|
|
|
e91b83 |
[ppc64le]:
|
|
|
e91b83 |
seq_file.o: changed function: seq_read
|
|
|
e91b83 |
seq_file.o: changed function: single_open_size
|
|
|
e91b83 |
seq_file.o: changed function: traverse.part.4
|
|
|
e91b83 |
|
|
|
e91b83 |
---------------------------
|
|
|
e91b83 |
|
|
|
e91b83 |
Kernels:
|
|
|
e91b83 |
4.18.0-305.el8
|
|
|
e91b83 |
4.18.0-305.3.1.el8_4
|
|
|
e91b83 |
4.18.0-305.7.1.el8_4
|
|
|
e91b83 |
|
|
|
e91b83 |
Modifications: none
|
|
|
e91b83 |
|
|
|
e91b83 |
commit 217fcaff73c6916b817280df9310852192026615
|
|
|
e91b83 |
Author: Ian Kent <ikent@redhat.com>
|
|
|
e91b83 |
Date: Thu Jul 1 08:10:39 2021 +0800
|
|
|
e91b83 |
|
|
|
e91b83 |
seq_file: Disallow extremely large seq buffer allocations
|
|
|
e91b83 |
|
|
|
e91b83 |
Bugzilla: https://bugzilla.redhat.com/1975181
|
|
|
e91b83 |
CVE: CVE-2021-33909
|
|
|
e91b83 |
Y-Commit: 61d17175cddbac1f305c2704b336c9119b71bbfe
|
|
|
e91b83 |
|
|
|
e91b83 |
O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1975182
|
|
|
e91b83 |
Brew build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37831839
|
|
|
e91b83 |
Testing: The patch has been tested by Qualys and it has been
|
|
|
e91b83 |
confirmed the patch fixes the problem.
|
|
|
e91b83 |
Upstream status: RHEL only (CVE-2021-33909)
|
|
|
e91b83 |
|
|
|
e91b83 |
Author: Eric Sandeen <sandeen@redhat.com>
|
|
|
e91b83 |
|
|
|
e91b83 |
seq_file: Disallow extremely large seq buffer allocations
|
|
|
e91b83 |
|
|
|
e91b83 |
There is no reasonable need for a buffer larger than this,
|
|
|
e91b83 |
and it avoids int overflow pitfalls.
|
|
|
e91b83 |
|
|
|
e91b83 |
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
|
|
|
e91b83 |
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
|
|
|
e91b83 |
|
|
|
e91b83 |
Signed-off-by: Ian Kent <ikent@redhat.com>
|
|
|
e91b83 |
Signed-off-by: Frantisek Hrbata <fhrbata@redhat.com>
|
|
|
e91b83 |
|
|
|
e91b83 |
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
|
|
|
e91b83 |
Acked-by: Yannick Cote <ycote@redhat.com>
|
|
|
e91b83 |
Acked-by: Artem Savkov <asavkov@redhat.com>
|
|
|
e91b83 |
---
|
|
|
e91b83 |
fs/seq_file.c | 3 +++
|
|
|
e91b83 |
1 file changed, 3 insertions(+)
|
|
|
e91b83 |
|
|
|
e91b83 |
diff --git a/fs/seq_file.c b/fs/seq_file.c
|
|
|
e91b83 |
index 1600034a929bb1..c19ecc1f2d5023 100644
|
|
|
e91b83 |
--- a/fs/seq_file.c
|
|
|
e91b83 |
+++ b/fs/seq_file.c
|
|
|
e91b83 |
@@ -29,6 +29,9 @@ static void seq_set_overflow(struct seq_file *m)
|
|
|
e91b83 |
|
|
|
e91b83 |
static void *seq_buf_alloc(unsigned long size)
|
|
|
e91b83 |
{
|
|
|
e91b83 |
+ if (unlikely(size > MAX_RW_COUNT))
|
|
|
e91b83 |
+ return NULL;
|
|
|
e91b83 |
+
|
|
|
e91b83 |
return kvmalloc(size, GFP_KERNEL_ACCOUNT);
|
|
|
e91b83 |
}
|
|
|
e91b83 |
|
|
|
e91b83 |
--
|
|
|
e91b83 |
2.26.3
|
|
|
e91b83 |
|