From 867b652db42ff8fa41b3c25e7ef9df48003ea4eb Mon Sep 17 00:00:00 2001 From: Joe Lawrence Date: Tue, 6 Jul 2021 13:18:41 -0400 Subject: [PATCH] seq_files: kpatch fix for CVE-2021-33909 Kernels: 4.18.0-305.el8 4.18.0-305.3.1.el8_4 4.18.0-305.7.1.el8_4 Changes since last build: [x86_64]: seq_file.o: changed function: seq_read seq_file.o: changed function: single_open_size seq_file.o: changed function: traverse [ppc64le]: seq_file.o: changed function: seq_read seq_file.o: changed function: single_open_size seq_file.o: changed function: traverse.part.4 --------------------------- Kernels: 4.18.0-305.el8 4.18.0-305.3.1.el8_4 4.18.0-305.7.1.el8_4 Modifications: none commit 217fcaff73c6916b817280df9310852192026615 Author: Ian Kent Date: Thu Jul 1 08:10:39 2021 +0800 seq_file: Disallow extremely large seq buffer allocations Bugzilla: https://bugzilla.redhat.com/1975181 CVE: CVE-2021-33909 Y-Commit: 61d17175cddbac1f305c2704b336c9119b71bbfe O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1975182 Brew build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37831839 Testing: The patch has been tested by Qualys and it has been confirmed the patch fixes the problem. Upstream status: RHEL only (CVE-2021-33909) Author: Eric Sandeen seq_file: Disallow extremely large seq buffer allocations There is no reasonable need for a buffer larger than this, and it avoids int overflow pitfalls. Suggested-by: Al Viro Signed-off-by: Eric Sandeen Signed-off-by: Ian Kent Signed-off-by: Frantisek Hrbata Signed-off-by: Joe Lawrence Acked-by: Yannick Cote Acked-by: Artem Savkov --- fs/seq_file.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/seq_file.c b/fs/seq_file.c index 1600034a929bb1..c19ecc1f2d5023 100644 --- a/fs/seq_file.c +++ b/fs/seq_file.c @@ -29,6 +29,9 @@ static void seq_set_overflow(struct seq_file *m) static void *seq_buf_alloc(unsigned long size) { + if (unlikely(size > MAX_RW_COUNT)) + return NULL; + return kvmalloc(size, GFP_KERNEL_ACCOUNT); } -- 2.26.3
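Review bot: in the seq_buf_alloc() hunk of fs/seq_file.c, the new `if (unlikely(size > MAX_RW_COUNT))` check carries no comment explaining why MAX_RW_COUNT is the ceiling. The rationale exists only in the commit message ("no reasonable need for a buffer larger than this, and it avoids int overflow pitfalls"), so a short comment above the check would keep it with the code. The rejected case also returns NULL, the same value a failed kvmalloc() would produce, so callers cannot tell an oversized request from memory exhaustion. The callers are not visible in this diff. The build summary lists seq_read, single_open_size and traverse (traverse.part.4 on ppc64le) as the changed functions, so those are the paths to confirm handle a NULL return from seq_buf_alloc() cleanly on each of the three listed kernels.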