From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 8 Mar 2019 12:45:08 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v5.0.1~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=207f07a3f6c38e1dd95a5400f66e0580d0a64039;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	exec-fix-mem-leak-in-kernel_read_file.patch
---

diff --git a/queue-4.9/exec-fix-mem-leak-in-kernel_read_file.patch b/queue-4.9/exec-fix-mem-leak-in-kernel_read_file.patch
new file mode 100644
index 00000000000..35870814753
--- /dev/null
+++ b/queue-4.9/exec-fix-mem-leak-in-kernel_read_file.patch
@@ -0,0 +1,51 @@
+From f612acfae86af7ecad754ae6a46019be9da05b8e Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 19 Feb 2019 10:10:38 +0800
+Subject: exec: Fix mem leak in kernel_read_file
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit f612acfae86af7ecad754ae6a46019be9da05b8e upstream.
+
+syzkaller report this:
+BUG: memory leak
+unreferenced object 0xffffc9000488d000 (size 9195520):
+  comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
+  hex dump (first 32 bytes):
+    ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00  ................
+    02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff  ..........z.....
+  backtrace:
+    [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
+    [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
+    [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
+    [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
+    [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
+    [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
+    [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+    [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+    [<00000000241f889b>] 0xffffffffffffffff
+
+It should goto 'out_free' lable to free allocated buf while kernel_read
+fails.
+
+Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Thibaut Sautereau <thibaut@sautereau.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/exec.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -938,7 +938,7 @@ int kernel_read_file(struct file *file,
+ 				    i_size - pos);
+ 		if (bytes < 0) {
+ 			ret = bytes;
+-			goto out;
++			goto out_free;
+ 		}
+ 
+ 		if (bytes == 0)
diff --git a/queue-4.9/series b/queue-4.9/series
index 88c6296e66a..4d0a8afdd6d 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -30,3 +30,4 @@ applicom-fix-potential-spectre-v1-vulnerabilities.patch
 mips-irq-allocate-accurate-order-pages-for-irq-stack.patch
 hugetlbfs-fix-races-and-page-leaks-during-migration.patch
 xtensa-fix-get_wchan.patch
+exec-fix-mem-leak-in-kernel_read_file.patch