From: Greg Kroah-Hartman Date: Wed, 22 Nov 2017 09:30:36 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v3.18.84~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d6057a2923097303a3051d8689f7dfb5f47a9cc1;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: coda-fix-kernel-memory-exposure-attempt-in-fsync.patch --- diff --git a/queue-3.18/coda-fix-kernel-memory-exposure-attempt-in-fsync.patch b/queue-3.18/coda-fix-kernel-memory-exposure-attempt-in-fsync.patch new file mode 100644 index 00000000000..adf3024c955 --- /dev/null +++ b/queue-3.18/coda-fix-kernel-memory-exposure-attempt-in-fsync.patch 
@@ -0,0 +1,41 @@ +From d337b66a4c52c7b04eec661d86c2ef6e168965a2 Mon Sep 17 00:00:00 2001 +From: Jan Harkes +Date: Wed, 27 Sep 2017 15:52:12 -0400 +Subject: coda: fix 'kernel memory exposure attempt' in fsync + +From: Jan Harkes + +commit d337b66a4c52c7b04eec661d86c2ef6e168965a2 upstream. + +When an application called fsync on a file in Coda a small request with +just the file identifier was allocated, but the declared length was set +to the size of union of all possible upcall requests. + +This bug has been around for a very long time and is now caught by the +extra checking in usercopy that was introduced in Linux-4.8. + +The exposure happens when the Coda cache manager process reads the fsync +upcall request at which point it is killed. As a result there is nobody +servicing any further upcalls, trapping any processes that try to access +the mounted Coda filesystem. + +Signed-off-by: Jan Harkes +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/coda/upcall.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/coda/upcall.c ++++ b/fs/coda/upcall.c +@@ -446,8 +446,7 @@ int venus_fsync(struct super_block *sb, + UPARG(CODA_FSYNC); + + inp->coda_fsync.VFid = *fid; +- error = coda_upcall(coda_vcp(sb), sizeof(union inputArgs), +- &outsize, inp); ++ error = coda_upcall(coda_vcp(sb), insize, &outsize, inp); + + CODA_FREE(inp, insize); + return error; diff --git a/queue-3.18/series b/queue-3.18/series index 198c38672f0..74e1c8ac131 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -9,3 +9,4 @@ vlan-fix-a-use-after-free-in-vlan_device_event.patch ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch ocfs2-should-wait-dio-before-inode-lock-in-ocfs2_setattr.patch ipmi-fix-unsigned-long-underflow.patch +coda-fix-kernel-memory-exposure-attempt-in-fsync.patch
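Review bot: in the venus_fsync hunk, passing insize to coda_upcall() is the right length, since UPARG(CODA_FSYNC) is what sized the allocation and the same insize is already used for CODA_FREE(inp, insize) two lines later, so the declared request length and the buffer length now agree and nothing between UPARG and the upcall changes insize. One caveat for this 3.18 backport that the changelog does not spell out: the commit message says the bug "is now caught by the extra checking in usercopy that was introduced in Linux-4.8", but 3.18 has no hardened usercopy, so on this branch the oversized sizeof(union inputArgs) length is not detected and the caller killed; it is honoured when the cache manager reads the request, which means bytes beyond the small fsync allocation are copied out to that process. That makes the backport worthwhile here as a kernel memory disclosure fix rather than the denial-of-service described upstream, and the stable queue entry could say so. It is also worth checking the other venus_*() callers in fs/coda/upcall.c for the same sizeof(union inputArgs) pattern, since the hunk only touches venus_fsync and nothing in this patch shows whether they are affected.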