author Thomas Bogendoerfer <tbogendoerfer@suse.de> 2019-07-30 13:23:38 +0200
committer Thomas Bogendoerfer <tbogendoerfer@suse.de> 2019-07-30 13:23:38 +0200
commit 1773cb431c16cf5c3eaa57cb09b7f30b8288974f (patch)
tree 42324d7f00393252f1ce2779d4262cc231e0637b
parent 64567831de1562f59df1d99c298cb9be133c39e6 (diff)
IB/mlx5: Fix leaking stack memory to userspace (bsc#1143045
CVE-2018-20855).
-rw-r--r-- patches.fixes/IB-mlx5-Fix-leaking-stack-memory-to-userspace.patch 30
-rw-r--r-- series.conf 1
2 files changed, 31 insertions, 0 deletions
diff --git a/patches.fixes/IB-mlx5-Fix-leaking-stack-memory-to-userspace.patch b/patches.fixes/IB-mlx5-Fix-leaking-stack-memory-to-userspace.patch
new file mode 100644
index 0000000000..b9702b9a5b
--- /dev/null
+++ b/patches.fixes/IB-mlx5-Fix-leaking-stack-memory-to-userspace.patch
@@ -0,0 +1,30 @@
+From: Jason Gunthorpe <jgg@mellanox.com>
+Date: Tue, 14 Aug 2018 15:33:52 -0600
+Subject: IB/mlx5: Fix leaking stack memory to userspace
+Patch-mainline: v4.19-rc1
+Git-commit: 0625b4ba1a5d4703c7fb01c497bd6c156908af00
+References: bsc#1143045 CVE-2018-20855
+
+mlx5_ib_create_qp_resp was never initialized and only the first 4 bytes
+were written.
+
+Fixes: 41d902cb7c32 ("RDMA/mlx5: Fix definition of mlx5_ib_create_qp_resp")
+Cc: <stable@vger.kernel.org>
+Acked-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+---
+ drivers/infiniband/hw/mlx5/qp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -1524,7 +1524,7 @@ static int create_qp_common(struct mlx5_
+ struct mlx5_ib_resources *devr = &dev->devr;
+ int inlen = MLX5_ST_SZ_BYTES(create_qp_in);
+ struct mlx5_core_dev *mdev = dev->mdev;
+- struct mlx5_ib_create_qp_resp resp;
++ struct mlx5_ib_create_qp_resp resp = {};
+ struct mlx5_ib_cq *send_cq;
+ struct mlx5_ib_cq *recv_cq;
+ unsigned long flags;
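Review bot: The `resp = {}` initializer added in create_qp_common() zeroes the named members, but C does not promise that an empty-brace initializer also clears padding bytes, so if struct mlx5_ib_create_qp_resp has any padding the copy to userspace could still carry stack contents. An explicit memset(&resp, 0, sizeof(resp)) before the first write would make the guarantee independent of the struct layout. The description would also be easier to audit if it gave the size of the struct and named the call that copies it out, since it only says that "the first 4 bytes were written".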
diff --git a/series.conf b/series.conf
index 78d45c6635..4b9b6ff314 100644
--- a/series.conf
+++ b/series.conf
@@ -18738,6 +18738,7 @@
patches.drivers/rdma-cxgb4-Remove-a-set-but-not-used-variable.patch
patches.drivers/IB-IPoIB-Set-ah-valid-flag-in-multicast-send-flow.patch
patches.drivers/rdma-cxgb4-fix-some-info-leaks.patch
+ patches.fixes/IB-mlx5-Fix-leaking-stack-memory-to-userspace.patch
patches.fixes/dax-remove-VM_MIXEDMAP-for-fsdax-and-device-dax.patch
patches.fixes/fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_.patch
patches.suse/mm-page_alloc-double-zone-s-batchsize.patch
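Review bot: The new series.conf entry is filed under patches.fixes/ although the change touches a driver file (drivers/infiniband/hw/mlx5/qp.c) and the neighbouring RDMA info-leak fix, rdma-cxgb4-fix-some-info-leaks.patch, sits under patches.drivers/. Either move the patch to patches.drivers/ for consistency or note why patches.fixes/ was chosen. It is also worth confirming that the position between the cxgb4 entry and the dax entry matches the ordering series.conf expects for Git-commit 0625b4ba1a5d (Patch-mainline v4.19-rc1).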