kernel/drivers/ppp: CVE-2015-8569

Fixes an out-of-bounds flaw in the kernel where the length of the
sockaddr parameter was not checked in the pptp_bind() and pptp_connect()
functions. A local system user could exploit this flaw to bypass
kernel ASLR or leak other information.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8569
Upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=d470ffbe3fe914d176ced4cf330a297c523c5711

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Nora Björklund <nora.bjorklund@enea.com>

2 files changed, 47 insertions, 0 deletions

diff --git a/recipes-kernel/linux/linux-ls1/ppp-CVE-2015-8569.patch b/recipes-kernel/linux/linux-ls1/ppp-CVE-2015-8569.patch
new file mode 100644
index 0000000..2593ce6
--- /dev/null
+++ b/recipes-kernel/linux/linux-ls1/ppp-CVE-2015-8569.patch
@@ -0,0 +1,46 @@
+From d470ffbe3fe914d176ced4cf330a297c523c5711 Mon Sep 17 00:00:00 2001
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Mon, 14 Dec 2015 13:48:36 -0800
+Subject: pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
+
+[ Upstream commit 09ccfd238e5a0e670d8178cf50180ea81ae09ae1 ]
+
+CVE: CVE-2015-8569
+Upstream-Status: Backport
+
+Reported-by: Dmitry Vyukov <dvyukov@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/net/ppp/pptp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
+index 1dc628f..0710214 100644
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -420,6 +420,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr,
+        struct pptp_opt *opt = &po->proto.pptp;
+        int error = 0;
+ 
++       if (sockaddr_len < sizeof(struct sockaddr_pppox))
++               return -EINVAL;
++
+        lock_sock(sk);
+ 
+        opt->src_addr = sp->sa_addr.pptp;
+@@ -441,6 +444,9 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr,
+        struct flowi4 fl4;
+        int error = 0;
+ 
++       if (sockaddr_len < sizeof(struct sockaddr_pppox))
++               return -EINVAL;
++
+        if (sp->sa_protocol != PX_PROTO_PPTP)
+                return -EINVAL;
+ 
+-- 
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-ls1_3.12.bbappend b/recipes-kernel/linux/linux-ls1_3.12.bbappend
index e0c7a91..0214dda 100644
--- a/recipes-kernel/linux/linux-ls1_3.12.bbappend
+++ b/recipes-kernel/linux/linux-ls1_3.12.bbappend
@@ -5,6 +5,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 SRC_URI += "file://ls1021aiot.dts \
             file://0001-fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_f.patch \
             file://0002-watchdog-fix-errata-err004346.patch \
+            file://ppp-CVE-2015-8569.patch \
            "
 
 # fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch"