From 66bb24cffa127f106bb79e25e60aacb61fe63352 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Fri, 21 Sep 2018 08:34:53 +0200
Subject: linux-intel: Fix for CVE-2018-16658

Fix for both linux-intel and linux-intel-rt.

References:
https://github.com/nluedtke/linux_kernel_cves/blob/master/4.14/4.14_security.txt
https://nvd.nist.gov/vuln/detail/CVE-2018-16658

Change-Id: Icaa55f0e2167ee5a72b253bae4cb00d5708d66d1
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
 recipes-kernel/linux/linux-intel-rt_4.14.bbappend  |  1 +
 .../linux/linux-intel/CVE-2018-16658.patch         | 42 ++++++++++++++++++++++
 recipes-kernel/linux/linux-intel_4.14.bbappend     |  7 +++-
 3 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 recipes-kernel/linux/linux-intel/CVE-2018-16658.patch

diff --git a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
index 2b8d8d9..b7934cf 100644
--- a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
+++ b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
@@ -12,6 +12,7 @@ SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=s
                    file://CVE-2018-13094.patch \
                    file://CVE-2018-15572.patch \
                    file://CVE-2018-9363.patch \
+                   file://CVE-2018-16658.patch \
                  "
 
 # Debug tools support
diff --git a/recipes-kernel/linux/linux-intel/CVE-2018-16658.patch b/recipes-kernel/linux/linux-intel/CVE-2018-16658.patch
new file mode 100644
index 0000000..d6dc109
--- /dev/null
+++ b/recipes-kernel/linux/linux-intel/CVE-2018-16658.patch
@@ -0,0 +1,42 @@
+From 73b2e7073b51de0b03ebd15c97dd3ad0c3470810 Mon Sep 17 00:00:00 2001
+From: Scott Bauer <scott.bauer@intel.com>
+Date: Thu, 26 Apr 2018 11:51:08 -0600
+Subject: [PATCH] cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status
+
+commit 8f3fafc9c2f0ece10832c25f7ffcb07c97a32ad4 upstream.
+
+Like d88b6d04: "cdrom: information leak in cdrom_ioctl_media_changed()"
+
+There is another cast from unsigned long to int which causes
+a bounds check to fail with specially crafted input. The value is
+then used as an index in the slot array in cdrom_slot_status().
+
+CVE: CVE-2018-16658
+Upstream-Status: Backport
+
+Signed-off-by: Scott Bauer <scott.bauer@intel.com>
+Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/cdrom/cdrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index bfc566d..8cfa10ab 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2542,7 +2542,7 @@ static int cdrom_ioctl_drive_status(struct cdrom_device_info *cdi,
+ 	if (!CDROM_CAN(CDC_SELECT_DISC) ||
+ 	    (arg == CDSL_CURRENT || arg == CDSL_NONE))
+ 		return cdi->ops->drive_status(cdi, CDSL_CURRENT);
+-	if (((int)arg >= cdi->capacity))
++	if (arg >= cdi->capacity)
+ 		return -EINVAL;
+ 	return cdrom_slot_status(cdi, arg);
+ }
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-intel_4.14.bbappend b/recipes-kernel/linux/linux-intel_4.14.bbappend
index e91f5c1..36e0307 100644
--- a/recipes-kernel/linux/linux-intel_4.14.bbappend
+++ b/recipes-kernel/linux/linux-intel_4.14.bbappend
@@ -1,8 +1,13 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux-intel:"
+
 require recipes-kernel/linux/linux-deploy-kconfig.inc
 
 SRCREV_metaenea = "8a4b6e91f12d927b3b486892c50a4ad2bcdb29d2"
 KENEABRANCH = "intel-4.14"
-SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta"
+SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \
+                   file://CVE-2018-16658.patch \
+                 "
 
 KERNEL_FEATURES_append = " features/x2apic/x2apic.scc"
 
-- 
cgit v1.2.3-54-g00ecf