splice-CVE-2014-7822

Fixes lack of generic write checks.

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7822

Upstrem fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=b292fc7723b66d9796ae550b284223d95019ac44

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Vaduva <Paul.Vaduva@enea.com>

2 files changed, 79 insertions, 0 deletions

diff --git a/recipes-kernel/linux/files/splice-CVE-2014-7822-3.14-kernel.patch b/recipes-kernel/linux/files/splice-CVE-2014-7822-3.14-kernel.patch
new file mode 100644
index 0000000..e84da04
--- /dev/null
+++ b/recipes-kernel/linux/files/splice-CVE-2014-7822-3.14-kernel.patch
@@ -0,0 +1,78 @@
+From b292fc7723b66d9796ae550b284223d95019ac44 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 29 Jan 2015 02:50:33 +0000
+Subject: splice: Apply generic position and size checks to each write
+
+commit 894c6350eaad7e613ae267504014a456e00a3e2a from the 3.2-stable branch.
+
+We need to check the position and size of file writes against various
+limits, using generic_write_check().  This was not being done for
+the splice write path.  It was fixed upstream by commit 8d0207652cbe
+("->splice_write() via ->write_iter()") but we can't apply that.
+
+CVE-2014-7822
+Upstream-Status: Backport
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Vinson Lee <vlee@twopensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/ocfs2/file.c | 8 ++++++--
+ fs/splice.c     | 8 ++++++--
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
+index 7fe30f6..35f54bc 100644
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2478,9 +2478,7 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
+        struct address_space *mapping = out->f_mapping;
+        struct inode *inode = mapping->host;
+        struct splice_desc sd = {
+-               .total_len = len,
+                .flags = flags,
+-               .pos = *ppos,
+                .u.file = out,
+        };
+ 
+@@ -2490,6 +2488,12 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
+                        out->f_path.dentry->d_name.len,
+                        out->f_path.dentry->d_name.name, len);
+ 
++       ret = generic_write_checks(out, ppos, &len, 0);
++       if (ret)
++               return ret;
++       sd.total_len = len;
++       sd.pos = *ppos;
++
+        pipe_lock(pipe);
+ 
+        splice_from_pipe_begin(&sd);
+diff --git a/fs/splice.c b/fs/splice.c
+index 12028fa..f345d53 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
+        struct address_space *mapping = out->f_mapping;
+        struct inode *inode = mapping->host;
+        struct splice_desc sd = {
+-               .total_len = len,
+                .flags = flags,
+-               .pos = *ppos,
+                .u.file = out,
+        };
+        ssize_t ret;
+ 
++       ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
++       if (ret)
++               return ret;
++       sd.total_len = len;
++       sd.pos = *ppos;
++
+        pipe_lock(pipe);
+ 
+        splice_from_pipe_begin(&sd);
+-- 
+cgit v0.11.2
+
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index 56b8288..0f6b5f1 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -1,6 +1,7 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 
 SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \
+            file://splice-CVE-2014-7822-3.14-kernel.patch \
             file://keys-CVE-2015-1333.patch \
             file://udp_fix_behavior_of_wrong_checksums.patch \
             file://net-CVE-2015-2041.patch \