diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-01-08 15:05:53 +0100 |
---|---|---|
committer | Paul Vaduva <Paul.Vaduva@enea.com> | 2016-01-11 12:43:48 +0100 |
commit | 1ab831fc573b2a6db71d41fe0f0e47b643cbc863 (patch) | |
tree | c59476c9e01c12ff20369bda261ed69b06b3566a | |
parent | 0b64cd33374cca4353872ccc0b17531176c0d696 (diff) | |
download | meta-enea-1ab831fc573b2a6db71d41fe0f0e47b643cbc863.tar.gz |
splice-CVE-2014-7822
Fixes lack of generic write checks.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7822
Upstrem fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=b292fc7723b66d9796ae550b284223d95019ac44
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Vaduva <Paul.Vaduva@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/splice-CVE-2014-7822-3.14-kernel.patch | 78 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 |
2 files changed, 79 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/splice-CVE-2014-7822-3.14-kernel.patch b/recipes-kernel/linux/files/splice-CVE-2014-7822-3.14-kernel.patch new file mode 100644 index 0000000..e84da04 --- /dev/null +++ b/recipes-kernel/linux/files/splice-CVE-2014-7822-3.14-kernel.patch | |||
@@ -0,0 +1,78 @@ | |||
1 | From b292fc7723b66d9796ae550b284223d95019ac44 Mon Sep 17 00:00:00 2001 | ||
2 | From: Ben Hutchings <ben@decadent.org.uk> | ||
3 | Date: Thu, 29 Jan 2015 02:50:33 +0000 | ||
4 | Subject: splice: Apply generic position and size checks to each write | ||
5 | |||
6 | commit 894c6350eaad7e613ae267504014a456e00a3e2a from the 3.2-stable branch. | ||
7 | |||
8 | We need to check the position and size of file writes against various | ||
9 | limits, using generic_write_check(). This was not being done for | ||
10 | the splice write path. It was fixed upstream by commit 8d0207652cbe | ||
11 | ("->splice_write() via ->write_iter()") but we can't apply that. | ||
12 | |||
13 | CVE-2014-7822 | ||
14 | Upstream-Status: Backport | ||
15 | |||
16 | Signed-off-by: Ben Hutchings <ben@decadent.org.uk> | ||
17 | Cc: Vinson Lee <vlee@twopensource.com> | ||
18 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
19 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
20 | --- | ||
21 | fs/ocfs2/file.c | 8 ++++++-- | ||
22 | fs/splice.c | 8 ++++++-- | ||
23 | 2 files changed, 12 insertions(+), 4 deletions(-) | ||
24 | |||
25 | diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c | ||
26 | index 7fe30f6..35f54bc 100644 | ||
27 | --- a/fs/ocfs2/file.c | ||
28 | +++ b/fs/ocfs2/file.c | ||
29 | @@ -2478,9 +2478,7 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe, | ||
30 | struct address_space *mapping = out->f_mapping; | ||
31 | struct inode *inode = mapping->host; | ||
32 | struct splice_desc sd = { | ||
33 | - .total_len = len, | ||
34 | .flags = flags, | ||
35 | - .pos = *ppos, | ||
36 | .u.file = out, | ||
37 | }; | ||
38 | |||
39 | @@ -2490,6 +2488,12 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe, | ||
40 | out->f_path.dentry->d_name.len, | ||
41 | out->f_path.dentry->d_name.name, len); | ||
42 | |||
43 | + ret = generic_write_checks(out, ppos, &len, 0); | ||
44 | + if (ret) | ||
45 | + return ret; | ||
46 | + sd.total_len = len; | ||
47 | + sd.pos = *ppos; | ||
48 | + | ||
49 | pipe_lock(pipe); | ||
50 | |||
51 | splice_from_pipe_begin(&sd); | ||
52 | diff --git a/fs/splice.c b/fs/splice.c | ||
53 | index 12028fa..f345d53 100644 | ||
54 | --- a/fs/splice.c | ||
55 | +++ b/fs/splice.c | ||
56 | @@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out, | ||
57 | struct address_space *mapping = out->f_mapping; | ||
58 | struct inode *inode = mapping->host; | ||
59 | struct splice_desc sd = { | ||
60 | - .total_len = len, | ||
61 | .flags = flags, | ||
62 | - .pos = *ppos, | ||
63 | .u.file = out, | ||
64 | }; | ||
65 | ssize_t ret; | ||
66 | |||
67 | + ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode)); | ||
68 | + if (ret) | ||
69 | + return ret; | ||
70 | + sd.total_len = len; | ||
71 | + sd.pos = *ppos; | ||
72 | + | ||
73 | pipe_lock(pipe); | ||
74 | |||
75 | splice_from_pipe_begin(&sd); | ||
76 | -- | ||
77 | cgit v0.11.2 | ||
78 | |||
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend index 56b8288..0f6b5f1 100644 --- a/recipes-kernel/linux/linux-yocto_3.14.bbappend +++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend | |||
@@ -1,6 +1,7 @@ | |||
1 | FILESEXTRAPATHS_prepend := "${THISDIR}/files:" | 1 | FILESEXTRAPATHS_prepend := "${THISDIR}/files:" |
2 | 2 | ||
3 | SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \ | 3 | SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \ |
4 | file://splice-CVE-2014-7822-3.14-kernel.patch \ | ||
4 | file://keys-CVE-2015-1333.patch \ | 5 | file://keys-CVE-2015-1333.patch \ |
5 | file://udp_fix_behavior_of_wrong_checksums.patch \ | 6 | file://udp_fix_behavior_of_wrong_checksums.patch \ |
6 | file://net-CVE-2015-2041.patch \ | 7 | file://net-CVE-2015-2041.patch \ |