drivers-scsi: CVE-2015-5707

Fixes a bug in the scsi block request handling code in
function start_req().

References:
===========
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5707
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5707
http://www.openwall.com/lists/oss-security/2015/08/01/6

Upstream patch:
===============
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=aba300b9c26f063efcaee374e54264c79a611f22

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>

2 files changed, 46 insertions, 0 deletions

diff --git a/recipes-kernel/linux/linux-qoriq-3.12/drivers-scsi-CVE-2015-5707.patch b/recipes-kernel/linux/linux-qoriq-3.12/drivers-scsi-CVE-2015-5707.patch
new file mode 100644
index 0000000..3b1455f
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq-3.12/drivers-scsi-CVE-2015-5707.patch
@@ -0,0 +1,45 @@
+From aba300b9c26f063efcaee374e54264c79a611f22 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 21 Mar 2015 20:08:18 -0400
+Subject: sg_start_req(): make sure that there's not too many elements in iovec
+
+commit 451a2886b6bf90e2fb378f7c46c655450fb96e81 upstream.
+
+unfortunately, allowing an arbitrary 16bit value means a possibility of
+overflow in the calculation of total number of pages in bio_map_user_iov() -
+we rely on there being no more than PAGE_SIZE members of sum in the
+first loop there.  If that sum wraps around, we end up allocating
+too small array of pointers to pages and it's easy to overflow it in
+the second loop.
+
+Fixes CVE-2015-5707.
+Upstream-Status: Backport
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+[bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit
+ fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't
+ have that function.]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/scsi/sg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index eb81c98..721d839 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -1694,6 +1694,9 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd)
+                        md->from_user = 0;
+        }
+ 
++       if (unlikely(iov_count > UIO_MAXIOV))
++               return -EINVAL;
++
+        if (iov_count) {
+                int len, size = sizeof(struct sg_iovec) * iov_count;
+                struct iovec *iov;
+-- 
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc
index 8e8e1c4..3b4a203 100644
--- a/recipes-kernel/linux/linux-qoriq-common.inc
+++ b/recipes-kernel/linux/linux-qoriq-common.inc
@@ -21,6 +21,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \
     file://virtio-net-CVE-2015-5156.patch \
     file://ipc-CVE-2015-7613.patch \
     file://net-rds-CVE-2015-2042.patch \
+    file://drivers-scsi-CVE-2015-5707.patch \
     "
 
 SRC_URI += "file://cfg/00013-localversion.cfg \