author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-02-09 07:12:43 +0100 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2016-02-10 01:14:24 +0100 |
commit | 743d7ed8232663977b19c0887561a6204bea3e5b (patch) | |
tree | 2371b51ac22a51ef289bda3c4cc88c2faba8a92c | |
parent | 8f34b8efbd344ab53d0757e5a08cbf9778191d9b (diff) | |
download | meta-enea-743d7ed8232663977b19c0887561a6204bea3e5b.tar.gz |
drivers-scsi: CVE-2015-5707
Fixes a bug in the scsi block request handling code in
function start_req().
References:
===========
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5707
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5707
http://www.openwall.com/lists/oss-security/2015/08/01/6
Upstream patch:
===============
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=aba300b9c26f063efcaee374e54264c79a611f22
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r-- | recipes-kernel/linux/linux-qoriq-3.12/drivers-scsi-CVE-2015-5707.patch | 45 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-qoriq-common.inc | 1 |
2 files changed, 46 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-qoriq-3.12/drivers-scsi-CVE-2015-5707.patch b/recipes-kernel/linux/linux-qoriq-3.12/drivers-scsi-CVE-2015-5707.patch new file mode 100644 index 0000000..3b1455f --- /dev/null +++ b/recipes-kernel/linux/linux-qoriq-3.12/drivers-scsi-CVE-2015-5707.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | From aba300b9c26f063efcaee374e54264c79a611f22 Mon Sep 17 00:00:00 2001 | ||
2 | From: Al Viro <viro@zeniv.linux.org.uk> | ||
3 | Date: Sat, 21 Mar 2015 20:08:18 -0400 | ||
4 | Subject: sg_start_req(): make sure that there's not too many elements in iovec | ||
5 | |||
6 | commit 451a2886b6bf90e2fb378f7c46c655450fb96e81 upstream. | ||
7 | |||
8 | unfortunately, allowing an arbitrary 16bit value means a possibility of | ||
9 | overflow in the calculation of total number of pages in bio_map_user_iov() - | ||
10 | we rely on there being no more than PAGE_SIZE members of sum in the | ||
11 | first loop there. If that sum wraps around, we end up allocating | ||
12 | too small array of pointers to pages and it's easy to overflow it in | ||
13 | the second loop. | ||
14 | |||
15 | Fixes CVE-2015-5707. | ||
16 | Upstream-Status: Backport | ||
17 | |||
18 | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> | ||
19 | [bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit | ||
20 | fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't | ||
21 | have that function.] | ||
22 | Signed-off-by: Ben Hutchings <ben@decadent.org.uk> | ||
23 | Signed-off-by: Jiri Slaby <jslaby@suse.cz> | ||
24 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
25 | --- | ||
26 | drivers/scsi/sg.c | 3 +++ | ||
27 | 1 file changed, 3 insertions(+) | ||
28 | |||
29 | diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c | ||
30 | index eb81c98..721d839 100644 | ||
31 | --- a/drivers/scsi/sg.c | ||
32 | +++ b/drivers/scsi/sg.c | ||
33 | @@ -1694,6 +1694,9 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd) | ||
34 | md->from_user = 0; | ||
35 | } | ||
36 | |||
37 | + if (unlikely(iov_count > UIO_MAXIOV)) | ||
38 | + return -EINVAL; | ||
39 | + | ||
40 | if (iov_count) { | ||
41 | int len, size = sizeof(struct sg_iovec) * iov_count; | ||
42 | struct iovec *iov; | ||
43 | -- | ||
44 | cgit v0.12 | ||
45 | |||
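Review bot: the early `return -EINVAL` added at lines 37-38 of the embedded patch sits after code in sg_start_req() that the three context lines here do not show, so please confirm against the linux-qoriq 3.12 copy of drivers/scsi/sg.c that nothing set up earlier in the function is left unreleased on this path, or that the caller cleans up on a non-zero return. It is also worth checking that the `@@ -1694,6 +1694,9 @@` offsets, which come from the stable tree the file was taken from, apply to this kernel without fuzz. On the documentation side, the header carries both `From aba300b9c26f...` and `commit 451a2886b6bf... upstream.`; writing the tag as `Upstream-Status: Backport [linux-stable aba300b9c26f]` would record which of the two this file was copied from.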
diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc index 8e8e1c4..3b4a203 100644 --- a/recipes-kernel/linux/linux-qoriq-common.inc +++ b/recipes-kernel/linux/linux-qoriq-common.inc | |||
@@ -21,6 +21,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \ | |||
21 | file://virtio-net-CVE-2015-5156.patch \ | 21 | file://virtio-net-CVE-2015-5156.patch \ |
22 | file://ipc-CVE-2015-7613.patch \ | 22 | file://ipc-CVE-2015-7613.patch \ |
23 | file://net-rds-CVE-2015-2042.patch \ | 23 | file://net-rds-CVE-2015-2042.patch \ |
24 | file://drivers-scsi-CVE-2015-5707.patch \ | ||
24 | " | 25 | " |
25 | 26 | ||
26 | SRC_URI += "file://cfg/00013-localversion.cfg \ | 27 | SRC_URI += "file://cfg/00013-localversion.cfg \ |
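Review bot: the new `file://drivers-scsi-CVE-2015-5707.patch \` entry goes into linux-qoriq-common.inc, while the patch file itself is added only under recipes-kernel/linux/linux-qoriq-3.12/. If any kernel recipe other than the 3.12 one includes this .inc, it will either fail to find the file or try to apply a patch whose offsets were taken from a different source tree. The neighbouring CVE entries follow the same pattern, so this may already be known to be safe, but please confirm which recipes pull in the common .inc, or move the entry to the version-specific recipe.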