kernel-fs: CVE-2015-5706

Fixes double fput(). References: =========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5706 CVE assignment: http://seclists.org/oss-sec/2015/q3/270 Upstream/original fix: ====================== https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=88b4f377466cb673777d27693acf70108a908106 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-12-29 10:00:18 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2015-12-29 23:26:20 +0100
commit: af15989919f43e13e027fb698f5fefe4c73eb8de (patch)
tree: 841e5d7c733164d64ef4c979521db4af7b4bf51f
parent: 6139644280195f8fb7d59b713f3d226a84b21665 (diff)
download: meta-enea-af15989919f43e13e027fb698f5fefe4c73eb8de.tar.gz
2 files changed, 46 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/fs-CVE-2015-5706.patch b/recipes-kernel/linux/files/fs-CVE-2015-5706.patch
new file mode 100644
index 0000000..ef1951f
--- /dev/null
+++ b/recipes-kernel/linux/files/fs-CVE-2015-5706.patch
@@ -0,0 +1,45 @@
+From 88b4f377466cb673777d27693acf70108a908106 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 8 May 2015 22:53:15 -0400
+Subject: path_openat(): fix double fput()
+commit f15133df088ecadd141ea1907f2c96df67c729f0 upstream.
+path_openat() jumps to the wrong place after do_tmpfile() - it has
+already done path_cleanup() (as part of path_lookupat() called by
+do_tmpfile()), so doing that again can lead to double fput().
+Fixes CVE-2015-5706.
+Upstream-Status: Backport
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/namei.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/fs/namei.c b/fs/namei.c
+index ccb8000..c6fa079 100644
+--- a/fs/namei.c
+++ b/fs/namei.c
+@@ -3171,7 +3171,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+ 
+        if (unlikely(file->f_flags & __O_TMPFILE)) {
+                error = do_tmpfile(dfd, pathname, nd, flags, op, file, &opened);
+-               goto out;
+               goto out2;
+        }
+ 
+        error = path_init(dfd, pathname->name, flags | LOOKUP_PARENT, nd, &base);
+@@ -3209,6 +3209,7 @@ out:
+                path_put(&nd->root);
+        if (base)
+                fput(base);
+out2:
+        if (!(opened & FILE_OPENED)) {
+                BUG_ON(!error);
+                put_filp(file);
+-- 
+cgit v0.11.2
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index 001026f..7078d4e 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -7,4 +7,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
            file://IB-uverbs-CVE-2014-8159.patch \
            file://net-sctp-CVE-2015-1421.patch \
            file://fs-CVE-2015-3339.patch \
+            file://fs-CVE-2015-5706.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-12-29 10:00:18 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2015-12-29 23:26:20 +0100
commit	af15989919f43e13e027fb698f5fefe4c73eb8de (patch)
tree	841e5d7c733164d64ef4c979521db4af7b4bf51f
parent	6139644280195f8fb7d59b713f3d226a84b21665 (diff)
download	meta-enea-af15989919f43e13e027fb698f5fefe4c73eb8de.tar.gz

diff --git a/recipes-kernel/linux/files/fs-CVE-2015-5706.patch b/recipes-kernel/linux/files/fs-CVE-2015-5706.patch new file mode 100644 index 0000000..ef1951f --- /dev/null +++ b/recipes-kernel/linux/files/fs-CVE-2015-5706.patch
@@ -0,0 +1,45 @@
		1	From 88b4f377466cb673777d27693acf70108a908106 Mon Sep 17 00:00:00 2001
		2	From: Al Viro <viro@zeniv.linux.org.uk>
		3	Date: Fri, 8 May 2015 22:53:15 -0400
		4	Subject: path_openat(): fix double fput()
		5
		6	commit f15133df088ecadd141ea1907f2c96df67c729f0 upstream.
		7
		8	path_openat() jumps to the wrong place after do_tmpfile() - it has
		9	already done path_cleanup() (as part of path_lookupat() called by
		10	do_tmpfile()), so doing that again can lead to double fput().
		11
		12	Fixes CVE-2015-5706.
		13	Upstream-Status: Backport
		14
		15	Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
		16	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		17	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		18	---
		19	fs/namei.c \| 3 ++-
		20	1 file changed, 2 insertions(+), 1 deletion(-)
		21
		22	diff --git a/fs/namei.c b/fs/namei.c
		23	index ccb8000..c6fa079 100644
		24	--- a/fs/namei.c
		25	+++ b/fs/namei.c
		26	@@ -3171,7 +3171,7 @@ static struct file path_openat(int dfd, struct filename pathname,
		27
		28	if (unlikely(file->f_flags & __O_TMPFILE)) {
		29	error = do_tmpfile(dfd, pathname, nd, flags, op, file, &opened);
		30	- goto out;
		31	+ goto out2;
		32	}
		33
		34	error = path_init(dfd, pathname->name, flags \| LOOKUP_PARENT, nd, &base);
		35	@@ -3209,6 +3209,7 @@ out:
		36	path_put(&nd->root);
		37	if (base)
		38	fput(base);
		39	+out2:
		40	if (!(opened & FILE_OPENED)) {
		41	BUG_ON(!error);
		42	put_filp(file);
		43	--
		44	cgit v0.11.2
		45


diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend index 001026f..7078d4e 100644 --- a/recipes-kernel/linux/linux-yocto_3.14.bbappend +++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -7,4 +7,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
7	file://IB-uverbs-CVE-2014-8159.patch \	7	file://IB-uverbs-CVE-2014-8159.patch \
8	file://net-sctp-CVE-2015-1421.patch \	8	file://net-sctp-CVE-2015-1421.patch \
9	file://fs-CVE-2015-3339.patch \	9	file://fs-CVE-2015-3339.patch \
		10	file://fs-CVE-2015-5706.patch \
10	"	11	"