drivers-scsi: CVE-2015-5707

Fixes a bug in the scsi block request handling code in
function start_req().

References:
===========
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5707
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5707
http://www.openwall.com/lists/oss-security/2015/08/01/6

Upstream patch:
===============
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=08ac1787579cb8bd9e7333836269e76801905597

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>

2 files changed, 45 insertions, 0 deletions

diff --git a/recipes-kernel/linux/files/drivers-scsi-CVE-2015-5707.patch b/recipes-kernel/linux/files/drivers-scsi-CVE-2015-5707.patch
new file mode 100644
index 0000000..6927d45
--- /dev/null
+++ b/recipes-kernel/linux/files/drivers-scsi-CVE-2015-5707.patch
@@ -0,0 +1,44 @@
+From 08ac1787579cb8bd9e7333836269e76801905597 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Subject: sg_start_req(): make sure that there's not too many elements in iovec
+
+commit 451a2886b6bf90e2fb378f7c46c655450fb96e81 upstream.
+
+unfortunately, allowing an arbitrary 16bit value means a possibility of
+overflow in the calculation of total number of pages in bio_map_user_iov() -
+we rely on there being no more than PAGE_SIZE members of sum in the
+first loop there.  If that sum wraps around, we end up allocating
+too small array of pointers to pages and it's easy to overflow it in
+the second loop.
+
+Fixes CVE-2015-5707.
+Upstream-Status: Backport
+
+X-Coverup: TINC (and there's no lumber cartel either)
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+[bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit
+ fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't have
+  that function.]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/scsi/sg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index eb81c98..721d839 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -1694,6 +1694,9 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd)
+                        md->from_user = 0;
+        }
+ 
++       if (unlikely(iov_count > UIO_MAXIOV))
++               return -EINVAL;
++
+        if (iov_count) {
+                int len, size = sizeof(struct sg_iovec) * iov_count;
+                struct iovec *iov;
+-- 
+cgit v0.11.2
+
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index 7078d4e..2baf78e 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -8,4 +8,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
             file://net-sctp-CVE-2015-1421.patch \
             file://fs-CVE-2015-3339.patch \
             file://fs-CVE-2015-5706.patch \
+            file://drivers-scsi-CVE-2015-5707.patch \
            "