author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-12-29 10:00:19 +0100 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2015-12-29 23:29:15 +0100 |
commit | fe643677a69c0d3d284be6d08bf200817468ecec (patch) | |
tree | 8687be0d661729375e095b2bee512855c9b1f418 | |
parent | af15989919f43e13e027fb698f5fefe4c73eb8de (diff) | |
download | meta-enea-fe643677a69c0d3d284be6d08bf200817468ecec.tar.gz |
drivers-scsi: CVE-2015-5707
Fixes a bug in the scsi block request handling code in
function start_req().
References:
===========
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5707
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5707
http://www.openwall.com/lists/oss-security/2015/08/01/6
Upstream patch:
===============
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=08ac1787579cb8bd9e7333836269e76801905597
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/drivers-scsi-CVE-2015-5707.patch | 44 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 |
2 files changed, 45 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/drivers-scsi-CVE-2015-5707.patch b/recipes-kernel/linux/files/drivers-scsi-CVE-2015-5707.patch new file mode 100644 index 0000000..6927d45 --- /dev/null +++ b/recipes-kernel/linux/files/drivers-scsi-CVE-2015-5707.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From 08ac1787579cb8bd9e7333836269e76801905597 Mon Sep 17 00:00:00 2001 | ||
2 | From: Al Viro <viro@zeniv.linux.org.uk> | ||
3 | Subject: sg_start_req(): make sure that there's not too many elements in iovec | ||
4 | |||
5 | commit 451a2886b6bf90e2fb378f7c46c655450fb96e81 upstream. | ||
6 | |||
7 | unfortunately, allowing an arbitrary 16bit value means a possibility of | ||
8 | overflow in the calculation of total number of pages in bio_map_user_iov() - | ||
9 | we rely on there being no more than PAGE_SIZE members of sum in the | ||
10 | first loop there. If that sum wraps around, we end up allocating | ||
11 | too small array of pointers to pages and it's easy to overflow it in | ||
12 | the second loop. | ||
13 | |||
14 | Fixes CVE-2015-5707. | ||
15 | Upstream-Status: Backport | ||
16 | |||
17 | X-Coverup: TINC (and there's no lumber cartel either) | ||
18 | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> | ||
19 | [bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit | ||
20 | fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't have | ||
21 | that function.] | ||
22 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
23 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
24 | --- | ||
25 | drivers/scsi/sg.c | 3 +++ | ||
26 | 1 file changed, 3 insertions(+) | ||
27 | |||
28 | diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c | ||
29 | index eb81c98..721d839 100644 | ||
30 | --- a/drivers/scsi/sg.c | ||
31 | +++ b/drivers/scsi/sg.c | ||
32 | @@ -1694,6 +1694,9 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd) | ||
33 | md->from_user = 0; | ||
34 | } | ||
35 | |||
36 | + if (unlikely(iov_count > UIO_MAXIOV)) | ||
37 | + return -EINVAL; | ||
38 | + | ||
39 | if (iov_count) { | ||
40 | int len, size = sizeof(struct sg_iovec) * iov_count; | ||
41 | struct iovec *iov; | ||
42 | -- | ||
43 | cgit v0.11.2 | ||
44 | |||
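Review bot: the early return of -EINVAL at lines 36-37 of the embedded patch sits directly after the block that closes at line 34 (the one ending with "md->from_user = 0;"), and the three context lines do not show what sg_start_req() has already set up by that point. Please confirm against the sg.c in the linux-yocto 3.14 tree that a bare return here matches the function's other error exits and leaves nothing for this path to release, and that the hunk at offset 1694 applies there without fuzz, since the offsets come from the stable tree. Two smaller points: the outer commit message names start_req() while the function patched here is sg_start_req(), and the "Upstream-Status: Backport" line at line 15 sits in the middle of the message body, where it is easy to miss; placing it next to the Signed-off-by tags would make it easier to find.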
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend index 7078d4e..2baf78e 100644 --- a/recipes-kernel/linux/linux-yocto_3.14.bbappend +++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend | |||
@@ -8,4 +8,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d | |||
8 | file://net-sctp-CVE-2015-1421.patch \ | 8 | file://net-sctp-CVE-2015-1421.patch \ |
9 | file://fs-CVE-2015-3339.patch \ | 9 | file://fs-CVE-2015-3339.patch \ |
10 | file://fs-CVE-2015-5706.patch \ | 10 | file://fs-CVE-2015-5706.patch \ |
11 | file://drivers-scsi-CVE-2015-5707.patch \ | ||
11 | " | 12 | " |
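Review bot: the new SRC_URI entry at line 11 applies drivers-scsi-CVE-2015-5707.patch unconditionally to linux-yocto 3.14, but the patch file is a backport of stable commit 08ac1787579cb8bd9e7333836269e76801905597. Once the kernel revision used by this recipe moves to a stable release that already contains that commit, the patch will no longer apply cleanly, so it is worth recording here or in the commit message that this entry has to be dropped at that point. The same holds for the other CVE patch entries in this list.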