From 112edaf87ad6789f56dde1aafb4ce61a14757705 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Tue, 29 Dec 2015 10:00:21 +0100
Subject: vhost driver: CVE-2015-6252

Fixes a flaw in the Linux kernel's vhost driver.
A privileged local user with access to the /dev/vhost-net
files could use this flaw to create a denial-of-service attack.

References:
===========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6252
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-6252
http://www.openwall.com/lists/oss-security/2015/08/18/3

Upstream patch:
===============
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
---
 .../linux/files/vhost-CVE-2015-6252.patch          | 33 ++++++++++++++++++++++
 recipes-kernel/linux/linux-yocto_3.14.bbappend     |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644 recipes-kernel/linux/files/vhost-CVE-2015-6252.patch

diff --git a/recipes-kernel/linux/files/vhost-CVE-2015-6252.patch b/recipes-kernel/linux/files/vhost-CVE-2015-6252.patch
new file mode 100644
index 0000000..658fed1
--- /dev/null
+++ b/recipes-kernel/linux/files/vhost-CVE-2015-6252.patch
@@ -0,0 +1,33 @@
+From 7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5 Mon Sep 17 00:00:00 2001
+Date: Fri, 17 Jul 2015 15:32:03 +0200
+Subject: vhost: actually track log eventfd file
+
+While reviewing vhost log code, I found out that log_file is never
+set. Note: I haven't tested the change (QEMU doesn't use LOG_FD yet).
+
+Fixes CVE-2015-6252.
+Upstream-Status: Backport
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/vhost/vhost.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index a9fe859..95bdb90 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -995,6 +995,7 @@ long vhost_dev_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
+ 		}
+ 		if (eventfp != d->log_file) {
+ 			filep = d->log_file;
++			d->log_file = eventfp;
+ 			ctx = d->log_ctx;
+ 			d->log_ctx = eventfp ?
+ 				eventfd_ctx_fileget(eventfp) : NULL;
+-- 
+cgit v0.11.2
+
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index 90bb462..f865fcb 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -10,4 +10,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
             file://fs-CVE-2015-5706.patch \
             file://drivers-scsi-CVE-2015-5707.patch \
             file://md-CVE-2015-5697.patch \
+            file://vhost-CVE-2015-6252.patch \
            "
-- 
cgit v1.2.3-54-g00ecf