From 1ab831fc573b2a6db71d41fe0f0e47b643cbc863 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Fri, 8 Jan 2016 15:05:53 +0100
Subject: splice-CVE-2014-7822 Fixes lack of generic write checks. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7822 Upstrem fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=b292fc7723b66d9796ae550b284223d95019ac44
Signed-off-by: Sona Sarmadi
Signed-off-by: Paul Vaduva
---
.../files/splice-CVE-2014-7822-3.14-kernel.patch | 78 ++++++++++++++++++++++
recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 +
2 files changed, 79 insertions(+)
create mode 100644 recipes-kernel/linux/files/splice-CVE-2014-7822-3.14-kernel.patch
diff --git a/recipes-kernel/linux/files/splice-CVE-2014-7822-3.14-kernel.patch b/recipes-kernel/linux/files/splice-CVE-2014-7822-3.14-kernel.patch
new file mode 100644
index 0000000..e84da04
--- /dev/null
+++ b/recipes-kernel/linux/files/splice-CVE-2014-7822-3.14-kernel.patch
@@ -0,0 +1,78 @@
+From b292fc7723b66d9796ae550b284223d95019ac44 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Thu, 29 Jan 2015 02:50:33 +0000
+Subject: splice: Apply generic position and size checks to each write
+
+commit 894c6350eaad7e613ae267504014a456e00a3e2a from the 3.2-stable branch.
+
+We need to check the position and size of file writes against various
+limits, using generic_write_check(). This was not being done for
+the splice write path. It was fixed upstream by commit 8d0207652cbe
+("->splice_write() via ->write_iter()") but we can't apply that.
+
+CVE-2014-7822
+Upstream-Status: Backport
+
+Signed-off-by: Ben Hutchings
+Cc: Vinson Lee
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ fs/ocfs2/file.c | 8 ++++++--
+ fs/splice.c | 8 ++++++--
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
+index 7fe30f6..35f54bc 100644
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2478,9 +2478,7 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
+ struct address_space *mapping = out->f_mapping;
+ struct inode *inode = mapping->host;
+ struct splice_desc sd = {
+- .total_len = len,
+ .flags = flags,
+- .pos = *ppos,
+ .u.file = out,
+ };
+
+@@ -2490,6 +2488,12 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
+ out->f_path.dentry->d_name.len,
+ out->f_path.dentry->d_name.name, len);
+
++ ret = generic_write_checks(out, ppos, &len, 0);
++ if (ret)
++ return ret;
++ sd.total_len = len;
++ sd.pos = *ppos;
++
+ pipe_lock(pipe);
+
+ splice_from_pipe_begin(&sd);
+diff --git a/fs/splice.c b/fs/splice.c
+index 12028fa..f345d53 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
+ struct address_space *mapping = out->f_mapping;
+ struct inode *inode = mapping->host;
+ struct splice_desc sd = {
+- .total_len = len,
+ .flags = flags,
+- .pos = *ppos,
+ .u.file = out,
+ };
+ ssize_t ret;
+
++ ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
++ if (ret)
++ return ret;
++ sd.total_len = len;
++ sd.pos = *ppos;
++
+ pipe_lock(pipe);
+
+ splice_from_pipe_begin(&sd);
+--
+cgit v0.11.2
+
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index 56b8288..0f6b5f1 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -1,6 +1,7 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \
+ file://splice-CVE-2014-7822-3.14-kernel.patch \
 file://keys-CVE-2015-1333.patch \
 file://udp_fix_behavior_of_wrong_checksums.patch \
 file://net-CVE-2015-2041.patch \
--
cgit v1.2.3-54-g00ecf
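Review bot: The embedded fs/ocfs2/file.c and fs/splice.c hunks of the new patch file move `.total_len` and `.pos` out of the `struct splice_desc` initializer without a comment saying why, and that ordering is the substance of the fix. `generic_write_checks()` receives `ppos` and `&len` by pointer and can modify them, so `sd` has to be filled in only after the call returns 0. A one-line comment above each call would keep a later cleanup from folding the fields back into the initializer, for example `/* generic_write_checks() may adjust len and *ppos; set sd.total_len/sd.pos only after it succeeds */`. The ocfs2 call passes a literal `0` as the last argument where the generic path passes `S_ISBLK(inode->i_mode)`; if the intent is that this ocfs2 path never targets a block device, a short note saying so would make the difference reviewable. Both function bodies start and end outside the hunks shown.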