From 717d00497f7e762951d63002b1346ee50397256d Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Mon, 2 Feb 2015 09:36:08 +0100
Subject: target: CVE-2014-4027

Explicitly clear ramdisk_mcp backend pages

Reference
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4027
http://permalink.gmane.org/gmane.linux.scsi.target.devel/6618

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
 .../linux/files/target-CVE-2014-4027.patch         | 46 ++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq-sdk.bbappend      |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 recipes-kernel/linux/files/target-CVE-2014-4027.patch

diff --git a/recipes-kernel/linux/files/target-CVE-2014-4027.patch b/recipes-kernel/linux/files/target-CVE-2014-4027.patch
new file mode 100644
index 0000000..5b9cc2b
--- /dev/null
+++ b/recipes-kernel/linux/files/target-CVE-2014-4027.patch
@@ -0,0 +1,46 @@
+From 43507abd621cb72b55142e7b18a4aa77a19aa3f3 Mon Sep 17 00:00:00 2001
+From: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
+Date: Mon, 16 Jun 2014 20:59:52 +0000
+Subject: [PATCH] target: Explicitly clear ramdisk_mcp backend pages
+
+[Note that a different patch to address the same issue went in during
+v3.15-rc1 (commit 4442dc8a), but includes a bunch of other changes that
+don't strictly apply to fixing the bug]
+
+This patch changes rd_allocate_sgl_table() to explicitly clear
+ramdisk_mcp backend memory pages by passing __GFP_ZERO into
+alloc_pages().
+
+This addresses a potential security issue where reading from a
+ramdisk_mcp could return sensitive information, and follows what
+>= v3.15 does to explicitly clear ramdisk_mcp memory at backend
+device initialization time.
+
+This fixes CVE-2014-4027
+Upstream-Status: Backport
+
+Reported-by: Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>
+Cc: Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/target/target_core_rd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_rd.c b/drivers/target/target_core_rd.c
+index 0921a64..5c3b6778 100644
+--- a/drivers/target/target_core_rd.c
++++ b/drivers/target/target_core_rd.c
+@@ -174,7 +174,7 @@ static int rd_build_device_space(struct rd_dev *rd_dev)
+ 						- 1;
+ 
+ 		for (j = 0; j < sg_per_table; j++) {
+-			pg = alloc_pages(GFP_KERNEL, 0);
++			pg = alloc_pages(GFP_KERNEL | __GFP_ZERO, 0);
+ 			if (!pg) {
+ 				pr_err("Unable to allocate scatterlist"
+ 					" pages for struct rd_dev_sg_table\n");
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-qoriq-sdk.bbappend b/recipes-kernel/linux/linux-qoriq-sdk.bbappend
index a78f575..281c87e 100644
--- a/recipes-kernel/linux/linux-qoriq-sdk.bbappend
+++ b/recipes-kernel/linux/linux-qoriq-sdk.bbappend
@@ -44,6 +44,7 @@ SRC_URI += "file://add-no-error-uninitialized.patch \
     file://net-sctp-CVE-2014-7841.patch \
     file://0001-ALSA-CVE-2014-4656.patch \
     file://0002-ALSA-CVE-2014-4656.patch \
+    file://target-CVE-2014-4027.patch \
     "
 
 SRC_URI_append_p2041rdb = " \
-- 
cgit v1.2.3-54-g00ecf