From 8bd62a6ded78e4a1116e23fb66bb5103f856bf89 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Fri, 17 Jun 2016 10:18:40 +0200
Subject: kernel: block/floppy: CVE-2014-1737, CVE-2014-1738

Fixes privilege escalation via FDRAWCMD floppy ioctl command

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1738

Reference to upstream fixes:
CVE-2014-1737:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
commit/?id=21506304588afab20b2d52aaa56b70e85aca6386

CVE-2014-1738:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
commit/?id=50c648e394a0968f19d448b70bec82da88219963

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
---
 .../linux/files/floppy-CVE-2014-1737.patch         | 51 ++++++++++++++++++++++
 .../linux/files/floppy-CVE-2014-1738.patch         | 41 +++++++++++++++++
 recipes-kernel/linux/linux-qoriq-sdk.bbappend      |  2 +
 3 files changed, 94 insertions(+)
 create mode 100644 recipes-kernel/linux/files/floppy-CVE-2014-1737.patch
 create mode 100644 recipes-kernel/linux/files/floppy-CVE-2014-1738.patch

diff --git a/recipes-kernel/linux/files/floppy-CVE-2014-1737.patch b/recipes-kernel/linux/files/floppy-CVE-2014-1737.patch
new file mode 100644
index 0000000..d358e19
--- /dev/null
+++ b/recipes-kernel/linux/files/floppy-CVE-2014-1737.patch
@@ -0,0 +1,51 @@
+From 21506304588afab20b2d52aaa56b70e85aca6386 Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Mon, 28 Apr 2014 19:05:20 +1200
+Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input
+
+commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream.
+
+Always clear out these floppy_raw_cmd struct members after copying the
+entire structure from userspace so that the in-kernel version is always
+valid and never left in an interdeterminate state.
+
+CVE: CVE-2014-1737
+Upstream-Status: Backport
+
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/block/floppy.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 04ceb7e..1a8ab67 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3107,10 +3107,11 @@ loop:
+ 		return -ENOMEM;
+ 	*rcmd = ptr;
+ 	ret = copy_from_user(ptr, param, sizeof(*ptr));
+-	if (ret)
+-		return -EFAULT;
+ 	ptr->next = NULL;
+ 	ptr->buffer_length = 0;
++	ptr->kernel_data = NULL;
++	if (ret)
++		return -EFAULT;
+ 	param += sizeof(struct floppy_raw_cmd);
+ 	if (ptr->cmd_count > 33)
+ 			/* the command may now also take up the space
+@@ -3126,7 +3127,6 @@ loop:
+ 	for (i = 0; i < 16; i++)
+ 		ptr->reply[i] = 0;
+ 	ptr->resultcode = 0;
+-	ptr->kernel_data = NULL;
+ 
+ 	if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+ 		if (ptr->length <= 0)
+-- 
+cgit v0.12
+
diff --git a/recipes-kernel/linux/files/floppy-CVE-2014-1738.patch b/recipes-kernel/linux/files/floppy-CVE-2014-1738.patch
new file mode 100644
index 0000000..fa93391
--- /dev/null
+++ b/recipes-kernel/linux/files/floppy-CVE-2014-1738.patch
@@ -0,0 +1,41 @@
+From 50c648e394a0968f19d448b70bec82da88219963 Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Mon, 28 Apr 2014 19:05:21 +1200
+Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output
+
+commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream.
+
+Do not leak kernel-only floppy_raw_cmd structure members to userspace.
+This includes the linked-list pointer and the pointer to the allocated
+DMA space.
+
+CVE: CVE-2014-1738
+Upstream-Status: Backport
+
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/block/floppy.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 1a8ab67..eb3575b 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void __user *param,
+ 	int ret;
+ 
+ 	while (ptr) {
+-		ret = copy_to_user(param, ptr, sizeof(*ptr));
++		struct floppy_raw_cmd cmd = *ptr;
++		cmd.next = NULL;
++		cmd.kernel_data = NULL;
++		ret = copy_to_user(param, &cmd, sizeof(cmd));
+ 		if (ret)
+ 			return -EFAULT;
+ 		param += sizeof(struct floppy_raw_cmd);
+-- 
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-qoriq-sdk.bbappend b/recipes-kernel/linux/linux-qoriq-sdk.bbappend
index 0568d58..c3ded18 100644
--- a/recipes-kernel/linux/linux-qoriq-sdk.bbappend
+++ b/recipes-kernel/linux/linux-qoriq-sdk.bbappend
@@ -20,6 +20,8 @@ SRC_URI += "file://add-no-error-uninitialized.patch \
     file://fs-CVE-2013-4247.patch \
     file://net-CVE-2013-4348.patch \
     file://virt-kvm-CVE-2013-4587.patch \
+    file://floppy-CVE-2014-1737.patch \
+    file://floppy-CVE-2014-1738.patch \
     file://Fix-CVE-2014-3153.patch \
     file://CVE-2014-0196_n_tty_write_crash.patch \
     file://Fix-CVE-2014-5471_CVE-2014-5472.patch \ 
-- 
cgit v1.2.3-54-g00ecf