From b03530492a27f14a49010d411e9b8d753b7fe48a Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Fri, 20 Nov 2015 12:54:04 +0100 Subject: kernel: net: CVE-2015-2041 Fixes information leak in llc2_timeout_table. References: http://www.openwall.com/lists/oss-security/2015/02/20/19 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2041 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ commit/?id=ecca64226ce2960280921e09ae33e90f82b5c408 Signed-off-by: Sona Sarmadi Signed-off-by: Tudor Florea --- recipes-kernel/linux/files/net-CVE-2015-2041.patch | 62 ++++++++++++++++++++++ recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 + 2 files changed, 63 insertions(+) create mode 100644 recipes-kernel/linux/files/net-CVE-2015-2041.patch diff --git a/recipes-kernel/linux/files/net-CVE-2015-2041.patch b/recipes-kernel/linux/files/net-CVE-2015-2041.patch new file mode 100644 index 0000000..e0754cd --- /dev/null +++ b/recipes-kernel/linux/files/net-CVE-2015-2041.patch @@ -0,0 +1,62 @@ +From ecca64226ce2960280921e09ae33e90f82b5c408 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jan 2015 20:47:00 -0500 +Subject: [PATCH] net: llc: use correct size for sysctl timeout entries + +commit 6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 upstream. + +The timeout entries are sizeof(int) rather than sizeof(long), which +means that when they were getting read we'd also leak kernel memory +to userspace along with the timeout values. + +Fixes CVE-2015-2041 +Upstream-Status: Backport + +Signed-off-by: Sasha Levin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sona Sarmadi +--- + net/llc/sysctl_net_llc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/llc/sysctl_net_llc.c b/net/llc/sysctl_net_llc.c +index 612a5dd..799bafc 100644 +--- a/net/llc/sysctl_net_llc.c ++++ b/net/llc/sysctl_net_llc.c +@@ -18,28 +18,28 @@ static struct ctl_table llc2_timeout_table[] = { + { + .procname = "ack", + .data = &sysctl_llc2_ack_timeout, +- .maxlen = sizeof(long), ++ .maxlen = sizeof(sysctl_llc2_ack_timeout), + .mode = 0644, + .proc_handler = proc_dointvec_jiffies, + }, + { + .procname = "busy", + .data = &sysctl_llc2_busy_timeout, +- .maxlen = sizeof(long), ++ .maxlen = sizeof(sysctl_llc2_busy_timeout), + .mode = 0644, + .proc_handler = proc_dointvec_jiffies, + }, + { + .procname = "p", + .data = &sysctl_llc2_p_timeout, +- .maxlen = sizeof(long), ++ .maxlen = sizeof(sysctl_llc2_p_timeout), + .mode = 0644, + .proc_handler = proc_dointvec_jiffies, + }, + { + .procname = "rej", + .data = &sysctl_llc2_rej_timeout, +- .maxlen = sizeof(long), ++ .maxlen = sizeof(sysctl_llc2_rej_timeout), + .mode = 0644, + .proc_handler = proc_dointvec_jiffies, + }, +-- +1.9.1 + diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend index bab3136..5b7cdf3 100644 --- a/recipes-kernel/linux/linux-yocto_3.14.bbappend +++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend @@ -3,4 +3,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:" SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \ file://keys-CVE-2015-1333.patch \ file://udp_fix_behavior_of_wrong_checksums.patch \ + file://net-CVE-2015-2041.patch \ " -- cgit v1.2.3-54-g00ecf