From ebe696fc7e7b93d0056372bf2e24bf09746d0f4a Mon Sep 17 00:00:00 2001 From: Paul Vaduva Date: Wed, 27 Apr 2016 15:27:21 +0200 Subject: ipc: fix compat msgrcv with negative msgtyp BugLink: http://bugs.launchpad.net/bugs/1393355 Compat function takes msgtyp argument as u32 and passes it down to do_msgrcv which results in casting to long, thus the sign is lost and we get a big positive number instead. Cast the argument to signed type before passing it down. Signed-off-by: Paul Vaduva --- ...pc-fix-compat-msgrcv-with-negative-msgtyp.patch | 27 ++++++++++++++++++++++ recipes-kernel/linux/linux-qoriq_3.12.bb | 1 + 2 files changed, 28 insertions(+) create mode 100644 recipes-kernel/linux/files/Trusty-SRU-ipc-fix-compat-msgrcv-with-negative-msgtyp.patch diff --git a/recipes-kernel/linux/files/Trusty-SRU-ipc-fix-compat-msgrcv-with-negative-msgtyp.patch b/recipes-kernel/linux/files/Trusty-SRU-ipc-fix-compat-msgrcv-with-negative-msgtyp.patch new file mode 100644 index 0000000..b90a114 --- /dev/null +++ b/recipes-kernel/linux/files/Trusty-SRU-ipc-fix-compat-msgrcv-with-negative-msgtyp.patch @@ -0,0 +1,27 @@ +BugLink: http://bugs.launchpad.net/bugs/1393355 + +Compat function takes msgtyp argument as u32 and passes it down to +do_msgrcv which results in casting to long, thus the sign is lost and we +get a big positive number instead. + +Cast the argument to signed type before passing it down. + +Signed-off-by: Mateusz Guzik +Reported-by: Gabriellla Schmidt + +Upstream-Status::Backport +Kernel 3.14 + +diff --git a/ipc/compat.c b/ipc/compat.c +index 892f658..d3b3760 100644 +--- a/ipc/compat.c ++++ b/ipc/compat.c +@@ -381,7 +381,7 @@ COMPAT_SYSCALL_DEFINE6(ipc, u32, call, int, first, int, second, + uptr = compat_ptr(ipck.msgp); + fifth = ipck.msgtyp; + } +- return do_msgrcv(first, uptr, second, fifth, third, ++ return do_msgrcv(first, uptr, second, (s32)fifth, third, + compat_do_msg_fill); + } + case MSGGET: diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index 110d7ce..889c564 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb @@ -4,5 +4,6 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;branch=sdk-v1.9.x \ file://modify-defconfig-t1040-nr-cpus.patch \ file://net-sctp-CVE-2014-0101.patch \ file://0001-powerpc-Align-TOC-to-256-bytes.patch \ + file://Trusty-SRU-ipc-fix-compat-msgrcv-with-negative-msgtyp.patch \ " SRCREV = "43cecda943a6c40a833b588801b0929e8bd48813" -- cgit v1.2.3-54-g00ecf