3.14-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Tue, 30 Jun 2015 00:42:14 +0000 (17:42 -0700)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Tue, 30 Jun 2015 00:42:14 +0000 (17:42 -0700)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 30 Jun 2015 00:42:14 +0000 (17:42 -0700)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 30 Jun 2015 00:42:14 +0000 (17:42 -0700)
diff --git a/queue-3.14/series b/queue-3.14/series

index f1ae97310886ba519e0a08fcf5154048af26bdc7..23be11d3e9d704c9396f7f592d92379440672158 100644 (file)
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -11,3 +11,4 @@ hpsa-add-missing-pci_set_master-in-kdump-path.patch
  x86-microcode-intel-guard-against-stack-overflow-in-the-loader.patch
  btrfs-make-xattr-replace-operations-atomic.patch
  net-mlx4_en-don-t-attempt-to-tx-offload-the-outer-udp-checksum-for-vxlan.patch
+splice-apply-generic-position-and-size-checks-to-each-write.patch
diff --git a/queue-3.14/splice-apply-generic-position-and-size-checks-to-each-write.patch b/queue-3.14/splice-apply-generic-position-and-size-checks-to-each-write.patch

new file mode 100644 (file)

index 0000000..ff91c02
--- /dev/null
+++ b/queue-3.14/splice-apply-generic-position-and-size-checks-to-each-write.patch
@@ -0,0 +1,72 @@
+From 894c6350eaad7e613ae267504014a456e00a3e2a Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 29 Jan 2015 02:50:33 +0000
+Subject: splice: Apply generic position and size checks to each write
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit 894c6350eaad7e613ae267504014a456e00a3e2a from the 3.2-stable branch.
+
+We need to check the position and size of file writes against various
+limits, using generic_write_check().  This was not being done for
+the splice write path.  It was fixed upstream by commit 8d0207652cbe
+("->splice_write() via ->write_iter()") but we can't apply that.
+
+CVE-2014-7822
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Vinson Lee <vlee@twopensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/file.c |    8 ++++++--
+ fs/splice.c     |    8 ++++++--
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2478,9 +2478,7 @@ static ssize_t ocfs2_file_splice_write(s
+       struct address_space *mapping = out->f_mapping;
+       struct inode *inode = mapping->host;
+       struct splice_desc sd = {
+-              .total_len = len,
+               .flags = flags,
+-              .pos = *ppos,
+               .u.file = out,
+       };
+ 
+@@ -2490,6 +2488,12 @@ static ssize_t ocfs2_file_splice_write(s
+                       out->f_path.dentry->d_name.len,
+                       out->f_path.dentry->d_name.name, len);
+ 
++      ret = generic_write_checks(out, ppos, &len, 0);
++      if (ret)
++              return ret;
++      sd.total_len = len;
++      sd.pos = *ppos;
++
+       pipe_lock(pipe);
+ 
+       splice_from_pipe_begin(&sd);
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_in
+       struct address_space *mapping = out->f_mapping;
+       struct inode *inode = mapping->host;
+       struct splice_desc sd = {
+-              .total_len = len,
+               .flags = flags,
+-              .pos = *ppos,
+               .u.file = out,
+       };
+       ssize_t ret;
+ 
++      ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
++      if (ret)
++              return ret;
++      sd.total_len = len;
++      sd.pos = *ppos;
++
+       pipe_lock(pipe);
+ 
+       splice_from_pipe_begin(&sd);
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 30 Jun 2015 00:42:14 +0000 (17:42 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 30 Jun 2015 00:42:14 +0000 (17:42 -0700)
queue-3.14/series		patch \| blob \| blame \| history
queue-3.14/splice-apply-generic-position-and-size-checks-to-each-write.patch	[new file with mode: 0644]	patch \| blob