From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 30 Jun 2015 00:42:14 +0000 (-0700)
Subject: 3.14-stable patches
X-Git-Tag: v3.10.83~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=585678b518958a5b7c99cd9597ab59388c68ba2f;p=thirdparty%2Fkernel%2Fstable-queue.git

3.14-stable patches

added patches:
	splice-apply-generic-position-and-size-checks-to-each-write.patch
---

diff --git a/queue-3.14/series b/queue-3.14/series
index f1ae9731088..23be11d3e9d 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -11,3 +11,4 @@ hpsa-add-missing-pci_set_master-in-kdump-path.patch
 x86-microcode-intel-guard-against-stack-overflow-in-the-loader.patch
 btrfs-make-xattr-replace-operations-atomic.patch
 net-mlx4_en-don-t-attempt-to-tx-offload-the-outer-udp-checksum-for-vxlan.patch
+splice-apply-generic-position-and-size-checks-to-each-write.patch
diff --git a/queue-3.14/splice-apply-generic-position-and-size-checks-to-each-write.patch b/queue-3.14/splice-apply-generic-position-and-size-checks-to-each-write.patch
new file mode 100644
index 00000000000..ff91c0225f8
--- /dev/null
+++ b/queue-3.14/splice-apply-generic-position-and-size-checks-to-each-write.patch
@@ -0,0 +1,72 @@
+From 894c6350eaad7e613ae267504014a456e00a3e2a Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 29 Jan 2015 02:50:33 +0000
+Subject: splice: Apply generic position and size checks to each write
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit 894c6350eaad7e613ae267504014a456e00a3e2a from the 3.2-stable branch.
+
+We need to check the position and size of file writes against various
+limits, using generic_write_check().  This was not being done for
+the splice write path.  It was fixed upstream by commit 8d0207652cbe
+("->splice_write() via ->write_iter()") but we can't apply that.
+
+CVE-2014-7822
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Vinson Lee <vlee@twopensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/file.c |    8 ++++++--
+ fs/splice.c     |    8 ++++++--
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2478,9 +2478,7 @@ static ssize_t ocfs2_file_splice_write(s
+ 	struct address_space *mapping = out->f_mapping;
+ 	struct inode *inode = mapping->host;
+ 	struct splice_desc sd = {
+-		.total_len = len,
+ 		.flags = flags,
+-		.pos = *ppos,
+ 		.u.file = out,
+ 	};
+ 
+@@ -2490,6 +2488,12 @@ static ssize_t ocfs2_file_splice_write(s
+ 			out->f_path.dentry->d_name.len,
+ 			out->f_path.dentry->d_name.name, len);
+ 
++	ret = generic_write_checks(out, ppos, &len, 0);
++	if (ret)
++		return ret;
++	sd.total_len = len;
++	sd.pos = *ppos;
++
+ 	pipe_lock(pipe);
+ 
+ 	splice_from_pipe_begin(&sd);
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_in
+ 	struct address_space *mapping = out->f_mapping;
+ 	struct inode *inode = mapping->host;
+ 	struct splice_desc sd = {
+-		.total_len = len,
+ 		.flags = flags,
+-		.pos = *ppos,
+ 		.u.file = out,
+ 	};
+ 	ssize_t ret;
+ 
++	ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
++	if (ret)
++		return ret;
++	sd.total_len = len;
++	sd.pos = *ppos;
++
+ 	pipe_lock(pipe);
+ 
+ 	splice_from_pipe_begin(&sd);