From: Greg Kroah-Hartman Date: Fri, 5 May 2017 22:35:41 +0000 (-0700) Subject: 4.9-stable patches X-Git-Tag: v3.18.52~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=688621691571bb1618cd31e9bebcb736a417d165;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: dm-ioctl-prevent-stack-leak-in-dm-ioctl-call.patch --- diff --git a/queue-4.9/dm-ioctl-prevent-stack-leak-in-dm-ioctl-call.patch b/queue-4.9/dm-ioctl-prevent-stack-leak-in-dm-ioctl-call.patch new file mode 100644 index 00000000000..9e8521b6506 --- /dev/null +++ b/queue-4.9/dm-ioctl-prevent-stack-leak-in-dm-ioctl-call.patch @@ -0,0 +1,36 @@ +From 4617f564c06117c7d1b611be49521a4430042287 Mon Sep 17 00:00:00 2001 +From: Adrian Salido +Date: Thu, 27 Apr 2017 10:32:55 -0700 +Subject: dm ioctl: prevent stack leak in dm ioctl call + +From: Adrian Salido + +commit 4617f564c06117c7d1b611be49521a4430042287 upstream. + +When calling a dm ioctl that doesn't process any data +(IOCTL_FLAGS_NO_PARAMS), the contents of the data field in struct +dm_ioctl are left initialized. Current code is incorrectly extending +the size of data copied back to user, causing the contents of kernel +stack to be leaked to user. Fix by only copying contents before data +and allow the functions processing the ioctl to override. + +Signed-off-by: Adrian Salido +Reviewed-by: Alasdair G Kergon +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -1847,7 +1847,7 @@ static int ctl_ioctl(uint command, struc + if (r) + goto out; + +- param->data_size = sizeof(*param); ++ param->data_size = offsetof(struct dm_ioctl, data); + r = fn(param, input_param_size); + + if (unlikely(param->flags & DM_BUFFER_FULL_FLAG) && diff --git a/queue-4.9/series b/queue-4.9/series index af721a62522..b5b976576c6 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
@@ -6,3 +6,4 @@ hwmon-it87-avoid-registering-the-same-chip-on-both-sio-addresses.patch 8250_pci-fix-potential-use-after-free-in-error-path.patch ceph-try-getting-buffer-capability-for-readahead-fadvise.patch cpu-hotplug-serialize-callback-invocations-proper.patch +dm-ioctl-prevent-stack-leak-in-dm-ioctl-call.patch
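Review bot: the line `param->data_size = offsetof(struct dm_ioctl, data);` in the drivers/md/dm-ioctl.c hunk is only safe if every handler reached through `r = fn(param, input_param_size);` that does write into `data` also raises `data_size` to cover what it wrote; the commit message relies on this ("allow the functions processing the ioctl to override") but the hunk does not show it, so a sentence in the commit message saying the handlers that return data were checked for this would help, and a one-line comment above the assignment explaining why `offsetof` is used instead of `sizeof(*param)` would keep a later cleanup from turning it back into the leaking form. Separately, the commit message reads "are left initialized" where the surrounding sentence (a kernel stack leak to user space) suggests "left uninitialized" was intended.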