From 147471be70bc9a36185725e7aa7ec76c406a8500 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 21 Aug 2018 07:50:48 +0200
Subject: [PATCH] 3.18-stable patches added patches: isdn-disable-iiocdbgvar.patch
---
 queue-3.18/isdn-disable-iiocdbgvar.patch | 41 ++++++++++++++++++++++++
 queue-3.18/series | 1 +
 2 files changed, 42 insertions(+)
 create mode 100644 queue-3.18/isdn-disable-iiocdbgvar.patch
diff --git a/queue-3.18/isdn-disable-iiocdbgvar.patch b/queue-3.18/isdn-disable-iiocdbgvar.patch
new file mode 100644
index 00000000000..b5d3fd3a3b1
--- /dev/null
+++ b/queue-3.18/isdn-disable-iiocdbgvar.patch
@@ -0,0 +1,41 @@
+From foo@baz Tue Aug 21 07:37:56 CEST 2018
+From: Kees Cook
+Date: Wed, 15 Aug 2018 12:14:05 -0700
+Subject: isdn: Disable IIOCDBGVAR
+
+From: Kees Cook
+
+[ Upstream commit 5e22002aa8809e2efab2da95855f73f63e14a36c ]
+
+It was possible to directly leak the kernel address where the isdn_dev
+structure pointer was stored. This is a kernel ASLR bypass for anyone
+with access to the ioctl. The code had been present since the beginning
+of git history, though this shouldn't ever be needed for normal operation,
+therefore remove it.
+
+Reported-by: Al Viro
+Cc: Karsten Keil
+Signed-off-by: Kees Cook
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/isdn/i4l/isdn_common.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1655,13 +1655,7 @@ isdn_ioctl(struct file *file, uint cmd,
+ } else
+ return -EINVAL;
+ case IIOCDBGVAR:
+- if (arg) {
+- if (copy_to_user(argp, &dev, sizeof(ulong)))
+- return -EFAULT;
+- return 0;
+- } else
+- return -EINVAL;
+- break;
++ return -EINVAL;
+ default:
+ if ((cmd & IIOCDRVCTL) == IIOCDRVCTL)
+ cmd = ((cmd >> _IOC_NRSHIFT) & _IOC_NRMASK) & ISDN_DRVIOCTL_MASK;
diff --git a/queue-3.18/series b/queue-3.18/series
index 1dc9e06803a..7f2c82bf5d0 100644
--- a/queue-3.18/series
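Review bot: The `case IIOCDBGVAR:` label in isdn_ioctl() is kept but now holds only `return -EINVAL;`, and nothing in the code says why the command is a deliberate stub. A one-line comment above the return, for example `/* IIOCDBGVAR disabled: it copied the isdn_dev pointer to user space (kernel address leak) */`, would make it less likely that a later cleanup or partial revert restores the `copy_to_user()` of `&dev`. The switch and the rest of isdn_ioctl() start and end outside the hunk, so whether other commands there copy kernel pointers out cannot be judged from these lines.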
+++ b/queue-3.18/series
@@ -12,3 +12,4 @@ alsa-vxpocket-fix-invalid-endian-conversions.patch
 usb-serial-sierra-fix-potential-deadlock-at-close.patch
 serial-8250_dw-always-set-baud-rate-in-dw8250_set_termios.patch
 bluetooth-avoid-killing-an-already-killed-socket.patch
+isdn-disable-iiocdbgvar.patch
--
2.47.3