From d01aa491489979c6907ae2d1d312f448a2ba8452 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 21 Aug 2018 07:51:19 +0200
Subject: [PATCH] 4.4-stable patches

added patches:
	isdn-disable-iiocdbgvar.patch
---
 queue-4.4/isdn-disable-iiocdbgvar.patch | 41 +++++++++++++++++++++++++
 queue-4.4/series                        |  1 +
 2 files changed, 42 insertions(+)
 create mode 100644 queue-4.4/isdn-disable-iiocdbgvar.patch

diff --git a/queue-4.4/isdn-disable-iiocdbgvar.patch b/queue-4.4/isdn-disable-iiocdbgvar.patch
new file mode 100644
index 00000000000..b5d3fd3a3b1
--- /dev/null
+++ b/queue-4.4/isdn-disable-iiocdbgvar.patch
@@ -0,0 +1,41 @@
+From foo@baz Tue Aug 21 07:37:56 CEST 2018
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 15 Aug 2018 12:14:05 -0700
+Subject: isdn: Disable IIOCDBGVAR
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 5e22002aa8809e2efab2da95855f73f63e14a36c ]
+
+It was possible to directly leak the kernel address where the isdn_dev
+structure pointer was stored. This is a kernel ASLR bypass for anyone
+with access to the ioctl. The code had been present since the beginning
+of git history, though this shouldn't ever be needed for normal operation,
+therefore remove it.
+
+Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Karsten Keil <isdn@linux-pingi.de>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/i4l/isdn_common.c |    8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1655,13 +1655,7 @@ isdn_ioctl(struct file *file, uint cmd,
+ 			} else
+ 				return -EINVAL;
+ 		case IIOCDBGVAR:
+-			if (arg) {
+-				if (copy_to_user(argp, &dev, sizeof(ulong)))
+-					return -EFAULT;
+-				return 0;
+-			} else
+-				return -EINVAL;
+-			break;
++			return -EINVAL;
+ 		default:
+ 			if ((cmd & IIOCDRVCTL) == IIOCDRVCTL)
+ 				cmd = ((cmd >> _IOC_NRSHIFT) & _IOC_NRMASK) & ISDN_DRVIOCTL_MASK;
diff --git a/queue-4.4/series b/queue-4.4/series
index 93074b5b3c5..4044d93122f 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -19,3 +19,4 @@ acpi-pm-save-nvs-memory-for-asus-1025c-laptop.patch
 serial-8250_dw-always-set-baud-rate-in-dw8250_set_termios.patch
 x86-mm-simplify-pd_page-macros.patch
 bluetooth-avoid-killing-an-already-killed-socket.patch
+isdn-disable-iiocdbgvar.patch
-- 
2.47.3