4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 19 Mar 2021 09:46:46 +0000 (10:46 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 19 Mar 2021 09:46:46 +0000 (10:46 +0100)
added patches:
platform-chrome-cros_ec_dev-fix-security-issue.patch

queue-4.4/platform-chrome-cros_ec_dev-fix-security-issue.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/platform-chrome-cros_ec_dev-fix-security-issue.patch b/queue-4.4/platform-chrome-cros_ec_dev-fix-security-issue.patch
new file mode 100644 (file)
index 0000000..35e2029
--- /dev/null
@@ -0,0 +1,69 @@
+From 5d749d0bbe811c10d9048cde6dfebc761713abfd Mon Sep 17 00:00:00 2001
+From: Gwendal Grignou <gwendal@chromium.org>
+Date: Tue, 8 Mar 2016 09:13:52 -0800
+Subject: platform/chrome: cros_ec_dev - Fix security issue
+
+From: Gwendal Grignou <gwendal@chromium.org>
+
+commit 5d749d0bbe811c10d9048cde6dfebc761713abfd upstream.
+
+Prevent memory scribble by checking that ioctl buffer size parameters
+are sane.
+Without this check, on 32 bits system, if .insize = 0xffffffff - 20 and
+.outsize the amount to scribble, we would overflow, allocate a small
+amounts and be able to write outside of the malloc'ed area.
+Adding a hard limit allows argument checking of the ioctl. With the
+current EC, it is expected .insize and .outsize to be at around 512 bytes
+or less.
+
+Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec_dev.c   |    4 ++++
+ drivers/platform/chrome/cros_ec_proto.c |    4 ++--
+ include/linux/mfd/cros_ec.h             |    6 ++++--
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/platform/chrome/cros_ec_dev.c
++++ b/drivers/platform/chrome/cros_ec_dev.c
+@@ -137,6 +137,10 @@ static long ec_device_ioctl_xcmd(struct
+       if (copy_from_user(&u_cmd, arg, sizeof(u_cmd)))
+               return -EFAULT;
++      if ((u_cmd.outsize > EC_MAX_MSG_BYTES) ||
++          (u_cmd.insize > EC_MAX_MSG_BYTES))
++              return -EINVAL;
++
+       s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
+                       GFP_KERNEL);
+       if (!s_cmd)
+--- a/drivers/platform/chrome/cros_ec_proto.c
++++ b/drivers/platform/chrome/cros_ec_proto.c
+@@ -311,8 +311,8 @@ int cros_ec_query_all(struct cros_ec_dev
+                       ec_dev->max_response = EC_PROTO2_MAX_PARAM_SIZE;
+                       ec_dev->max_passthru = 0;
+                       ec_dev->pkt_xfer = NULL;
+-                      ec_dev->din_size = EC_MSG_BYTES;
+-                      ec_dev->dout_size = EC_MSG_BYTES;
++                      ec_dev->din_size = EC_PROTO2_MSG_BYTES;
++                      ec_dev->dout_size = EC_PROTO2_MSG_BYTES;
+               } else {
+                       /*
+                        * It's possible for a test to occur too early when
+--- a/include/linux/mfd/cros_ec.h
++++ b/include/linux/mfd/cros_ec.h
+@@ -50,9 +50,11 @@ enum {
+                                       EC_MSG_TX_TRAILER_BYTES,
+       EC_MSG_RX_PROTO_BYTES   = 3,
+-      /* Max length of messages */
+-      EC_MSG_BYTES            = EC_PROTO2_MAX_PARAM_SIZE +
++      /* Max length of messages for proto 2*/
++      EC_PROTO2_MSG_BYTES             = EC_PROTO2_MAX_PARAM_SIZE +
+                                       EC_MSG_TX_PROTO_BYTES,
++
++      EC_MAX_MSG_BYTES                = 64 * 1024,
+ };
+ /*
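Review bot: The new bound on `u_cmd.outsize`/`u_cmd.insize` in ec_device_ioctl_xcmd only validates the private header copy made by the first copy_from_user; the function continues past this hunk, and if the body later re-reads the whole struct from `arg` into `s_cmd` (which the `sizeof(*s_cmd) + max(...)` allocation suggests), the sizes in that second copy are unvalidated and may no longer match the ones just checked. The checked values should be made authoritative after any second copy, e.g. `s_cmd->outsize = u_cmd.outsize; s_cmd->insize = u_cmd.insize;`, or the second copy limited to the payload so the validated header is never overwritten. Separately, the new `EC_MAX_MSG_BYTES = 64 * 1024` in cros_ec.h has no comment although the commit text says real messages are around 512 bytes; a line such as `/* Upper bound for ioctl buffer sizes; far above any real EC message */` would record why the cap is deliberately loose, and the adjacent comment is missing a space before `*/` in `/* Max length of messages for proto 2*/`.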
index 09a51753b893d3dfb8e673e422095e2e569cc13e..62a2afef81206fe08c0f0fb39b4133c4603f27d9 100644 (file)
@@ -1,3 +1,4 @@
 ext4-handle-error-of-ext4_setup_system_zone-on-remount.patch
 ext4-don-t-allow-overlapping-system-zones.patch
 ext4-check-journal-inode-extents-more-carefully.patch
+platform-chrome-cros_ec_dev-fix-security-issue.patch