[kernel] r22300 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at moszumanska.debian.org
Thu Jan 29 03:53:12 UTC 2015


Author: benh
Date: Thu Jan 29 03:53:12 2015
New Revision: 22300

Log:
splice: Apply generic position and size checks to each write (CVE-2014-7822)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze11

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Thu Jan 29 00:59:17 2015	(r22299)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Thu Jan 29 03:53:12 2015	(r22300)
@@ -9,6 +9,8 @@
   * isofs: Fix infinite looping over CE entries (CVE-2014-9420)
   * isofs: Fix unchecked printing of ER records (CVE-2014-9584)
   * [amd64] vdso: Fix the vdso address randomization algorithm (CVE-2014-9585)
+  * splice: Apply generic position and size checks to each write
+    (CVE-2014-7822)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 28 Jan 2015 22:33:05 +0000
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch	Thu Jan 29 03:53:12 2015	(r22300)
@@ -0,0 +1,68 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 29 Jan 2015 02:50:33 +0000
+Subject: splice: Apply generic position and size checks to each write
+
+We need to check the position and size of file writes against various
+limits, using generic_write_check().  This was not being done for
+the splice write path.  It was fixed upstream by commit 8d0207652cbe
+("->splice_write() via ->write_iter()") but we can't apply that.
+
+CVE-2014-7822
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/ocfs2/file.c | 8 ++++++--
+ fs/splice.c     | 8 ++++++--
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
+index de059f4..6aede32 100644
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2081,9 +2081,7 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
+ 	struct address_space *mapping = out->f_mapping;
+ 	struct inode *inode = mapping->host;
+ 	struct splice_desc sd = {
+-		.total_len = len,
+ 		.flags = flags,
+-		.pos = *ppos,
+ 		.u.file = out,
+ 	};
+ 
+@@ -2092,6 +2090,12 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
+ 		   out->f_path.dentry->d_name.len,
+ 		   out->f_path.dentry->d_name.name);
+ 
++	ret = generic_write_checks(out, ppos, &len, 0);
++	if (ret)
++		return ret;
++	sd.total_len = len;
++	sd.pos = *ppos;
++
+ 	if (pipe->inode)
+ 		mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_PARENT);
+ 
+diff --git a/fs/splice.c b/fs/splice.c
+index cdad986..1ef1c00 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -945,13 +945,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
+ 	struct address_space *mapping = out->f_mapping;
+ 	struct inode *inode = mapping->host;
+ 	struct splice_desc sd = {
+-		.total_len = len,
+ 		.flags = flags,
+-		.pos = *ppos,
+ 		.u.file = out,
+ 	};
+ 	ssize_t ret;
+ 
++	ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
++	if (ret)
++		return ret;
++	sd.total_len = len;
++	sd.pos = *ppos;
++
+ 	pipe_lock(pipe);
+ 
+ 	splice_from_pipe_begin(&sd);
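Review bot: In both embedded hunks `sd.total_len` and `sd.pos` are now assigned only after `generic_write_checks()` returns, but no comment says why they left the `splice_desc` initializer. A short comment above the two assignments in fs/splice.c and fs/ocfs2/file.c, such as `/* generic_write_checks() may shorten len, so fill in sd only after it has run */`, would keep a later cleanup from moving them back into the initializer and reintroducing the unchecked length. The check also runs before `pipe_lock(pipe)` and, in ocfs2, before the locking visible in this hunk, whereas the ordinary write path appears to call it with the inode mutex held. That looks safe as long as the result does not depend on a stable i_size for these files, but the patch description should say so, and it names `generic_write_check()` while the code calls `generic_write_checks()`. Both function bodies start and end outside the hunks, so the declaration and type of `ret` in `ocfs2_file_splice_write` cannot be confirmed from here.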

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze11
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze11	Thu Jan 29 00:59:17 2015	(r22299)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze11	Thu Jan 29 03:53:12 2015	(r22300)
@@ -5,3 +5,4 @@
 + bugfix/all/isofs-fix-infinite-looping-over-ce-entries.patch
 + bugfix/all/isofs-fix-unchecked-printing-of-er-records.patch
 + bugfix/x86/x86_64-vdso-fix-the-vdso-address-randomization-algor.patch
++ bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch


