[kernel] r22301 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at moszumanska.debian.org
Thu Jan 29 04:03:13 UTC 2015


Author: benh
Date: Thu Jan 29 04:03:13 2015
New Revision: 22301

Log:
splice: Apply generic position and size checks to each write (CVE-2014-7822)

Added:
   dists/wheezy-security/linux/debian/patches/bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch
Modified:
   dists/wheezy-security/linux/debian/changelog
   dists/wheezy-security/linux/debian/patches/series

Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog	Thu Jan 29 03:53:12 2015	(r22300)
+++ dists/wheezy-security/linux/debian/changelog	Thu Jan 29 04:03:13 2015	(r22301)
@@ -1,3 +1,10 @@
+linux (3.2.65-1+deb7u2) UNRELEASED; urgency=medium
+
+  * splice: Apply generic position and size checks to each write
+    (CVE-2014-7822)
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Thu, 29 Jan 2015 04:02:31 +0000
+
 linux (3.2.65-1+deb7u1) wheezy-security; urgency=medium
 
   * [amd64] Revert NX changes that caused a regresion in 3.2.65

Added: dists/wheezy-security/linux/debian/patches/bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch	Thu Jan 29 04:03:13 2015	(r22301)
@@ -0,0 +1,64 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 29 Jan 2015 02:50:33 +0000
+Subject: splice: Apply generic position and size checks to each write
+
+We need to check the position and size of file writes against various
+limits, using generic_write_check().  This was not being done for
+the splice write path.  It was fixed upstream by commit 8d0207652cbe
+("->splice_write() via ->write_iter()") but we can't apply that.
+
+CVE-2014-7822
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/ocfs2/file.c | 8 ++++++--
+ fs/splice.c     | 8 ++++++--
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
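Review bot: The description names generic_write_check(), but both code changes below call generic_write_checks(); correct the name in the message so a search for the helper finds this patch. The subject says the checks apply "to each write", while in both files the call is made once at function entry, before sd.total_len and sd.pos are set, so "each splice write" would describe it more exactly. A few words on why upstream commit 8d0207652cbe cannot be applied here would also help anyone revisiting this backport.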
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2468,9 +2468,7 @@ static ssize_t ocfs2_file_splice_write(s
+ 	struct address_space *mapping = out->f_mapping;
+ 	struct inode *inode = mapping->host;
+ 	struct splice_desc sd = {
+-		.total_len = len,
+ 		.flags = flags,
+-		.pos = *ppos,
+ 		.u.file = out,
+ 	};
+ 
+@@ -2480,6 +2478,12 @@ static ssize_t ocfs2_file_splice_write(s
+ 			out->f_path.dentry->d_name.len,
+ 			out->f_path.dentry->d_name.name, len);
+ 
++	ret = generic_write_checks(out, ppos, &len, 0);
++	if (ret)
++		return ret;
++	sd.total_len = len;
++	sd.pos = *ppos;
++
+ 	if (pipe->inode)
+ 		mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_PARENT);
+ 
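Review bot: In ocfs2_file_splice_write() the last argument to generic_write_checks() is a literal 0, whereas the fs/splice.c change passes S_ISBLK(inode->i_mode); a short comment saying the target is never a block device here would make the difference read as deliberate. The call also sits before the mutex_lock_nested() on pipe->inode, so *ppos and len are validated before any lock shown in this hunk is taken; say in the description why that ordering is safe, or move the check under the lock that protects the write.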
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1013,13 +1013,17 @@ generic_file_splice_write(struct pipe_in
+ 	struct address_space *mapping = out->f_mapping;
+ 	struct inode *inode = mapping->host;
+ 	struct splice_desc sd = {
+-		.total_len = len,
+ 		.flags = flags,
+-		.pos = *ppos,
+ 		.u.file = out,
+ 	};
+ 	ssize_t ret;
+ 
++	ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
++	if (ret)
++		return ret;
++	sd.total_len = len;
++	sd.pos = *ppos;
++
+ 	pipe_lock(pipe);
+ 
+ 	splice_from_pipe_begin(&sd);
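Review bot: generic_write_checks() receives &len and may shorten it, but only ret is tested before sd.total_len = len, so a length clamped to zero still proceeds to pipe_lock() and splice_from_pipe_begin(). Consider returning 0 right after the check when len is 0 (the same applies to the ocfs2 change), or state in the description that the code that follows copes with a zero total_len.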

Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series	Thu Jan 29 03:53:12 2015	(r22300)
+++ dists/wheezy-security/linux/debian/patches/series	Thu Jan 29 04:03:13 2015	(r22301)
@@ -1153,3 +1153,4 @@
 bugfix/x86/x86_64-switch_to-load-tls-descriptors-before-switchi.patch
 bugfix/all/keys-close-race-between-key-lookup-and-freeing.patch
 bugfix/all/isofs-fix-unchecked-printing-of-er-records.patch
+bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch


