[kernel] r22301 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at moszumanska.debian.org
Thu Jan 29 04:03:13 UTC 2015
Author: benh
Date: Thu Jan 29 04:03:13 2015
New Revision: 22301
Log:
splice: Apply generic position and size checks to each write (CVE-2014-7822)
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Thu Jan 29 03:53:12 2015 (r22300)
+++ dists/wheezy-security/linux/debian/changelog Thu Jan 29 04:03:13 2015 (r22301)
@@ -1,3 +1,10 @@
+linux (3.2.65-1+deb7u2) UNRELEASED; urgency=medium
+
+ * splice: Apply generic position and size checks to each write
+ (CVE-2014-7822)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Thu, 29 Jan 2015 04:02:31 +0000
+
linux (3.2.65-1+deb7u1) wheezy-security; urgency=medium
* [amd64] Revert NX changes that caused a regresion in 3.2.65
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch Thu Jan 29 04:03:13 2015 (r22301)
@@ -0,0 +1,64 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 29 Jan 2015 02:50:33 +0000
+Subject: splice: Apply generic position and size checks to each write
+
+We need to check the position and size of file writes against various
+limits, using generic_write_check(). This was not being done for
+the splice write path. It was fixed upstream by commit 8d0207652cbe
+("->splice_write() via ->write_iter()") but we can't apply that.
+
+CVE-2014-7822
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/ocfs2/file.c | 8 ++++++--
+ fs/splice.c | 8 ++++++--
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2468,9 +2468,7 @@ static ssize_t ocfs2_file_splice_write(s
+ struct address_space *mapping = out->f_mapping;
+ struct inode *inode = mapping->host;
+ struct splice_desc sd = {
+- .total_len = len,
+ .flags = flags,
+- .pos = *ppos,
+ .u.file = out,
+ };
+
+@@ -2480,6 +2478,12 @@ static ssize_t ocfs2_file_splice_write(s
+ out->f_path.dentry->d_name.len,
+ out->f_path.dentry->d_name.name, len);
+
++ ret = generic_write_checks(out, ppos, &len, 0);
++ if (ret)
++ return ret;
++ sd.total_len = len;
++ sd.pos = *ppos;
++
+ if (pipe->inode)
+ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_PARENT);
+
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1013,13 +1013,17 @@ generic_file_splice_write(struct pipe_in
+ struct address_space *mapping = out->f_mapping;
+ struct inode *inode = mapping->host;
+ struct splice_desc sd = {
+- .total_len = len,
+ .flags = flags,
+- .pos = *ppos,
+ .u.file = out,
+ };
+ ssize_t ret;
+
++ ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
++ if (ret)
++ return ret;
++ sd.total_len = len;
++ sd.pos = *ppos;
++
+ pipe_lock(pipe);
+
+ splice_from_pipe_begin(&sd);
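Review bot: The patch description names generic_write_check(), but both added calls, in ocfs2_file_splice_write() and in generic_file_splice_write(), are to generic_write_checks(); correcting the name in the description keeps it searchable against the code. The two calls also differ in their last argument: the fs/ocfs2/file.c one passes a literal 0 while the fs/splice.c one passes S_ISBLK(inode->i_mode), and one sentence in the description saying why would save the next reader from having to work it out. Because sd.total_len and sd.pos are now assigned after the check instead of in the initializer, it would also help to state that they are meant to pick up whatever the check may have adjusted through ppos and &len.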
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Thu Jan 29 03:53:12 2015 (r22300)
+++ dists/wheezy-security/linux/debian/patches/series Thu Jan 29 04:03:13 2015 (r22301)
@@ -1153,3 +1153,4 @@
bugfix/x86/x86_64-switch_to-load-tls-descriptors-before-switchi.patch
bugfix/all/keys-close-race-between-key-lookup-and-freeing.patch
bugfix/all/isofs-fix-unchecked-printing-of-er-records.patch
+bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch