[linux] 03/03: AIO: properly check iovec sizes

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Mon Feb 29 00:42:39 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit 969fbd63517b5b87a9c695cbb081a9469723862a
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Mon Feb 29 00:40:46 2016 +0000

    AIO: properly check iovec sizes
---
 debian/changelog                                   |  1 +
 .../all/aio-properly-check-iovec-sizes.patch       | 41 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 43 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index ac63d5b..8395907 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,7 @@ linux (3.16.7-ckt20-1+deb8u4) UNRELEASED; urgency=medium
   * ALSA: timer: Fix race among timer ioctls (CVE-2016-2546)
   * ALSA: timer: Harden slave timer list handling (CVE-2016-2547, CVE-2016-2548)
   * ALSA: hrtimer: Fix stall by hrtimer_cancel() (CVE-2016-2549)
+  * AIO: properly check iovec sizes
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sat, 23 Jan 2016 22:53:58 +0000
 
diff --git a/debian/patches/bugfix/all/aio-properly-check-iovec-sizes.patch b/debian/patches/bugfix/all/aio-properly-check-iovec-sizes.patch
new file mode 100644
index 0000000..04e7d88
--- /dev/null
+++ b/debian/patches/bugfix/all/aio-properly-check-iovec-sizes.patch
@@ -0,0 +1,41 @@
+From: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Date: Fri, 19 Feb 2016 17:36:21 -0800
+Subject: AIO: properly check iovec sizes
+Origin: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit?id=c4f4b82694fe48b02f7a881a1797131a6dad1364
+
+In Linus's tree, the iovec code has been reworked massively, but in
+older kernels the AIO layer should be checking this before passing the
+request on to other layers.
+
+Many thanks to Ben Hawkes of Google Project Zero for pointing out the
+issue.
+
+Reported-by: Ben Hawkes <hawkes at google.com>
+Acked-by: Benjamin LaHaise <bcrl at kvack.org>
+Tested-by: Willy Tarreau <w at 1wt.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ fs/aio.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1378,11 +1378,16 @@ static ssize_t aio_setup_single_vector(s
+ 				       unsigned long *nr_segs,
+ 				       struct iovec *iovec)
+ {
+-	if (unlikely(!access_ok(!rw, buf, kiocb->ki_nbytes)))
++	size_t len = kiocb->ki_nbytes;
++
++	if (len > MAX_RW_COUNT)
++		len = MAX_RW_COUNT;
++
++	if (unlikely(!access_ok(!rw, buf, len)))
+ 		return -EFAULT;
+ 
+ 	iovec->iov_base = buf;
+-	iovec->iov_len = kiocb->ki_nbytes;
++	iovec->iov_len = len;
+ 	*nr_segs = 1;
+ 	return 0;
+ }
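Review bot: In aio_setup_single_vector() the clamp to MAX_RW_COUNT is applied only to the local len, so after this change iovec->iov_len can be smaller than kiocb->ki_nbytes, which still holds the caller-supplied value. Any later code that sizes the transfer from ki_nbytes rather than from the iovec would still see the unclamped length. Either write the clamped value back (kiocb->ki_nbytes = len;) or state in the patch description that no remaining user of ki_nbytes depends on it matching iov_len. A short comment above the "if (len > MAX_RW_COUNT)" check noting that oversized requests are truncated rather than rejected would also help, since the description does not say what the unchecked size permitted.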
diff --git a/debian/patches/series b/debian/patches/series
index 89de587..3e8728d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -694,3 +694,4 @@ bugfix/all/alsa-timer-fix-double-unlink-of-active_list.patch
 bugfix/all/alsa-timer-fix-race-among-timer-ioctls.patch
 bugfix/all/alsa-timer-harden-slave-timer-list-handling.patch
 bugfix/all/alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch
+bugfix/all/aio-properly-check-iovec-sizes.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


