[linux] 02/02: [amd64] misc: mic: Fix for double fetch security bug in VOP driver (CVE-2016-5728)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sat Jul 2 09:40:41 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit 4344acb49aa466bf026c4a5eeae0b3a2a71a2373
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Jul 2 11:39:48 2016 +0200

    [amd64] misc: mic: Fix for double fetch security bug in VOP driver (CVE-2016-5728)
---
 debian/changelog                                   |  2 ++
 ...x-for-double-fetch-security-bug-in-vop-dr.patch | 37 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 40 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 1131fcc..755c259 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,8 @@ linux (3.16.7-ckt25-2+deb8u3) UNRELEASED; urgency=medium
 
   [ Ben Hutchings ]
   * ALSA: compress: fix an integer overflow check (CVE-2014-9904)
+  * [amd64] misc: mic: Fix for double fetch security bug in VOP driver
+    (CVE-2016-5728)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 02 Jul 2016 11:22:39 +0200
 
diff --git a/debian/patches/bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch b/debian/patches/bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch
new file mode 100644
index 0000000..f39302f
--- /dev/null
+++ b/debian/patches/bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch
@@ -0,0 +1,37 @@
+From: Ashutosh Dixit <ashutosh.dixit at intel.com>
+Date: Wed, 27 Apr 2016 14:36:05 -0700
+Subject: misc: mic: Fix for double fetch security bug in VOP driver
+Origin: https://git.kernel.org/linus/9bf292bfca94694a721449e3fd752493856710f6
+
+The MIC VOP driver does two successive reads from user space to read a
+variable length data structure. Kernel memory corruption can result if
+the data structure changes between the two reads. This patch disallows
+the chance of this happening.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651
+Reported by: Pengfei Wang <wpengfeinudt at gmail.com>
+Reviewed-by: Sudeep Dutt <sudeep.dutt at intel.com>
+Signed-off-by: Ashutosh Dixit <ashutosh.dixit at intel.com>
+Cc: stable <stable at vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+[bwh: Backported to 3.16:
+ - Adjust filename, context
+ - goto exit on failure]
+---
+ drivers/misc/mic/host/mic_virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/misc/mic/host/mic_virtio.c
++++ b/drivers/misc/mic/host/mic_virtio.c
+@@ -456,6 +456,11 @@ static int mic_copy_dp_entry(struct mic_
+ 			__func__, __LINE__, ret);
+ 		goto exit;
+ 	}
++	/* Ensure desc has not changed between the two reads */
++	if (memcmp(&dd, dd_config, sizeof(dd))) {
++		ret = -EINVAL;
++		goto exit;
++	}
+ 
+ 	vqconfig = mic_vq_config(dd_config);
+ 	for (i = 0; i < dd.num_vq; i++) {
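Review bot: The new mismatch branch in mic_copy_dp_entry() sets ret = -EINVAL and jumps to exit without logging, while the failure path directly above it reports __func__, __LINE__ and ret. A rate-limited message here would make a descriptor that changed between the two reads visible during triage. The memcmp() covers only sizeof(dd), which matches the dd.num_vq loop bound that follows. A short addition to the comment stating that the remaining fields are taken from the kernel copy dd_config (via mic_vq_config(dd_config)) would document why comparing the header alone is enough. The backport note says "goto exit on failure" and the exit label is outside this hunk, so confirm that it releases dd_config on this path too.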
diff --git a/debian/patches/series b/debian/patches/series
index 5e09c3d..feccbbf 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -725,3 +725,4 @@ debian/migrate-fix-abi-change-in-3.16.36.patch
 bugfix/all/netfilter-ensure-number-of-counters-is-0-in-do_repla.patch
 bugfix/all/Revert-netfilter-ensure-number-of-counters-is-0-in-d.patch
 bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch
+bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


