Home Home > GIT Browse > SLE15-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohannes Thumshirn <jthumshirn@suse.de>2016-12-09 09:19:31 +0100
committerTakashi Iwai <tiwai@suse.de>2016-12-09 10:49:02 +0100
commitfc1fe0e3bad405be09494c5df2e17c0ab38eaf66 (patch)
tree4a8d99413e2a79d239901d37f64239703d71bd6a
parent076f6b44ee45b8bdde4ee962636a74e9dd7002bc (diff)
Don't feed anything but regular iovec's to blk_rq_map_user_iovrpm-4.4.21-90-dirty
(CVE-2016-9576 bsc#1013604).
-rw-r--r--patches.fixes/don-t-feed-anything-but-regular-iovec-s-to-blk_rq_map_user_iov.patch31
-rw-r--r--series.conf1
2 files changed, 32 insertions, 0 deletions
diff --git a/patches.fixes/don-t-feed-anything-but-regular-iovec-s-to-blk_rq_map_user_iov.patch b/patches.fixes/don-t-feed-anything-but-regular-iovec-s-to-blk_rq_map_user_iov.patch
new file mode 100644
index 0000000000..218f14fab1
--- /dev/null
+++ b/patches.fixes/don-t-feed-anything-but-regular-iovec-s-to-blk_rq_map_user_iov.patch
@@ -0,0 +1,31 @@
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 6 Dec 2016 16:18:14 -0800
+Subject: Don't feed anything but regular iovec's to blk_rq_map_user_iov
+Git-commit: a0ac402cfcdc904f9772e1762b3fda112dcc56a0
+Patch-mainline: v4.10 or v4.9-rc9 (next release)
+References: CVE-2016-9576 bsc#1013604
+
+In theory we could map other things, but there's a reason that function
+is called "user_iov". Using anything else (like splice can do) just
+confuses it.
+
+Reported-and-tested-by: Johannes Thumshirn <jthumshirn@suse.de>
+Cc: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ block/blk-map.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -90,6 +90,9 @@ int blk_rq_map_user_iov(struct request_q
+ if (!iter || !iter->count)
+ return -EINVAL;
+
++ if (!iter_is_iovec((struct iov_iter *) iter))
++ return -EINVAL;
++
+ iov_for_each(iov, i, *iter) {
+ unsigned long uaddr = (unsigned long) iov.iov_base;
+
diff --git a/series.conf b/series.conf
index 206e6d5f53..a65a90a5cb 100644
--- a/series.conf
+++ b/series.conf
@@ -5237,6 +5237,7 @@
patches.drivers/0049-blk-mq-clear-q-mq_ops-if-init-fail.patch
patches.drivers/0050-blk-mq-really-fix-plug-list-flushing-for-nomerge-queues.patch
patches.drivers/0051-Missing-bio_put-following-submit_bio_wait.patch
+ patches.fixes/don-t-feed-anything-but-regular-iovec-s-to-blk_rq_map_user_iov.patch
patches.fixes/block-merge-get-the-1st-and-last-bvec-via-helpers.patch