Don't feed anything but regular iovec's to blk_rq_map_user_iov (CVE-2016-9576)
This commit is contained in:
parent
56659f5080
commit
d2f4158d99
|
@ -50,6 +50,7 @@ linux (4.8.12-1) UNRELEASED; urgency=medium
|
|||
* Add ABI reference for 4.8.0-2
|
||||
* Ignore ABI changes in KVM
|
||||
* net: ping: check minimum size on ICMP header length (CVE-2016-8399)
|
||||
* Don't feed anything but regular iovec's to blk_rq_map_user_iov (CVE-2016-9576)
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* [amd64] Re-enable LEGACY_VSYSCALL_EMULATE instead of LEGACY_VSYSCALL_NONE.
|
||||
|
|
41
debian/patches/bugfix/all/Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
vendored
Normal file
41
debian/patches/bugfix/all/Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
vendored
Normal file
|
@ -0,0 +1,41 @@
|
|||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Date: Tue, 6 Dec 2016 16:18:14 -0800
|
||||
Subject: Don't feed anything but regular iovec's to blk_rq_map_user_iov
|
||||
Origin: https://git.kernel.org/linus/a0ac402cfcdc904f9772e1762b3fda112dcc56a0
|
||||
|
||||
In theory we could map other things, but there's a reason that function
|
||||
is called "user_iov". Using anything else (like splice can do) just
|
||||
confuses it.
|
||||
|
||||
Reported-and-tested-by: Johannes Thumshirn <jthumshirn@suse.de>
|
||||
Cc: Al Viro <viro@ZenIV.linux.org.uk>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
block/blk-map.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/block/blk-map.c b/block/blk-map.c
|
||||
index b8657fa..27fd8d92 100644
|
||||
--- a/block/blk-map.c
|
||||
+++ b/block/blk-map.c
|
||||
@@ -118,6 +118,9 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
|
||||
struct iov_iter i;
|
||||
int ret;
|
||||
|
||||
+ if (!iter_is_iovec(iter))
|
||||
+ goto fail;
|
||||
+
|
||||
if (map_data)
|
||||
copy = true;
|
||||
else if (iov_iter_alignment(iter) & align)
|
||||
@@ -140,6 +143,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
|
||||
|
||||
unmap_rq:
|
||||
__blk_rq_unmap_user(bio);
|
||||
+fail:
|
||||
rq->bio = NULL;
|
||||
return -EINVAL;
|
||||
}
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -106,6 +106,7 @@ bugfix/all/tipc-check-minimum-bearer-MTU.patch
|
|||
bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
|
||||
bugfix/all/net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
|
||||
bugfix/all/net-ping-check-minimum-size-on-ICMP-header-length.patch
|
||||
bugfix/all/Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
|
||||
|
||||
# ABI maintenance
|
||||
|
||||
|
|
Loading…
Reference in New Issue