Don't feed anything but regular iovec's to blk_rq_map_user_iov (CVE-2016-9576)
This commit is contained in:
parent
56659f5080
commit
d2f4158d99
|
@ -50,6 +50,7 @@ linux (4.8.12-1) UNRELEASED; urgency=medium
|
||||||
* Add ABI reference for 4.8.0-2
|
* Add ABI reference for 4.8.0-2
|
||||||
* Ignore ABI changes in KVM
|
* Ignore ABI changes in KVM
|
||||||
* net: ping: check minimum size on ICMP header length (CVE-2016-8399)
|
* net: ping: check minimum size on ICMP header length (CVE-2016-8399)
|
||||||
|
* Don't feed anything but regular iovec's to blk_rq_map_user_iov (CVE-2016-9576)
|
||||||
|
|
||||||
[ Ben Hutchings ]
|
[ Ben Hutchings ]
|
||||||
* [amd64] Re-enable LEGACY_VSYSCALL_EMULATE instead of LEGACY_VSYSCALL_NONE.
|
* [amd64] Re-enable LEGACY_VSYSCALL_EMULATE instead of LEGACY_VSYSCALL_NONE.
|
||||||
|
|
41
debian/patches/bugfix/all/Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
vendored
Normal file
41
debian/patches/bugfix/all/Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
vendored
Normal file
|
@ -0,0 +1,41 @@
|
||||||
|
From: Linus Torvalds <torvalds@linux-foundation.org>
|
||||||
|
Date: Tue, 6 Dec 2016 16:18:14 -0800
|
||||||
|
Subject: Don't feed anything but regular iovec's to blk_rq_map_user_iov
|
||||||
|
Origin: https://git.kernel.org/linus/a0ac402cfcdc904f9772e1762b3fda112dcc56a0
|
||||||
|
|
||||||
|
In theory we could map other things, but there's a reason that function
|
||||||
|
is called "user_iov". Using anything else (like splice can do) just
|
||||||
|
confuses it.
|
||||||
|
|
||||||
|
Reported-and-tested-by: Johannes Thumshirn <jthumshirn@suse.de>
|
||||||
|
Cc: Al Viro <viro@ZenIV.linux.org.uk>
|
||||||
|
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||||
|
---
|
||||||
|
block/blk-map.c | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/block/blk-map.c b/block/blk-map.c
|
||||||
|
index b8657fa..27fd8d92 100644
|
||||||
|
--- a/block/blk-map.c
|
||||||
|
+++ b/block/blk-map.c
|
||||||
|
@@ -118,6 +118,9 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
|
||||||
|
struct iov_iter i;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
+ if (!iter_is_iovec(iter))
|
||||||
|
+ goto fail;
|
||||||
|
+
|
||||||
|
if (map_data)
|
||||||
|
copy = true;
|
||||||
|
else if (iov_iter_alignment(iter) & align)
|
||||||
|
@@ -140,6 +143,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
|
||||||
|
|
||||||
|
unmap_rq:
|
||||||
|
__blk_rq_unmap_user(bio);
|
||||||
|
+fail:
|
||||||
|
rq->bio = NULL;
|
||||||
|
return -EINVAL;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.1.4
|
||||||
|
|
|
@ -106,6 +106,7 @@ bugfix/all/tipc-check-minimum-bearer-MTU.patch
|
||||||
bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
|
bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
|
||||||
bugfix/all/net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
|
bugfix/all/net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
|
||||||
bugfix/all/net-ping-check-minimum-size-on-ICMP-header-length.patch
|
bugfix/all/net-ping-check-minimum-size-on-ICMP-header-length.patch
|
||||||
|
bugfix/all/Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
|
||||||
|
|
||||||
# ABI maintenance
|
# ABI maintenance
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue