diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-06-28 10:01:17 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-06-28 10:01:17 -0400 |
commit | f9af625861b135fce7a9e4b06cac7f132d66677c (patch) | |
tree | ec830800bb537901ac83629d11e4489ec338a022 | |
parent | b88c442b2e21cb155aab2adeed6fb9be4d50b893 (diff) | |
download | kernel-f9af625861b135fce7a9e4b06cac7f132d66677c.tar.gz kernel-f9af625861b135fce7a9e4b06cac7f132d66677c.tar.xz kernel-f9af625861b135fce7a9e4b06cac7f132d66677c.zip |
CVE-2016-5728 race condition in mic driver (rhbz 1350811 1350812)
-rw-r--r-- | kernel.spec | 6 | ||||
-rw-r--r-- | misc-mic-Fix-for-double-fetch-security-bug-in-mic_co.patch | 45 |
2 files changed, 51 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index 6195340c2..89686d6c6 100644 --- a/kernel.spec +++ b/kernel.spec @@ -676,6 +676,9 @@ Patch729: CVE-2016-4998.patch #CVE-2016-5829 rhbz 1350509 1350513 Patch826: HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch +#CVE-2016-5728 rhbz 1350811 1350812 +Patch827: misc-mic-Fix-for-double-fetch-security-bug-in-mic_co.patch + # END OF PATCH DEFINITIONS %endif @@ -2193,6 +2196,9 @@ fi # # %changelog +* Tue Jun 28 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-5728 race condition in mic driver (rhbz 1350811 1350812) + * Mon Jun 27 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.5.7-201 - CVE-2016-5829 heap overflow in hiddev (rhbz 1350509 1350513) diff --git a/misc-mic-Fix-for-double-fetch-security-bug-in-mic_co.patch b/misc-mic-Fix-for-double-fetch-security-bug-in-mic_co.patch new file mode 100644 index 000000000..a88dcf108 --- /dev/null +++ b/misc-mic-Fix-for-double-fetch-security-bug-in-mic_co.patch @@ -0,0 +1,45 @@ +From d0ddcea59aa9406e9fac5ca1809a77f60a4bc9d9 Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Tue, 28 Jun 2016 09:54:56 -0400 +Subject: [PATCH] misc: mic: Fix for double fetch security bug in + mic_copy_dp_entry + +commit 9bf292bfca94694a721449e3fd752493856710f6 upstream + +The MIC driver does two successive reads from user space to read a +variable length data structure. Kernel memory corruption can result if +the data structure changes between the two reads. This patch disallows +the chance of this happening. + +[Backported to linux-4.5.y by Josh Boyer] + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651 +Reported by: Pengfei Wang <wpengfeinudt@gmail.com> +Reviewed-by: Sudeep Dutt <sudeep.dutt@intel.com> +Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +--- + drivers/misc/mic/host/mic_virtio.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/misc/mic/host/mic_virtio.c b/drivers/misc/mic/host/mic_virtio.c +index 58b107a24a8b..7a64f5a619d6 100644 +--- a/drivers/misc/mic/host/mic_virtio.c ++++ b/drivers/misc/mic/host/mic_virtio.c +@@ -555,6 +555,11 @@ static int mic_copy_dp_entry(struct mic_vdev *mvdev, + __func__, __LINE__, ret); + goto exit; + } ++ /* Ensure desc has not changed between the two reads */ ++ if (memcmp(&dd, dd_config, sizeof(dd))) { ++ ret = -EINVAL; ++ goto exit; ++ } + + vqconfig = mic_vq_config(dd_config); + for (i = 0; i < dd.num_vq; i++) { +-- +2.5.5 + |