authorJosh Boyer <jwboyer@fedoraproject.org>2016-07-07 08:09:24 -0400
committerJosh Boyer <jwboyer@fedoraproject.org>2016-07-07 08:10:01 -0400
commita1ea56bdad1e65f094012a12301e21321eb4cb08 (patch)
treec75fbf1cbd0e1b475741c74b8b843f5bae64c7c5
parent090355101563f8b7fda5582b5407d6ea342a4930 (diff)
CVE-2016-6156 race condition in chrome chardev driver (rhbz 1353490 1353491)
-rw-r--r--kernel.spec6
-rw-r--r--platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch52
2 files changed, 58 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index 15b3eefa5..17b74cb2d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -658,6 +658,9 @@ Patch826: HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch
Patch830: posix_acl-Add-set_posix_acl.patch
Patch831: nfsd-check-permissions-when-setting-ACLs.patch
+#CVE-2016-6156 rhbz 1353490 1353491
+Patch832: platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -2175,6 +2178,9 @@ fi
#
#
%changelog
+* Thu Jul 07 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-6156 race condition in chrome chardev driver (rhbz 1353490 1353491)
+
* Tue Jul 05 2016 Josh Boyer <jwboyer@fedoraproject.org>
- Linux v4.6.3
- CVE-2016-6130 s390x race condition in sclp leads to info leak (rhbz 1352558 1352559)
diff --git a/platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch b/platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch
new file mode 100644
index 000000000..a685ff697
--- /dev/null
+++ b/platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch
@@ -0,0 +1,52 @@
+From 096cdc6f52225835ff503f987a0d68ef770bb78e Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 21 Jun 2016 16:58:46 +0300
+Subject: [PATCH] platform/chrome: cros_ec_dev - double fetch bug in ioctl
+
+We verify "u_cmd.outsize" and "u_cmd.insize" but we need to make sure
+that those values have not changed between the two copy_from_user()
+calls. Otherwise it could lead to a buffer overflow.
+
+Additionally, cros_ec_cmd_xfer() can set s_cmd->insize to a lower value.
+We should use the new smaller value so we don't copy too much data to
+the user.
+
+Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
+Fixes: a841178445bb ('mfd: cros_ec: Use a zero-length array for command data')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Tested-by: Gwendal Grignou <gwendal@chromium.org>
+Cc: <stable@vger.kernel.org> # v4.2+
+Signed-off-by: Olof Johansson <olof@lixom.net>
+---
+ drivers/platform/chrome/cros_ec_dev.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/chrome/cros_ec_dev.c b/drivers/platform/chrome/cros_ec_dev.c
+index 6d8ee3b15872..8abd80dbcbed 100644
+--- a/drivers/platform/chrome/cros_ec_dev.c
++++ b/drivers/platform/chrome/cros_ec_dev.c
+@@ -151,13 +151,19 @@ static long ec_device_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg)
+ goto exit;
+ }
+
++ if (u_cmd.outsize != s_cmd->outsize ||
++ u_cmd.insize != s_cmd->insize) {
++ ret = -EINVAL;
++ goto exit;
++ }
++
+ s_cmd->command += ec->cmd_offset;
+ ret = cros_ec_cmd_xfer(ec->ec_dev, s_cmd);
+ /* Only copy data to userland if data was received. */
+ if (ret < 0)
+ goto exit;
+
+- if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + u_cmd.insize))
++ if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + s_cmd->insize))
+ ret = -EFAULT;
+ exit:
+ kfree(s_cmd);
+--
+2.5.5
+
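Review bot: The size re-check added at the top of the inner hunk carries no comment explaining why two fields of u_cmd are compared against the s_cmd the kernel already holds, so a reader of the backport sees only an unexplained -EINVAL. A comment above the `if`, along the lines of `/* Sizes were validated from the first copy_from_user(); reject the request if userspace changed them before the second copy into s_cmd. */`, would record the double-fetch hazard the commit message describes at the point where it is defended against. The first fetch of u_cmd, the size validation and the allocation of s_cmd all lie before the hunk, so ec_device_ioctl_xcmd starts outside it, and its tail after kfree() is outside it as well.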