On Tue, Mar 31, 2015 at 12:25 AM, Zhang Zhen <zhenzhang.zhang@xxxxxxxxxx> wrote: > Hi Greg, > > Jiri Slaby has pushed this patch to his 3.12-stable tree. > > https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.12.y&id=d7e3ae47c441894b11dce376ff8d110780872d0d > > Can you push it to 3.10-stable tree ? > > Best regards! > > On 2015/3/20 16:59, Zhang Zhen wrote: >> We need to check the position and size of file writes against various >> limits, using generic_write_check(). This was not being done for >> the splice write path. It was fixed upstream by commit 8d0207652cbe >> ("->splice_write() via ->write_iter()") but we can't apply that. >> >> CVE-2014-7822 >> >> Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx> >> [Ben fixed it in 3.2 stable, i ported it to 3.10 stable] >> Signed-off-by: Zhang Zhen <zhenzhang.zhang@xxxxxxxxxx> >> --- >> fs/ocfs2/file.c | 8 +++++--- >> fs/splice.c | 8 ++++++-- >> 2 files changed, 11 insertions(+), 5 deletions(-) >> >> diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c >> index 46387e4..e0b1c88 100644 >> --- a/fs/ocfs2/file.c >> +++ b/fs/ocfs2/file.c >> @@ -2453,12 +2453,14 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe, >> struct address_space *mapping = out->f_mapping; >> struct inode *inode = mapping->host; >> struct splice_desc sd = { >> - .total_len = len, >> .flags = flags, >> - .pos = *ppos, >> .u.file = out, >> }; >> - >> + ret = generic_write_checks(out, ppos, &len, 0); >> + if(ret) >> + return ret; >> + sd.total_len = len; >> + sd.pos = *ppos; >> >> trace_ocfs2_file_splice_write(inode, out, out->f_path.dentry, >> (unsigned long long)OCFS2_I(inode)->ip_blkno, >> diff --git a/fs/splice.c b/fs/splice.c >> index 4b5a5fa..f183f13 100644 >> --- a/fs/splice.c >> +++ b/fs/splice.c >> @@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out, >> struct address_space *mapping = out->f_mapping; >> struct inode *inode = mapping->host; >> struct splice_desc sd = { >> - .total_len = len, >> .flags = flags, >> - .pos = *ppos, >> .u.file = out, >> }; >> ssize_t ret; >> >> + ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode)); >> + if (ret) >> + return ret; >> + sd.total_len = len; >> + sd.pos = *ppos; >> + >> pipe_lock(pipe); >> >> splice_from_pipe_begin(&sd); >> > > > -- > To unsubscribe from this list: send the line "unsubscribe stable" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html Hi. The original upstream fix for CVE-2014-7822 landed in 3.16, so a fix is also needed for the 3.14 stable branch. Cheers, Vinson -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html