On Wed, Jun 03, 2015 at 02:31:14PM -0700, Vinson Lee wrote: > On Tue, Mar 31, 2015 at 12:25 AM, Zhang Zhen <zhenzhang.zhang@xxxxxxxxxx> wrote: > > Hi Greg, > > > > Jiri Slaby has pushed this patch to his 3.12-stable tree. > > > > https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.12.y&id=d7e3ae47c441894b11dce376ff8d110780872d0d > > > > Can you push it to 3.10-stable tree ? > > > > Best regards! > > > > On 2015/3/20 16:59, Zhang Zhen wrote: > >> We need to check the position and size of file writes against various > >> limits, using generic_write_check(). This was not being done for > >> the splice write path. It was fixed upstream by commit 8d0207652cbe > >> ("->splice_write() via ->write_iter()") but we can't apply that. > >> > >> CVE-2014-7822 > >> > >> Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx> > >> [Ben fixed it in 3.2 stable, i ported it to 3.10 stable] > >> Signed-off-by: Zhang Zhen <zhenzhang.zhang@xxxxxxxxxx> > >> --- > >> fs/ocfs2/file.c | 8 +++++--- > >> fs/splice.c | 8 ++++++-- > >> 2 files changed, 11 insertions(+), 5 deletions(-) > >> > >> diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c > >> index 46387e4..e0b1c88 100644 > >> --- a/fs/ocfs2/file.c > >> +++ b/fs/ocfs2/file.c > >> @@ -2453,12 +2453,14 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe, > >> struct address_space *mapping = out->f_mapping; > >> struct inode *inode = mapping->host; > >> struct splice_desc sd = { > >> - .total_len = len, > >> .flags = flags, > >> - .pos = *ppos, > >> .u.file = out, > >> }; > >> - > >> + ret = generic_write_checks(out, ppos, &len, 0); > >> + if(ret) > >> + return ret; > >> + sd.total_len = len; > >> + sd.pos = *ppos; > >> > >> trace_ocfs2_file_splice_write(inode, out, out->f_path.dentry, > >> (unsigned long long)OCFS2_I(inode)->ip_blkno, > >> diff --git a/fs/splice.c b/fs/splice.c > >> index 4b5a5fa..f183f13 100644 > >> --- a/fs/splice.c > >> +++ b/fs/splice.c > >> @@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out, > >> struct address_space *mapping = out->f_mapping; > >> struct inode *inode = mapping->host; > >> struct splice_desc sd = { > >> - .total_len = len, > >> .flags = flags, > >> - .pos = *ppos, > >> .u.file = out, > >> }; > >> ssize_t ret; > >> > >> + ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode)); > >> + if (ret) > >> + return ret; > >> + sd.total_len = len; > >> + sd.pos = *ppos; > >> + > >> pipe_lock(pipe); > >> > >> splice_from_pipe_begin(&sd); > >> > > > > > > -- > > To unsubscribe from this list: send the line "unsubscribe stable" in > > the body of a message to majordomo@xxxxxxxxxxxxxxx > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > > Hi. > > The original upstream fix for CVE-2014-7822 landed in 3.16, so a fix > is also needed for the 3.14 stable branch. I don't understand, what commit id are you talking about? What patch should be applied to 3.14-stable? thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html