On Thu, Jun 25, 2015 at 09:22:01PM -0700, Greg KH wrote: > On Wed, Jun 03, 2015 at 02:31:14PM -0700, Vinson Lee wrote: > > On Tue, Mar 31, 2015 at 12:25 AM, Zhang Zhen <zhenzhang.zhang@xxxxxxxxxx> wrote: > > > Hi Greg, > > > > > > Jiri Slaby has pushed this patch to his 3.12-stable tree. > > > > > > https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.12.y&id=d7e3ae47c441894b11dce376ff8d110780872d0d > > > > > > Can you push it to 3.10-stable tree ??? > > > > > > Best regards??? > > > > > > On 2015/3/20 16:59, Zhang Zhen wrote: > > >> We need to check the position and size of file writes against various > > >> limits, using generic_write_check(). This was not being done for > > >> the splice write path. It was fixed upstream by commit 8d0207652cbe > > >> ("->splice_write() via ->write_iter()") but we can't apply that. > > >> > > >> CVE-2014-7822 > > >> > > >> Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx> > > >> [Ben fixed it in 3.2 stable, i ported it to 3.10 stable] > > >> Signed-off-by: Zhang Zhen <zhenzhang.zhang@xxxxxxxxxx> > > >> --- > > >> fs/ocfs2/file.c | 8 +++++--- > > >> fs/splice.c | 8 ++++++-- > > >> 2 files changed, 11 insertions(+), 5 deletions(-) > > >> > > >> diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c > > >> index 46387e4..e0b1c88 100644 > > >> --- a/fs/ocfs2/file.c > > >> +++ b/fs/ocfs2/file.c > > >> @@ -2453,12 +2453,14 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe, > > >> struct address_space *mapping = out->f_mapping; > > >> struct inode *inode = mapping->host; > > >> struct splice_desc sd = { > > >> - .total_len = len, > > >> .flags = flags, > > >> - .pos = *ppos, > > >> .u.file = out, > > >> }; > > >> - > > >> + ret = generic_write_checks(out, ppos, &len, 0); > > >> + if(ret) > > >> + return ret; > > >> + sd.total_len = len; > > >> + sd.pos = *ppos; > > >> > > >> trace_ocfs2_file_splice_write(inode, out, out->f_path.dentry, > > >> (unsigned long long)OCFS2_I(inode)->ip_blkno, 
> > >> diff --git a/fs/splice.c b/fs/splice.c > > >> index 4b5a5fa..f183f13 100644 > > >> --- a/fs/splice.c > > >> +++ b/fs/splice.c > > >> @@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out, > > >> struct address_space *mapping = out->f_mapping; > > >> struct inode *inode = mapping->host; > > >> struct splice_desc sd = { > > >> - .total_len = len, > > >> .flags = flags, > > >> - .pos = *ppos, > > >> .u.file = out, > > >> }; > > >> ssize_t ret; > > >> > > >> + ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode)); > > >> + if (ret) > > >> + return ret; > > >> + sd.total_len = len; > > >> + sd.pos = *ppos; > > >> + > > >> pipe_lock(pipe); > > >> > > >> splice_from_pipe_begin(&sd); > > >> > > > > > > > > > -- > > > To unsubscribe from this list: send the line "unsubscribe stable" in > > > the body of a message to majordomo@xxxxxxxxxxxxxxx > > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > > > > > Hi. > > > > The original upstream fix for CVE-2014-7822 landed in 3.16, so a fix > > is also needed for the 3.14 stable branch. > > I don't understand, what commit id are you talking about? What patch > should be applied to 3.14-stable? I think it's this one (from 3.10) which doesn't have an equivalent in 3.14 : commit 13d32f27d15c5c53254ed88e3d2042c34de1bfaa Author: Ben Hutchings <ben@xxxxxxxxxxxxxxx> Date: Thu Jan 29 02:50:33 2015 +0000 splice: Apply generic position and size checks to each write commit 894c6350eaad7e613ae267504014a456e00a3e2a from the 3.2-stable branch. We need to check the position and size of file writes against various limits, using generic_write_check(). This was not being done for the splice write path. It was fixed upstream by commit 8d0207652cbe ("->splice_write() via ->write_iter()") but we can't apply that. CVE-2014-7822 Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx> [Ben fixed it in 3.2 stable, i ported it to 3.10 stable] 
Signed-off-by: Zhang Zhen <zhenzhang.zhang@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> Willy
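
Review bot: In the fs/ocfs2/file.c hunk, the new check is written `if(ret)` with no space after `if`, and the blank line that separated the `sd` initializer from the first statement is removed, so `ret = generic_write_checks(out, ppos, &len, 0);` now runs straight on from the declarations. Please use `if (ret)` and keep a blank line after the declarations, as the fs/splice.c hunk does. The last argument is also a hard-coded `0` here while fs/splice.c passes `S_ISBLK(inode->i_mode)`; `inode` is already in scope in this function, so either pass the same expression for consistency or say in the commit message why a literal 0 is correct for ocfs2.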
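
Review bot: In the fs/splice.c hunk, `generic_write_checks()` is called before `pipe_lock(pipe)` and can change both `*ppos` and `len`, yet nothing in the hunk covers the case where `len` comes back as 0. Please either return early when `len` is 0 after the check or state in the commit message that `splice_from_pipe_begin()` and the loop that follows cope with `sd.total_len == 0`. It would also help to note whether any inode state the check consults is stable at this point, since no lock is visibly held when it runs.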