patch "misc: mic: Fix for double fetch security bug in VOP driver" added to char-misc-next

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* patch "misc: mic: Fix for double fetch security bug in VOP driver" added to char-misc-next
@ 2016-04-27 22:29 gregkh
  0 siblings, 0 replies; only message in thread
From: gregkh @ 2016-04-27 22:29 UTC (permalink / raw)
  To: ashutosh.dixit, gregkh, stable, sudeep.dutt, wpengfeinudt


This is a note to let you know that I've just added the patch titled

    misc: mic: Fix for double fetch security bug in VOP driver

to my char-misc git tree which can be found at
    git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
in the char-misc-next branch.

The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)

The patch will also be merged in the next major kernel release
during the merge window.

If you have any questions about this process, please let me know.


>From 9bf292bfca94694a721449e3fd752493856710f6 Mon Sep 17 00:00:00 2001
From: Ashutosh Dixit <ashutosh.dixit@intel.com>
Date: Wed, 27 Apr 2016 14:36:05 -0700
Subject: misc: mic: Fix for double fetch security bug in VOP driver

The MIC VOP driver does two successive reads from user space to read a
variable length data structure. Kernel memory corruption can result if
the data structure changes between the two reads. This patch disallows
the chance of this happening.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651
Reported by: Pengfei Wang <wpengfeinudt@gmail.com>
Reviewed-by: Sudeep Dutt <sudeep.dutt@intel.com>
Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/mic/vop/vop_vringh.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/misc/mic/vop/vop_vringh.c b/drivers/misc/mic/vop/vop_vringh.c
index e94c7fb6712a..88e45234d527 100644
--- a/drivers/misc/mic/vop/vop_vringh.c
+++ b/drivers/misc/mic/vop/vop_vringh.c
@@ -945,6 +945,11 @@ static long vop_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
 			ret = -EFAULT;
 			goto free_ret;
 		}
+		/* Ensure desc has not changed between the two reads */
+		if (memcmp(&dd, dd_config, sizeof(dd))) {
+			ret = -EINVAL;
+			goto free_ret;
+		}
 		mutex_lock(&vdev->vdev_mutex);
 		mutex_lock(&vi->vop_mutex);
 		ret = vop_virtio_add_device(vdev, dd_config);
-- 
2.8.0



^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2016-04-27 22:29 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-04-27 22:29 patch "misc: mic: Fix for double fetch security bug in VOP driver" added to char-misc-next gregkh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).