DivestOS/Patches/Linux_CVEs/CVE-2016-3775/3.4/2.patch

From 6ad77af2e7791e8afd85feef1567aaaab9a748dc Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@google.com>
Date: Thu, 25 Feb 2016 12:15:48 -0800
Subject: [PATCH] AIO: properly check iovec sizes

commit ff19ac8fb71e8a2bf07d61b959062998139c1104 upstream

In Linus's tree, the iovec code has been reworked massively, but in
older kernels the AIO layer should be checking this before passing the
request on to other layers.

Many thanks to Ben Hawkes of Google Project Zero for pointing out the
issue.

Bug: 28588279

Backported from 3.10 : Cyanogen
Conflicts:
        fs/aio.c

Reported-by: Ben Hawkes <hawkes@google.com>
Acked-by: Benjamin LaHaise <bcrl@kvack.org>
Tested-by: Willy Tarreau <w@1wt.eu>
[backported to 3.10 - willy]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

Change-Id: Id11bb629bd6afaf09b9db5a944e2d060972bc0f1
---

diff --git a/fs/aio.c b/fs/aio.c
index 67a6db3..70a611f 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1469,9 +1469,17 @@
 
 static ssize_t aio_setup_single_vector(struct kiocb *kiocb)
 {
+	size_t len = kiocb->ki_nbytes;
+
+	if (len > MAX_RW_COUNT)
+		len = MAX_RW_COUNT;
+
+	if (unlikely(!access_ok(!rw, kiocb->ki_buf, len)))
+                return -EFAULT;
+
 	kiocb->ki_iovec = &kiocb->ki_inline_vec;
 	kiocb->ki_iovec->iov_base = kiocb->ki_buf;
-	kiocb->ki_iovec->iov_len = kiocb->ki_left;
+	kiocb->ki_iovec->iov_len = len;
 	kiocb->ki_nr_segs = 1;
 	kiocb->ki_cur_seg = 0;
 	return 0;