Overhaul CVE patches

Patches/Linux_CVEs-New/CVE-2012-6703/ANY/1.patch

@@ -0,0 +1,31 @@
+From 81ce573830e9d5531531b3ec778c58e6b9167bcd Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 5 Sep 2012 15:32:18 +0300
+Subject: [PATCH] ALSA: compress_core: integer overflow in
+ snd_compr_allocate_buffer()
+
+These are 32 bit values that come from the user, we need to check for
+integer overflows or we could end up allocating a smaller buffer than
+expected.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/core/compress_offload.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
+index eb60cb8dbb8a6..68fe02c7400a2 100644
+--- a/sound/core/compress_offload.c
++++ b/sound/core/compress_offload.c
+@@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
+ 	unsigned int buffer_size;
+ 	void *buffer;
+ 
++	if (params->buffer.fragment_size == 0 ||
++	    params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
++		return -EINVAL;
++
+ 	buffer_size = params->buffer.fragment_size * params->buffer.fragments;
+ 	if (stream->ops->copy) {
+ 		buffer = NULL;

Patches/Linux_CVEs-New/CVE-2012-6703/ANY/2.patch

@@ -0,0 +1,66 @@
+From 4dc040a0b34890d2adc0d63da6e9bfb4eb791b19 Mon Sep 17 00:00:00 2001
+From: Vinod Koul <vinod.koul@linux.intel.com>
+Date: Mon, 17 Sep 2012 11:51:25 +0530
+Subject: [PATCH] ALSA: compress - move the buffer check
+
+Commit ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
+added a new error check for input params.
+this add new routine for input checks and moves buffer overflow check to this
+new routine. This allows the error value to be propogated to user space
+
+Signed-off-by: Vinod Koul <vinod.koul@linux.intel.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/core/compress_offload.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
+index 68fe02c7400a2..bd7f28e892540 100644
+--- a/sound/core/compress_offload.c
++++ b/sound/core/compress_offload.c
+@@ -407,10 +407,6 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
+ 	unsigned int buffer_size;
+ 	void *buffer;
+ 
+-	if (params->buffer.fragment_size == 0 ||
+-	    params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+-		return -EINVAL;
+-
+ 	buffer_size = params->buffer.fragment_size * params->buffer.fragments;
+ 	if (stream->ops->copy) {
+ 		buffer = NULL;
+@@ -429,6 +425,16 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
+ 	return 0;
+ }
+ 
++static int snd_compress_check_input(struct snd_compr_params *params)
++{
++	/* first let's check the buffer parameter's */
++	if (params->buffer.fragment_size == 0 ||
++			params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
++		return -EINVAL;
++
++	return 0;
++}
++
+ static int
+ snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg)
+ {
+@@ -447,11 +453,17 @@ snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg)
+ 			retval = -EFAULT;
+ 			goto out;
+ 		}
++
++		retval = snd_compress_check_input(params);
++		if (retval)
++			goto out;
++
+ 		retval = snd_compr_allocate_buffer(stream, params);
+ 		if (retval) {
+ 			retval = -ENOMEM;
+ 			goto out;
+ 		}
++
+ 		retval = stream->ops->set_params(stream, params);
+ 		if (retval)
+ 			goto out;

Patches/Linux_CVEs-New/CVE-2014-4656/3.2/1.patch

@@ -0,0 +1,39 @@
+From f7500568b7633324e7c4282bb8baa3ff3f17fd7a Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Wed, 18 Jun 2014 13:32:35 +0200
+Subject: ALSA: control: Make sure that id->index does not overflow
+
+commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream.
+
+The ALSA control code expects that the range of assigned indices to a control is
+continuous and does not overflow. Currently there are no checks to enforce this.
+If a control with a overflowing index range is created that control becomes
+effectively inaccessible and unremovable since snd_ctl_find_id() will not be
+able to find it. This patch adds a check that makes sure that controls with a
+overflowing index range can not be created.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Acked-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/core/control.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/core/control.c b/sound/core/control.c
+index d3f17de..9210594 100644
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -341,6 +341,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
+ 	if (snd_BUG_ON(!card || !kcontrol->info))
+ 		goto error;
+ 	id = kcontrol->id;
++	if (id.index > UINT_MAX - kcontrol->count)
++		goto error;
++
+ 	down_write(&card->controls_rwsem);
+ 	if (snd_ctl_find_id(card, &id)) {
+ 		up_write(&card->controls_rwsem);
+-- 
+cgit v1.1
+

Patches/Linux_CVEs-New/CVE-2014-9420/ANY/0.patch

@@ -0,0 +1,52 @@
+From f54e18f1b831c92f6512d2eedb224cd63d607d3d Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 15 Dec 2014 14:22:46 +0100
+Subject: [PATCH] isofs: Fix infinite looping over CE entries
+
+Rock Ridge extensions define so called Continuation Entries (CE) which
+define where is further space with Rock Ridge data. Corrupted isofs
+image can contain arbitrarily long chain of these, including a one
+containing loop and thus causing kernel to end in an infinite loop when
+traversing these entries.
+
+Limit the traversal to 32 entries which should be more than enough space
+to store all the Rock Ridge data.
+
+Reported-by: P J P <ppandit@redhat.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+---
+ fs/isofs/rock.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index f488bbae541ac..bb63254ed8486 100644
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -30,6 +30,7 @@ struct rock_state {
+ 	int cont_size;
+ 	int cont_extent;
+ 	int cont_offset;
++	int cont_loops;
+ 	struct inode *inode;
+ };
+ 
+@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
+ 	rs->inode = inode;
+ }
+ 
++/* Maximum number of Rock Ridge continuation entries */
++#define RR_MAX_CE_ENTRIES 32
++
+ /*
+  * Returns 0 if the caller should continue scanning, 1 if the scan must end
+  * and -ve on error.
+@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
+ 			goto out;
+ 		}
+ 		ret = -EIO;
++		if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
++			goto out;
+ 		bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
+ 		if (bh) {
+ 			memcpy(rs->buffer, bh->b_data + rs->cont_offset,

Patches/Linux_CVEs-New/CVE-2014-9683/3.2/1.patch

@@ -0,0 +1,37 @@
+From f2d130454e46c3989af1b4f882b6a666d24fa2e0 Mon Sep 17 00:00:00 2001
+From: Michael Halcrow <mhalcrow@google.com>
+Date: Wed, 26 Nov 2014 09:09:16 -0800
+Subject: eCryptfs: Remove buggy and unnecessary write in file name decode
+ routine
+
+commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.
+
+Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
+end of the allocated buffer during encrypted filename decoding. This
+fix corrects the issue by getting rid of the unnecessary 0 write when
+the current bit offset is 2.
+
+Signed-off-by: Michael Halcrow <mhalcrow@google.com>
+Reported-by: Dmitry Chernenkov <dmitryc@google.com>
+Suggested-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ecryptfs/crypto.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
+index 68b19ab..dceedec 100644
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -2038,7 +2038,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
+ 			break;
+ 		case 2:
+ 			dst[dst_byte_offset++] |= (src_byte);
+-			dst[dst_byte_offset] = 0;
+ 			current_bit_offset = 0;
+ 			break;
+ 		}
+-- 
+cgit v1.1
+

Patches/Linux_CVEs-New/CVE-2014-9715/3.2/1.patch

@@ -0,0 +1,56 @@
+From 33eedfe8ecbaabcdc38be63901cb2b79e3190fda Mon Sep 17 00:00:00 2001
+From: Andrey Vagin <avagin@openvz.org>
+Date: Fri, 28 Mar 2014 13:54:32 +0400
+Subject: netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len
+
+commit 223b02d923ecd7c84cf9780bb3686f455d279279 upstream.
+
+"len" contains sizeof(nf_ct_ext) and size of extensions. In a worst
+case it can contain all extensions. Bellow you can find sizes for all
+types of extensions. Their sum is definitely bigger than 256.
+
+nf_ct_ext_types[0]->len = 24
+nf_ct_ext_types[1]->len = 32
+nf_ct_ext_types[2]->len = 24
+nf_ct_ext_types[3]->len = 32
+nf_ct_ext_types[4]->len = 152
+nf_ct_ext_types[5]->len = 2
+nf_ct_ext_types[6]->len = 16
+nf_ct_ext_types[7]->len = 8
+
+I have seen "len" up to 280 and my host has crashes w/o this patch.
+
+The right way to fix this problem is reducing the size of the ecache
+extension (4) and Florian is going to do this, but these changes will
+be quite large to be appropriate for a stable tree.
+
+Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable)
+Cc: Pablo Neira Ayuso <pablo@netfilter.org>
+Cc: Patrick McHardy <kaber@trash.net>
+Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Andrey Vagin <avagin@openvz.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/net/netfilter/nf_conntrack_extend.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
+index 2dcf317..d918074 100644
+--- a/include/net/netfilter/nf_conntrack_extend.h
++++ b/include/net/netfilter/nf_conntrack_extend.h
+@@ -33,8 +33,8 @@ enum nf_ct_ext_id {
+ /* Extensions: optional stuff which isn't permanently in struct. */
+ struct nf_ct_ext {
+ 	struct rcu_head rcu;
+-	u8 offset[NF_CT_EXT_NUM];
+-	u8 len;
++	u16 offset[NF_CT_EXT_NUM];
++	u16 len;
+ 	char data[0];
+ };
+ 
+-- 
+cgit v1.1
+

Patches/Linux_CVEs-New/CVE-2014-9778/ANY/0.patch

@@ -0,0 +1,48 @@
+From af85054aa6a1bcd38be2354921f2f80aef1440e5 Mon Sep 17 00:00:00 2001
+From: "Pachika, Vikas Reddy" <vpachi@codeaurora.org>
+Date: Fri, 1 Nov 2013 21:06:37 +0530
+Subject: msm: vidc: Validate userspace buffer count
+
+Makesure the number of buffers count is less than
+the maximum limit to avoid structure overflow errors.
+
+Change-Id: Icf3850de36325637ae43ac95f1c8f0f63e201d31
+CRs-fixed: 563694
+Signed-off-by: Pachika, Vikas Reddy <vpachi@codeaurora.org>
+---
+ drivers/video/msm/vidc/common/dec/vdec.c | 6 ++++++
+ include/media/msm/vidc_init.h            | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/drivers/video/msm/vidc/common/dec/vdec.c b/drivers/video/msm/vidc/common/dec/vdec.c
+index a843889..b45100f 100644
+--- a/drivers/video/msm/vidc/common/dec/vdec.c
++++ b/drivers/video/msm/vidc/common/dec/vdec.c
+@@ -1201,6 +1201,12 @@ static u32 vid_dec_set_h264_mv_buffers(struct video_client_ctx *client_ctx,
+ 	vcd_h264_mv_buffer->pmem_fd = mv_data->pmem_fd;
+ 	vcd_h264_mv_buffer->offset = mv_data->offset;
+ 
++	if (mv_data->count > MAX_MV_BUFFERS) {
++		ERR("MV buffers maximum count reached, count = %d",
++			mv_data->count);
++		return false;
++	}
++
+ 	if (!vcd_get_ion_status()) {
+ 		if (get_pmem_file(vcd_h264_mv_buffer->pmem_fd,
+ 			(unsigned long *) (&(vcd_h264_mv_buffer->
+diff --git a/include/media/msm/vidc_init.h b/include/media/msm/vidc_init.h
+index c35f770..5df0c3e 100644
+--- a/include/media/msm/vidc_init.h
++++ b/include/media/msm/vidc_init.h
+@@ -20,6 +20,7 @@
+ #define VIDC_MAX_NUM_CLIENTS 4
+ #define MAX_VIDEO_NUM_OF_BUFF 100
+ #define MAX_META_BUFFERS 32
++#define MAX_MV_BUFFERS 32
+ 
+ enum buffer_dir {
+ 	BUFFER_TYPE_INPUT,
+-- 
+cgit v1.1
+