2 files changed, 42 insertions, 0 deletions
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch b/meta-fsl-ppc/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch
new file mode 100644
index 000000000..0cd9c958a
--- /dev/null
+++ b/meta-fsl-ppc/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch
@@ -0,0 +1,41 @@
+From 8ffea99d6f2be99790611282f326da95a84a8cab Mon Sep 17 00:00:00 2001
+From: Michael Halcrow <mhalcrow@google.com>
+Date: Wed, 26 Nov 2014 09:09:16 -0800
+Subject: [PATCH] eCryptfs: Remove buggy and unnecessary write in file name
+ decode routine
+commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.
+Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
+end of the allocated buffer during encrypted filename decoding. This
+fix corrects the issue by getting rid of the unnecessary 0 write when
+the current bit offset is 2.
+Fixes CVE-2014-9683
+Upstream-Status: Backport
+Signed-off-by: Michael Halcrow <mhalcrow@google.com>
+Reported-by: Dmitry Chernenkov <dmitryc@google.com>
+Suggested-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/ecryptfs/crypto.c | 1 -
+ 1 file changed, 1 deletion(-)
+diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
+index 000eae2..bf926f7 100644
+--- a/fs/ecryptfs/crypto.c
+++ b/fs/ecryptfs/crypto.c
+@@ -1917,7 +1917,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
+                        break;
+                case 2:
+                        dst[dst_byte_offset++] |= (src_byte);
+-                       dst[dst_byte_offset] = 0;
+                        current_bit_offset = 0;
+                        break;
+                }
+-- 
+1.9.1
diff --git a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
index f082b0466..1e9e4761e 100644
--- a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -37,6 +37,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://fs-CVE-2014-4014.patch \
    file://tracing-CVE-2014-7825_CVE-2014-7826.patch \
    file://security-keys-CVE-2014-9529.patch \
+    file://eCryptfs-CVE-2014-9683.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"

diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch b/meta-fsl-ppc/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch new file mode 100644 index 000000000..0cd9c958a --- /dev/null +++ b/meta-fsl-ppc/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch
@@ -0,0 +1,41 @@
		1	From 8ffea99d6f2be99790611282f326da95a84a8cab Mon Sep 17 00:00:00 2001
		2	From: Michael Halcrow <mhalcrow@google.com>
		3	Date: Wed, 26 Nov 2014 09:09:16 -0800
		4	Subject: [PATCH] eCryptfs: Remove buggy and unnecessary write in file name
		5	decode routine
		6
		7	commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.
		8
		9	Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
		10	end of the allocated buffer during encrypted filename decoding. This
		11	fix corrects the issue by getting rid of the unnecessary 0 write when
		12	the current bit offset is 2.
		13
		14	Fixes CVE-2014-9683
		15	Upstream-Status: Backport
		16
		17	Signed-off-by: Michael Halcrow <mhalcrow@google.com>
		18	Reported-by: Dmitry Chernenkov <dmitryc@google.com>
		19	Suggested-by: Kees Cook <keescook@chromium.org>
		20	Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
		21	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		22	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		23	---
		24	fs/ecryptfs/crypto.c \| 1 -
		25	1 file changed, 1 deletion(-)
		26
		27	diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
		28	index 000eae2..bf926f7 100644
		29	--- a/fs/ecryptfs/crypto.c
		30	+++ b/fs/ecryptfs/crypto.c
		31	@@ -1917,7 +1917,6 @@ ecryptfs_decode_from_filename(unsigned char dst, size_t dst_size,
		32	break;
		33	case 2:
		34	dst[dst_byte_offset++] \|= (src_byte);
		35	- dst[dst_byte_offset] = 0;
		36	current_bit_offset = 0;
		37	break;
		38	}
		39	--
		40	1.9.1
		41


diff --git a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb index f082b0466..1e9e4761e 100644 --- a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -37,6 +37,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
37	file://fs-CVE-2014-4014.patch \	37	file://fs-CVE-2014-4014.patch \
38	file://tracing-CVE-2014-7825_CVE-2014-7826.patch \	38	file://tracing-CVE-2014-7825_CVE-2014-7826.patch \
39	file://security-keys-CVE-2014-9529.patch \	39	file://security-keys-CVE-2014-9529.patch \
		40	file://eCryptfs-CVE-2014-9683.patch \
40	"	41	"
41	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	42	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
42		43