2 files changed, 47 insertions, 0 deletions
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/target-CVE-2014-4027.patch b/meta-fsl-ppc/recipes-kernel/linux/files/target-CVE-2014-4027.patch
new file mode 100644
index 000000000..0f8b49c19
--- /dev/null
+++ b/meta-fsl-ppc/recipes-kernel/linux/files/target-CVE-2014-4027.patch
@@ -0,0 +1,46 @@
+From 186f32e2096c7d9cd9106b8dedd79c596f4c8398 Mon Sep 17 00:00:00 2001
+From: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
+Date: Mon, 16 Jun 2014 20:59:52 +0000
+Subject: [PATCH] target: Explicitly clear ramdisk_mcp backend pages
+[Note that a different patch to address the same issue went in during
+v3.15-rc1 (commit 4442dc8a), but includes a bunch of other changes that
+don't strictly apply to fixing the bug]
+This patch changes rd_allocate_sgl_table() to explicitly clear
+ramdisk_mcp backend memory pages by passing __GFP_ZERO into
+alloc_pages().
+This addresses a potential security issue where reading from a
+ramdisk_mcp could return sensitive information, and follows what
+>= v3.15 does to explicitly clear ramdisk_mcp memory at backend
+device initialization time.
+This fixes CVE-2014-4027
+Upstream-Status: Backport
+Reported-by: Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>
+Cc: Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/target/target_core_rd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/drivers/target/target_core_rd.c b/drivers/target/target_core_rd.c
+index 131327a..9f6bede 100644
+--- a/drivers/target/target_core_rd.c
+++ b/drivers/target/target_core_rd.c
+@@ -179,7 +179,7 @@ static int rd_build_device_space(struct rd_dev *rd_dev)
+                                                - 1;
+ 
+                for (j = 0; j < sg_per_table; j++) {
+-                       pg = alloc_pages(GFP_KERNEL, 0);
+                       pg = alloc_pages(GFP_KERNEL | __GFP_ZERO, 0);
+                        if (!pg) {
+                                pr_err("Unable to allocate scatterlist"
+                                        " pages for struct rd_dev_sg_table\n");
+-- 
+1.9.1
diff --git a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
index de1104654..a65c458de 100644
--- a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -29,6 +29,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://sctp-CVE-2014-7841.patch \
    file://0001-ALSA-CVE-2014-4656.patch \
    file://0002-ALSA-CVE-2014-4656.patch \
+    file://target-CVE-2014-4027.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"

diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/target-CVE-2014-4027.patch b/meta-fsl-ppc/recipes-kernel/linux/files/target-CVE-2014-4027.patch new file mode 100644 index 000000000..0f8b49c19 --- /dev/null +++ b/meta-fsl-ppc/recipes-kernel/linux/files/target-CVE-2014-4027.patch
@@ -0,0 +1,46 @@
		1	From 186f32e2096c7d9cd9106b8dedd79c596f4c8398 Mon Sep 17 00:00:00 2001
		2	From: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
		3	Date: Mon, 16 Jun 2014 20:59:52 +0000
		4	Subject: [PATCH] target: Explicitly clear ramdisk_mcp backend pages
		5
		6	[Note that a different patch to address the same issue went in during
		7	v3.15-rc1 (commit 4442dc8a), but includes a bunch of other changes that
		8	don't strictly apply to fixing the bug]
		9
		10	This patch changes rd_allocate_sgl_table() to explicitly clear
		11	ramdisk_mcp backend memory pages by passing __GFP_ZERO into
		12	alloc_pages().
		13
		14	This addresses a potential security issue where reading from a
		15	ramdisk_mcp could return sensitive information, and follows what
		16	>= v3.15 does to explicitly clear ramdisk_mcp memory at backend
		17	device initialization time.
		18
		19	This fixes CVE-2014-4027
		20	Upstream-Status: Backport
		21
		22	Reported-by: Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>
		23	Cc: Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>
		24	Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
		25	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		26	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		27	---
		28	drivers/target/target_core_rd.c \| 2 +-
		29	1 file changed, 1 insertion(+), 1 deletion(-)
		30
		31	diff --git a/drivers/target/target_core_rd.c b/drivers/target/target_core_rd.c
		32	index 131327a..9f6bede 100644
		33	--- a/drivers/target/target_core_rd.c
		34	+++ b/drivers/target/target_core_rd.c
		35	@@ -179,7 +179,7 @@ static int rd_build_device_space(struct rd_dev *rd_dev)
		36	- 1;
		37
		38	for (j = 0; j < sg_per_table; j++) {
		39	- pg = alloc_pages(GFP_KERNEL, 0);
		40	+ pg = alloc_pages(GFP_KERNEL \| __GFP_ZERO, 0);
		41	if (!pg) {
		42	pr_err("Unable to allocate scatterlist"
		43	" pages for struct rd_dev_sg_table\n");
		44	--
		45	1.9.1
		46


diff --git a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb index de1104654..a65c458de 100644 --- a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -29,6 +29,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
29	file://sctp-CVE-2014-7841.patch \	29	file://sctp-CVE-2014-7841.patch \
30	file://0001-ALSA-CVE-2014-4656.patch \	30	file://0001-ALSA-CVE-2014-4656.patch \
31	file://0002-ALSA-CVE-2014-4656.patch \	31	file://0002-ALSA-CVE-2014-4656.patch \
		32	file://target-CVE-2014-4027.patch \
32	"	33	"
33	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	34	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
34		35