[git.ipfire.org] IPFire 2.x development tree branch, next, updated. 32ce7ab402ffe7cd93ea273af95d5f3d4791a612

[Michael Tremer <git@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3632 bytes --]

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  32ce7ab402ffe7cd93ea273af95d5f3d4791a612 (commit)
      from  6fe4eb60948f405fda7c06929baffbf3c6be2e85 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 32ce7ab402ffe7cd93ea273af95d5f3d4791a612
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Mar 8 09:59:43 2022 +0000

    linux: Fix for CVE-2022-0847 aka Dirty Pipe
    
    https://dirtypipe.cm4all.com
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 lfs/linux                                   |  3 ++
 src/patches/kernel-5.15-CVE-2022-0847.patch | 46 +++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 src/patches/kernel-5.15-CVE-2022-0847.patch

Difference in files:
diff --git a/lfs/linux b/lfs/linux
index fae9715ec..346deb6f8 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -146,6 +146,9 @@ ifeq "$(BUILD_ARCH)" "aarch64"
 endif
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-3.14.79-amba-fix.patch
 
+	# Fix for CVE-2022-0847 aka Dirty Pipe
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/kernel-5.15-CVE-2022-0847.patch
+
 ifeq "$(KCFG)" "-headers"
 	# Install the header files
 	cd $(DIR_APP) && make ARCH=$(HEADERS_ARCH) $(EXTRAMAKE) headers
diff --git a/src/patches/kernel-5.15-CVE-2022-0847.patch b/src/patches/kernel-5.15-CVE-2022-0847.patch
new file mode 100644
index 000000000..5279916c2
--- /dev/null
+++ b/src/patches/kernel-5.15-CVE-2022-0847.patch
@@ -0,0 +1,46 @@
+From 114e9f141822e6977633d322c1b03e89bd209932 Mon Sep 17 00:00:00 2001
+From: Max Kellermann <max.kellermann(a)ionos.com>
+Date: Mon, 21 Feb 2022 11:03:13 +0100
+Subject: [PATCH] lib/iov_iter: initialize "flags" in new pipe_buffer
+
+commit 9d2231c5d74e13b2a0546fee6737ee4446017903 upstream.
+
+The functions copy_page_to_iter_pipe() and push_pipe() can both
+allocate a new pipe_buffer, but the "flags" member initializer is
+missing.
+
+Fixes: 241699cd72a8 ("new iov_iter flavour: pipe-backed")
+To: Alexander Viro <viro(a)zeniv.linux.org.uk>
+To: linux-fsdevel(a)vger.kernel.org
+To: linux-kernel(a)vger.kernel.org
+Cc: stable(a)vger.kernel.org
+Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com>
+Signed-off-by: Al Viro <viro(a)zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
+---
+ lib/iov_iter.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/iov_iter.c b/lib/iov_iter.c
+index 60b5e6edfbaa..c5b2f0f4b8a8 100644
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -416,6 +416,7 @@ static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t by
+ 		return 0;
+ 
+ 	buf->ops = &page_cache_pipe_buf_ops;
++	buf->flags = 0;
+ 	get_page(page);
+ 	buf->page = page;
+ 	buf->offset = offset;
+@@ -532,6 +533,7 @@ static size_t push_pipe(struct iov_iter *i, size_t size,
+ 			break;
+ 
+ 		buf->ops = &default_pipe_buf_ops;
++		buf->flags = 0;
+ 		buf->page = page;
+ 		buf->offset = 0;
+ 		buf->len = min_t(ssize_t, left, PAGE_SIZE);
+-- 
+2.30.2
+


hooks/post-receive
--
IPFire 2.x development tree