[kernel/f21] Validate iovec range in sys_sendto/sys_recvfrom

[Josh Boyer]

commit c2afb20ca9490e308d6b08405647b349532dd247
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Mon Mar 23 15:09:12 2015 -0400

    Validate iovec range in sys_sendto/sys_recvfrom

 kernel.spec                                        |  5 +++
 ...e-the-range-we-feed-to-iov_iter_init-in-s.patch | 37 ++++++++++++++++++++++
 ...de-intel-Guard-against-stack-overflow-in-.patch |  1 -
 3 files changed, 42 insertions(+), 1 deletion(-)
---
diff --git a/kernel.spec b/kernel.spec
index 2cc688a..68aa348 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -654,6 +654,8 @@ Patch26172: x86-microcode-intel-Guard-against-stack-overflow-in-.patch
 Patch30000: kernel-arm64.patch
 Patch30001: aarch64-fix-tlb-issues.patch
 
+Patch26173: net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1418,6 +1420,8 @@ ApplyPatch kernel-arm64.patch -R
 %endif
 %endif
 
+ApplyPatch net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2278,6 +2282,7 @@ fi
 #                                    ||     ||
 %changelog
 * Mon Mar 23 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- Validate iovec range in sys_sendto/sys_recvfrom
 - CVE-2015-2666 execution in the early microcode loader (rhbz 1204724 1204722)
 
 * Mon Mar 23 2015 Peter Robinson <pbrobinson at fedoraproject.org>
diff --git a/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch b/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
new file mode 100644
index 0000000..70c28d7
--- /dev/null
+++ b/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
@@ -0,0 +1,37 @@
+From: Al Viro <viro at ZenIV.linux.org.uk>
+Date: Fri, 20 Mar 2015 17:41:43 +0000
+Subject: [PATCH] net: validate the range we feed to iov_iter_init() in
+ sys_sendto/sys_recvfrom
+
+Cc: stable at vger.kernel.org # v3.19
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/socket.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/socket.c b/net/socket.c
+index 418795caa897..d50e7ca6aeea 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1765,6 +1765,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
+ 
+ 	if (len > INT_MAX)
+ 		len = INT_MAX;
++	if (unlikely(!access_ok(VERIFY_READ, buff, len)))
++		return -EFAULT;
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (!sock)
+ 		goto out;
+@@ -1823,6 +1825,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+ 
+ 	if (size > INT_MAX)
+ 		size = INT_MAX;
++	if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
++		return -EFAULT;
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (!sock)
+ 		goto out;
+-- 
+2.1.0
+
diff --git a/x86-microcode-intel-Guard-against-stack-overflow-in-.patch b/x86-microcode-intel-Guard-against-stack-overflow-in-.patch
index 2123a46..5f1d232 100644
--- a/x86-microcode-intel-Guard-against-stack-overflow-in-.patch
+++ b/x86-microcode-intel-Guard-against-stack-overflow-in-.patch
@@ -1,4 +1,3 @@
-From 4423997d1e2f479f98b8f0c7ad733607f361ed76 Mon Sep 17 00:00:00 2001
 From: Quentin Casasnovas <quentin.casasnovas at oracle.com>
 Date: Tue, 3 Feb 2015 13:00:22 +0100
 Subject: [PATCH] x86/microcode/intel: Guard against stack overflow in the