diff options
author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-26 13:30:35 +0200 |
---|---|---|
committer | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-26 13:30:35 +0200 |
commit | 8675d0d71e339e0933de5aa1b354b74d8ce59d97 (patch) | |
tree | bf66a897829b99c07f3ee7dce9225af082381063 | |
parent | 6a68947178d47c7e473a0a4a25d73be51a252803 (diff) | |
download | enea-kernel-cache-8675d0d71e339e0933de5aa1b354b74d8ce59d97.tar.gz |
ARM: CVE-2018-9415
ARM: amba: Fix race condition with driver_override
Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=272c99cf85a371401b78f3c56a18745bf07817a3
Change-Id: I0c3cb9be270970fc21a11773c3710cfc61079d69
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.9.x.scc | 3 | ||||
-rw-r--r-- | patches/cve/CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch | 79 |
2 files changed, 82 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 788052b..491ffe4 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc | |||
@@ -6,3 +6,6 @@ SRC_URI += "file://CVE-2018-8781-drm-udl-Properly-check-framebuffer-mmap-offsets | |||
6 | 6 | ||
7 | #CVEs fixed in 4.9.96: | 7 | #CVEs fixed in 4.9.96: |
8 | SRC_URI += "file://CVE-2018-1108-random-fix-crng_ready-test.patch" | 8 | SRC_URI += "file://CVE-2018-1108-random-fix-crng_ready-test.patch" |
9 | |||
10 | #CVEs fixed in 4.9.98: | ||
11 | SRC_URI += "file://CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch" | ||
diff --git a/patches/cve/CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch b/patches/cve/CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch new file mode 100644 index 0000000..b488bae --- /dev/null +++ b/patches/cve/CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch | |||
@@ -0,0 +1,79 @@ | |||
1 | From 1869844a1fe2365f5f56513e610b912f0744722a Mon Sep 17 00:00:00 2001 | ||
2 | From: Andreas Wellving <andreas.wellving@enea.com> | ||
3 | Date: Thu, 25 Oct 2018 14:57:58 +0200 | ||
4 | Subject: [PATCH] ARM: amba: Fix race condition with driver_override | ||
5 | |||
6 | commit 6a7228d90d42bcacfe38786756ba62762b91c20a upstream. | ||
7 | |||
8 | The driver_override implementation is susceptible to a race condition | ||
9 | when different threads are reading vs storing a different driver | ||
10 | override. Add locking to avoid this race condition. | ||
11 | |||
12 | Cfr. commits 6265539776a0810b ("driver core: platform: fix race | ||
13 | condition with driver_override") and 9561475db680f714 ("PCI: Fix race | ||
14 | condition with driver_override"). | ||
15 | |||
16 | Fixes: 3cf385713460eb2b ("ARM: 8256/1: driver coamba: add device binding path 'driver_override'") | ||
17 | |||
18 | CVE: CVE-2018-9415 | ||
19 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=272c99cf85a371401b78f3c56a18745bf07817a3] | ||
20 | |||
21 | Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> | ||
22 | Reviewed-by: Todd Kjos <tkjos@google.com> | ||
23 | Cc: stable <stable@vger.kernel.org> | ||
24 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
25 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
26 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
27 | |||
28 | --- | ||
29 | drivers/amba/bus.c | 11 +++++++++-- | ||
30 | 1 file changed, 9 insertions(+), 2 deletions(-) | ||
31 | |||
32 | diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c | ||
33 | index a56fa2a1e9aa..6234a0fda40e 100644 | ||
34 | --- a/drivers/amba/bus.c | ||
35 | +++ b/drivers/amba/bus.c | ||
36 | @@ -69,11 +69,15 @@ static ssize_t driver_override_show(struct device *_dev, | ||
37 | struct device_attribute *attr, char *buf) | ||
38 | { | ||
39 | struct amba_device *dev = to_amba_device(_dev); | ||
40 | + ssize_t len; | ||
41 | |||
42 | if (!dev->driver_override) | ||
43 | return 0; | ||
44 | |||
45 | - return sprintf(buf, "%s\n", dev->driver_override); | ||
46 | + device_lock(_dev); | ||
47 | + len = sprintf(buf, "%s\n", dev->driver_override); | ||
48 | + device_unlock(_dev); | ||
49 | + return len; | ||
50 | } | ||
51 | |||
52 | static ssize_t driver_override_store(struct device *_dev, | ||
53 | @@ -81,7 +85,7 @@ static ssize_t driver_override_store(struct device *_dev, | ||
54 | const char *buf, size_t count) | ||
55 | { | ||
56 | struct amba_device *dev = to_amba_device(_dev); | ||
57 | - char *driver_override, *old = dev->driver_override, *cp; | ||
58 | + char *driver_override, *old, *cp; | ||
59 | |||
60 | if (count > PATH_MAX) | ||
61 | return -EINVAL; | ||
62 | @@ -94,12 +98,15 @@ static ssize_t driver_override_store(struct device *_dev, | ||
63 | if (cp) | ||
64 | *cp = '\0'; | ||
65 | |||
66 | + device_lock(_dev); | ||
67 | + old = dev->driver_override; | ||
68 | if (strlen(driver_override)) { | ||
69 | dev->driver_override = driver_override; | ||
70 | } else { | ||
71 | kfree(driver_override); | ||
72 | dev->driver_override = NULL; | ||
73 | } | ||
74 | + device_unlock(_dev); | ||
75 | |||
76 | kfree(old); | ||
77 | |||
78 | |||
79 | |||