linux-cavium: CVE-2017-7487

call ipxitf_put() in ioctl error path References: https://nvd.nist.gov/vuln/detail/CVE-2017-7487 Upstream patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.50&id=820adccd0e3be9bdd2384ca8fc4712108cfdf28b Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-22 11:17:32 +0200
committer: Martin Borg <martin.borg@enea.com> 2017-09-22 14:14:03 +0200
commit: 00c79cf926477f504e42be8b1c8ec074e671b955 (patch)
tree: 4590d3d23d7c1b5704810c2b4505f55b025dd33a
parent: ae3f51df465f5450db9ef2f63793d39cf0501a75 (diff)
download: meta-enea-bsp-arm-00c79cf926477f504e42be8b1c8ec074e671b955.tar.gz
2 files changed, 40 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-7487.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-7487.patch
new file mode 100644
index 0000000..41849fe
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-7487.patch
@@ -0,0 +1,39 @@
+From ee0d8d8482345ff97a75a7d747efc309f13b0d80 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 2 May 2017 13:58:53 +0300
+Subject: [PATCH] ipx: call ipxitf_put() in ioctl error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+We should call ipxitf_put() if the copy_to_user() fails.
+CVE: CVE-2017-7487
+Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.50&id=820adccd0e3be9bdd2384ca8fc4712108cfdf28b]
+Reported-by: 李强 <liqiang6-s@360.cn>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/ipx/af_ipx.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
+index 8a9219ff2e77e..fa31ef29e3fa0 100644
+--- a/net/ipx/af_ipx.c
+++ b/net/ipx/af_ipx.c
+@@ -1168,11 +1168,10 @@ static int ipxitf_ioctl(unsigned int cmd, void __user *arg)
+                sipx->sipx_network      = ipxif->if_netnum;
+                memcpy(sipx->sipx_node, ipxif->if_node,
+                        sizeof(sipx->sipx_node));
+-               rc = -EFAULT;
+               rc = 0;
+                if (copy_to_user(arg, &ifr, sizeof(ifr)))
+-                       break;
+                       rc = -EFAULT;
+                ipxitf_put(ipxif);
+-               rc = 0;
+                break;
+        }
+        case SIOCAIPXITFCRT:
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index feb37da..3a4eeb5 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -15,6 +15,7 @@ KENEABRANCH = "cavium-4.9"
 SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machine;branch=${KBRANCH} \
           git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-cache \
           file://dts \
+           file://CVE-2017-7487.patch \
           "
 LINUX_KERNEL_TYPE = "tiny"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-22 11:17:32 +0200
committer	Martin Borg <martin.borg@enea.com>	2017-09-22 14:14:03 +0200
commit	00c79cf926477f504e42be8b1c8ec074e671b955 (patch)
tree	4590d3d23d7c1b5704810c2b4505f55b025dd33a
parent	ae3f51df465f5450db9ef2f63793d39cf0501a75 (diff)
download	meta-enea-bsp-arm-00c79cf926477f504e42be8b1c8ec074e671b955.tar.gz

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-7487.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-7487.patch new file mode 100644 index 0000000..41849fe --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-7487.patch
@@ -0,0 +1,39 @@
		1	From ee0d8d8482345ff97a75a7d747efc309f13b0d80 Mon Sep 17 00:00:00 2001
		2	From: Dan Carpenter <dan.carpenter@oracle.com>
		3	Date: Tue, 2 May 2017 13:58:53 +0300
		4	Subject: [PATCH] ipx: call ipxitf_put() in ioctl error path
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	We should call ipxitf_put() if the copy_to_user() fails.
		10
		11	CVE: CVE-2017-7487
		12	Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.50&id=820adccd0e3be9bdd2384ca8fc4712108cfdf28b]
		13
		14	Reported-by: 李强 <liqiang6-s@360.cn>
		15	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
		16	Signed-off-by: David S. Miller <davem@davemloft.net>
		17	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		18	---
		19	net/ipx/af_ipx.c \| 5 ++---
		20	1 file changed, 2 insertions(+), 3 deletions(-)
		21
		22	diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
		23	index 8a9219ff2e77e..fa31ef29e3fa0 100644
		24	--- a/net/ipx/af_ipx.c
		25	+++ b/net/ipx/af_ipx.c
		26	@@ -1168,11 +1168,10 @@ static int ipxitf_ioctl(unsigned int cmd, void __user *arg)
		27	sipx->sipx_network = ipxif->if_netnum;
		28	memcpy(sipx->sipx_node, ipxif->if_node,
		29	sizeof(sipx->sipx_node));
		30	- rc = -EFAULT;
		31	+ rc = 0;
		32	if (copy_to_user(arg, &ifr, sizeof(ifr)))
		33	- break;
		34	+ rc = -EFAULT;
		35	ipxitf_put(ipxif);
		36	- rc = 0;
		37	break;
		38	}
		39	case SIOCAIPXITFCRT:


diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index feb37da..3a4eeb5 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -15,6 +15,7 @@ KENEABRANCH = "cavium-4.9"
15	SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machine;branch=${KBRANCH} \	15	SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machine;branch=${KBRANCH} \
16	git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-cache \	16	git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-cache \
17	file://dts \	17	file://dts \
		18	file://CVE-2017-7487.patch \
18	"	19	"
19		20
20	LINUX_KERNEL_TYPE = "tiny"	21	LINUX_KERNEL_TYPE = "tiny"