linux-cavium: CVE-2017-8064

dvb_usb_core.c interacts incorrectly with the CONFIG_VMAP_STACK option

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8064

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Martin Borg <martin.borg@enea.com>

2 files changed, 66 insertions, 0 deletions

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8064.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8064.patch
new file mode 100644
index 0000000..05cf7a4
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8064.patch
@@ -0,0 +1,65 @@
+From 1992564156b5dc4ac73418e5b95e1a43f12f3cb1 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 2 Feb 2017 12:36:01 -0200
+Subject: [PATCH] dvb-usb-v2: avoid use-after-free
+
+commit 005145378c9ad7575a01b6ce1ba118fb427f583a upstream.
+
+I ran into a stack frame size warning because of the on-stack copy of
+the USB device structure:
+
+drivers/media/usb/dvb-usb-v2/dvb_usb_core.c: In function 'dvb_usbv2_disconnect':
+drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:1029:1: error: the frame size of 1104 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+
+Copying a device structure like this is wrong for a number of other reasons
+too aside from the possible stack overflow. One of them is that the
+dev_info() call will print the name of the device later, but AFAICT
+we have only copied a pointer to the name earlier and the actual name
+has been freed by the time it gets printed.
+
+This removes the on-stack copy of the device and instead copies the
+device name using kstrdup(). I'm ignoring the possible failure here
+as both printk() and kfree() are able to deal with NULL pointers.
+
+CVE: CVE-2017-8064
+Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=1992564156b5dc4ac73418e5b95e1a43f12f3cb1]
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/media/usb/dvb-usb-v2/dvb_usb_core.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
+index a8e6624..a9bb2dd 100644
+--- a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
++++ b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
+@@ -1013,8 +1013,8 @@ int dvb_usbv2_probe(struct usb_interface *intf,
+ void dvb_usbv2_disconnect(struct usb_interface *intf)
+ {
+        struct dvb_usb_device *d = usb_get_intfdata(intf);
+-       const char *name = d->name;
+-       struct device dev = d->udev->dev;
++       const char *devname = kstrdup(dev_name(&d->udev->dev), GFP_KERNEL);
++       const char *drvname = d->name;
+ 
+        dev_dbg(&d->udev->dev, "%s: bInterfaceNumber=%d\n", __func__,
+                        intf->cur_altsetting->desc.bInterfaceNumber);
+@@ -1024,8 +1024,9 @@ void dvb_usbv2_disconnect(struct usb_interface *intf)
+ 
+        dvb_usbv2_exit(d);
+ 
+-       dev_info(&dev, "%s: '%s' successfully deinitialized and disconnected\n",
+-                       KBUILD_MODNAME, name);
++       pr_info("%s: '%s:%s' successfully deinitialized and disconnected\n",
++               KBUILD_MODNAME, drvname, devname);
++       kfree(devname);
+ }
+ EXPORT_SYMBOL(dvb_usbv2_disconnect);
+ 
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index c11772a..8beb962 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -18,6 +18,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
            file://CVE-2017-7487.patch \
            file://CVE-2017-1000364.patch \
            file://CVE-2017-8063.patch \
+           file://CVE-2017-8064.patch \
            "
 
 LINUX_KERNEL_TYPE = "tiny"