author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-09-22 11:17:37 +0200 |
---|---|---|
committer | Martin Borg <martin.borg@enea.com> | 2017-09-22 14:14:19 +0200 |
commit | 3368e0822dc6b48f3a3603512636761a3cab6ea3 (patch) | |
tree | 3af03b3ddb0c77613b70895d473052eff10d5ce7 | |
parent | dbbe5f06c9db311b72e891437024aad064714813 (diff) | |
download | meta-enea-bsp-arm-3368e0822dc6b48f3a3603512636761a3cab6ea3.tar.gz |
linux-cavium: CVE-2017-8067
virtio_console.c interacts incorrectly with the CONFIG_VMAP_STACK option
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8067
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Martin Borg <martin.borg@enea.com>
-rw-r--r-- | recipes-kernel/linux/linux-cavium/CVE-2017-8067.patch | 58 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-cavium_4.9.inc | 1 |
2 files changed, 59 insertions, 0 deletions
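diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8067.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8067.patch
new file mode 100644
index 0000000..457bd89
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8067.patch
@@ -0,0 +1,58 @@
+From 86c6667f6a5f6bdb392d8ffbe58fbcbcf6db2704 Mon Sep 17 00:00:00 2001
+From: Omar Sandoval <osandov@fb.com>
+Date: Wed, 1 Feb 2017 00:02:27 -0800
+Subject: [PATCH] virtio-console: avoid DMA from stack
+
+commit c4baad50297d84bde1a7ad45e50c73adae4a2192 upstream.
+
+put_chars() stuffs the buffer it gets into an sg, but that buffer may be
+on the stack. This breaks with CONFIG_VMAP_STACK=y (for me, it
+manifested as printks getting turned into NUL bytes).
+
+CVE: CVE-2017-8067
+Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=86c6667f6a5f6bdb392d8ffbe58fbcbcf6db2704]
+
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Cc: Brad Spengler <spender@grsecurity.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+drivers/char/virtio_console.c | 12 ++++++++++--
+1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
+index 5649234..471a301 100644
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -1136,6 +1136,8 @@ static int put_chars(u32 vtermno, const char *buf, int count)
+{
+struct port *port;
+struct scatterlist sg[1];
++ void *data;
++ int ret;
+
+if (unlikely(early_put_chars))
+return early_put_chars(vtermno, buf, count);
+@@ -1144,8 +1146,14 @@ static int put_chars(u32 vtermno, const char *buf, int count)
+if (!port)
+return -EPIPE;
+
+- sg_init_one(sg, buf, count);
+- return __send_to_port(port, sg, 1, count, (void *)buf, false);
++ data = kmemdup(buf, count, GFP_ATOMIC);
++ if (!data)
++ return -ENOMEM;
++
++ sg_init_one(sg, data, count);
++ ret = __send_to_port(port, sg, 1, count, data, false);
++ kfree(data);
++ return ret;
+}
+
+/*
+--
+1.9.1
+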
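Review bot: In put_chars() the new `kfree(data)` runs immediately after `__send_to_port(port, sg, 1, count, data, false)`, which is only safe if the blocking (`false`) path does not return until the device has finished reading the buffer. That behaviour is not visible in this hunk, so it should be confirmed against the linux-cavium 4.9 tree this backport is applied to and recorded in a comment such as `/* __send_to_port() with nonblock == false waits for the host to consume data, so it can be freed here */`. Separately, `count` is an `int` passed to `kmemdup()` as a length, so a negative value would presumably become a very large allocation request and surface as -ENOMEM rather than being rejected up front; a short note on the caller contract for `count` would make that explicit. The part of put_chars() between the two hunks is not shown here.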
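diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index d8c3adb..b0d7ea5 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -20,6 +20,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
 file://CVE-2017-8063.patch \
 file://CVE-2017-8064.patch \
 file://CVE-2017-8066.patch \
+file://CVE-2017-8067.patch \
 "
 
 LINUX_KERNEL_TYPE = "tiny"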