linux-cavium: CVE-2017-8067

virtio_console.c interacts incorrectly with the CONFIG_VMAP_STACK option

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8067

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Martin Borg <martin.borg@enea.com>

2 files changed, 59 insertions, 0 deletions

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8067.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8067.patch
new file mode 100644
index 0000000..457bd89
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8067.patch
@@ -0,0 +1,58 @@
+From 86c6667f6a5f6bdb392d8ffbe58fbcbcf6db2704 Mon Sep 17 00:00:00 2001
+From: Omar Sandoval <osandov@fb.com>
+Date: Wed, 1 Feb 2017 00:02:27 -0800
+Subject: [PATCH] virtio-console: avoid DMA from stack
+
+commit c4baad50297d84bde1a7ad45e50c73adae4a2192 upstream.
+
+put_chars() stuffs the buffer it gets into an sg, but that buffer may be
+on the stack. This breaks with CONFIG_VMAP_STACK=y (for me, it
+manifested as printks getting turned into NUL bytes).
+
+CVE: CVE-2017-8067
+Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=86c6667f6a5f6bdb392d8ffbe58fbcbcf6db2704]
+
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Cc: Brad Spengler <spender@grsecurity.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/char/virtio_console.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
+index 5649234..471a301 100644
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -1136,6 +1136,8 @@ static int put_chars(u32 vtermno, const char *buf, int count)
+ {
+        struct port *port;
+        struct scatterlist sg[1];
++       void *data;
++       int ret;
+ 
+        if (unlikely(early_put_chars))
+                return early_put_chars(vtermno, buf, count);
+@@ -1144,8 +1146,14 @@ static int put_chars(u32 vtermno, const char *buf, int count)
+        if (!port)
+                return -EPIPE;
+ 
+-       sg_init_one(sg, buf, count);
+-       return __send_to_port(port, sg, 1, count, (void *)buf, false);
++       data = kmemdup(buf, count, GFP_ATOMIC);
++       if (!data)
++               return -ENOMEM;
++
++       sg_init_one(sg, data, count);
++       ret = __send_to_port(port, sg, 1, count, data, false);
++       kfree(data);
++       return ret;
+ }
+ 
+ /*
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index d8c3adb..b0d7ea5 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -20,6 +20,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
            file://CVE-2017-8063.patch \
            file://CVE-2017-8064.patch \
            file://CVE-2017-8066.patch \
+           file://CVE-2017-8067.patch \
            "
 
 LINUX_KERNEL_TYPE = "tiny"