linux-cavium: CVE-2017-8831

Double fetch vulnerability in saa7164_bus_get function Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8831 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-29 15:05:15 +0200
committer: Martin Borg <martin.borg@enea.com> 2017-10-02 09:41:30 +0200
commit: 5484a6476e1dad17e22357c3bb84bfdaaf7cea3e (patch)
tree: e11128886d915d3e3ac4849c278714e23a5a976f
parent: 5374c76b359fa7a773453e7d4232025ddc11e2fb (diff)
download: meta-enea-bsp-arm-5484a6476e1dad17e22357c3bb84bfdaaf7cea3e.tar.gz
2 files changed, 76 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8831.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8831.patch
new file mode 100644
index 0000000..cfa533a
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8831.patch
@@ -0,0 +1,75 @@
+From 354dd3924a2e43806774953de536257548b5002c Mon Sep 17 00:00:00 2001
+From: Steven Toth <stoth@kernellabs.com>
+Date: Tue, 6 Jun 2017 08:30:27 -0400
+Subject: [PATCH] [PATCH] saa7164: Bug - Double fetch PCIe access condition
+Avoid a double fetch by reusing the values from the prior transfer.
+Originally reported via https://bugzilla.kernel.org/show_bug.cgi?id=195559
+Thanks to Pengfei Wang <wpengfeinudt@gmail.com> for reporting.
+CVE: CVE-2017-8831
+Upstream-Status: Backport [backport from ...
+Signed-off-by: Steven Toth <stoth@kernellabs.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/media/pci/saa7164/saa7164-bus.c | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+diff --git a/drivers/media/pci/saa7164/saa7164-bus.c b/drivers/media/pci/saa7164/saa7164-bus.c
+index b2ff82fa7116..ecfeac5cdbed 100644
+--- a/drivers/media/pci/saa7164/saa7164-bus.c
+++ b/drivers/media/pci/saa7164/saa7164-bus.c
+@@ -389,11 +389,11 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
+        msg_tmp.size = le16_to_cpu((__force __le16)msg_tmp.size);
+        msg_tmp.command = le32_to_cpu((__force __le32)msg_tmp.command);
+        msg_tmp.controlselector = le16_to_cpu((__force __le16)msg_tmp.controlselector);
+       memcpy(msg, &msg_tmp, sizeof(*msg));
+ 
+        /* No need to update the read positions, because this was a peek */
+        /* If the caller specifically want to peek, return */
+        if (peekonly) {
+-               memcpy(msg, &msg_tmp, sizeof(*msg));
+                goto peekout;
+        }
+ 
+@@ -438,21 +438,15 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
+                space_rem = bus->m_dwSizeGetRing - curr_grp;
+ 
+                if (space_rem < sizeof(*msg)) {
+-                       /* msg wraps around the ring */
+-                       memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, space_rem);
+-                       memcpy_fromio((u8 *)msg + space_rem, bus->m_pdwGetRing,
+-                               sizeof(*msg) - space_rem);
+                        if (buf)
+                                memcpy_fromio(buf, bus->m_pdwGetRing + sizeof(*msg) -
+                                        space_rem, buf_size);
+ 
+                } else if (space_rem == sizeof(*msg)) {
+-                       memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
+                        if (buf)
+                                memcpy_fromio(buf, bus->m_pdwGetRing, buf_size);
+                } else {
+                        /* Additional data wraps around the ring */
+-                       memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
+                        if (buf) {
+                                memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp +
+                                        sizeof(*msg), space_rem - sizeof(*msg));
+@@ -465,15 +459,10 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
+ 
+        } else {
+                /* No wrapping */
+-               memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
+                if (buf)
+                        memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + sizeof(*msg),
+                                buf_size);
+        }
+-       /* Convert from little endian to CPU */
+-       msg->size = le16_to_cpu((__force __le16)msg->size);
+-       msg->command = le32_to_cpu((__force __le32)msg->command);
+-       msg->controlselector = le16_to_cpu((__force __le16)msg->controlselector);
+ 
+        /* Update the read positions, adjusting the ring */
+        saa7164_writel(bus->m_dwGetReadPos, new_grp);
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index 6e79f44..0089d62 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -36,6 +36,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
           file://CVE-2017-8067.patch \
           file://CVE-2017-8068.patch \
           file://CVE-2017-8069.patch \
+           file://CVE-2017-8831.patch \
           file://CVE-2017-1000364.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-29 15:05:15 +0200
committer	Martin Borg <martin.borg@enea.com>	2017-10-02 09:41:30 +0200
commit	5484a6476e1dad17e22357c3bb84bfdaaf7cea3e (patch)
tree	e11128886d915d3e3ac4849c278714e23a5a976f
parent	5374c76b359fa7a773453e7d4232025ddc11e2fb (diff)
download	meta-enea-bsp-arm-5484a6476e1dad17e22357c3bb84bfdaaf7cea3e.tar.gz

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8831.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8831.patch new file mode 100644 index 0000000..cfa533a --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8831.patch
@@ -0,0 +1,75 @@
		1	From 354dd3924a2e43806774953de536257548b5002c Mon Sep 17 00:00:00 2001
		2	From: Steven Toth <stoth@kernellabs.com>
		3	Date: Tue, 6 Jun 2017 08:30:27 -0400
		4	Subject: [PATCH] [PATCH] saa7164: Bug - Double fetch PCIe access condition
		5
		6	Avoid a double fetch by reusing the values from the prior transfer.
		7
		8	Originally reported via https://bugzilla.kernel.org/show_bug.cgi?id=195559
		9
		10	Thanks to Pengfei Wang <wpengfeinudt@gmail.com> for reporting.
		11
		12	CVE: CVE-2017-8831
		13	Upstream-Status: Backport [backport from ...
		14
		15	Signed-off-by: Steven Toth <stoth@kernellabs.com>
		16	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		17	---
		18	drivers/media/pci/saa7164/saa7164-bus.c \| 13 +------------
		19	1 file changed, 1 insertion(+), 12 deletions(-)
		20
		21	diff --git a/drivers/media/pci/saa7164/saa7164-bus.c b/drivers/media/pci/saa7164/saa7164-bus.c
		22	index b2ff82fa7116..ecfeac5cdbed 100644
		23	--- a/drivers/media/pci/saa7164/saa7164-bus.c
		24	+++ b/drivers/media/pci/saa7164/saa7164-bus.c
		25	@@ -389,11 +389,11 @@ int saa7164_bus_get(struct saa7164_dev dev, struct tmComResInfo msg,
		26	msg_tmp.size = le16_to_cpu((__force __le16)msg_tmp.size);
		27	msg_tmp.command = le32_to_cpu((__force __le32)msg_tmp.command);
		28	msg_tmp.controlselector = le16_to_cpu((__force __le16)msg_tmp.controlselector);
		29	+ memcpy(msg, &msg_tmp, sizeof(*msg));
		30
		31	/* No need to update the read positions, because this was a peek */
		32	/* If the caller specifically want to peek, return */
		33	if (peekonly) {
		34	- memcpy(msg, &msg_tmp, sizeof(*msg));
		35	goto peekout;
		36	}
		37
		38	@@ -438,21 +438,15 @@ int saa7164_bus_get(struct saa7164_dev dev, struct tmComResInfo msg,
		39	space_rem = bus->m_dwSizeGetRing - curr_grp;
		40
		41	if (space_rem < sizeof(*msg)) {
		42	- /* msg wraps around the ring */
		43	- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, space_rem);
		44	- memcpy_fromio((u8 *)msg + space_rem, bus->m_pdwGetRing,
		45	- sizeof(*msg) - space_rem);
		46	if (buf)
		47	memcpy_fromio(buf, bus->m_pdwGetRing + sizeof(*msg) -
		48	space_rem, buf_size);
		49
		50	} else if (space_rem == sizeof(*msg)) {
		51	- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
		52	if (buf)
		53	memcpy_fromio(buf, bus->m_pdwGetRing, buf_size);
		54	} else {
		55	/* Additional data wraps around the ring */
		56	- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
		57	if (buf) {
		58	memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp +
		59	sizeof(msg), space_rem - sizeof(msg));
		60	@@ -465,15 +459,10 @@ int saa7164_bus_get(struct saa7164_dev dev, struct tmComResInfo msg,
		61
		62	} else {
		63	/* No wrapping */
		64	- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
		65	if (buf)
		66	memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + sizeof(*msg),
		67	buf_size);
		68	}
		69	- /* Convert from little endian to CPU */
		70	- msg->size = le16_to_cpu((__force __le16)msg->size);
		71	- msg->command = le32_to_cpu((__force __le32)msg->command);
		72	- msg->controlselector = le16_to_cpu((__force __le16)msg->controlselector);
		73
		74	/* Update the read positions, adjusting the ring */
		75	saa7164_writel(bus->m_dwGetReadPos, new_grp);


diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index 6e79f44..0089d62 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -36,6 +36,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
36	file://CVE-2017-8067.patch \	36	file://CVE-2017-8067.patch \
37	file://CVE-2017-8068.patch \	37	file://CVE-2017-8068.patch \
38	file://CVE-2017-8069.patch \	38	file://CVE-2017-8069.patch \
		39	file://CVE-2017-8831.patch \
39	file://CVE-2017-1000364.patch \	40	file://CVE-2017-1000364.patch \
40	"	41	"
41		42