author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-09-29 15:05:15 +0200 |
---|---|---|
committer | Martin Borg <martin.borg@enea.com> | 2017-10-02 09:41:30 +0200 |
commit | 5484a6476e1dad17e22357c3bb84bfdaaf7cea3e (patch) | |
tree | e11128886d915d3e3ac4849c278714e23a5a976f | |
parent | 5374c76b359fa7a773453e7d4232025ddc11e2fb (diff) | |
download | meta-enea-bsp-arm-5484a6476e1dad17e22357c3bb84bfdaaf7cea3e.tar.gz |
linux-cavium: CVE-2017-8831
Double fetch vulnerability in saa7164_bus_get function
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8831
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Martin Borg <martin.borg@enea.com>
-rw-r--r-- | recipes-kernel/linux/linux-cavium/CVE-2017-8831.patch | 75 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-cavium_4.9.inc | 1 |
2 files changed, 76 insertions, 0 deletions
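--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8831.patch
@@ -0,0 +1,75 @@
+From 354dd3924a2e43806774953de536257548b5002c Mon Sep 17 00:00:00 2001
+From: Steven Toth <stoth@kernellabs.com>
+Date: Tue, 6 Jun 2017 08:30:27 -0400
+Subject: [PATCH] [PATCH] saa7164: Bug - Double fetch PCIe access condition
+
+Avoid a double fetch by reusing the values from the prior transfer.
+
+Originally reported via https://bugzilla.kernel.org/show_bug.cgi?id=195559
+
+Thanks to Pengfei Wang <wpengfeinudt@gmail.com> for reporting.
+
+CVE: CVE-2017-8831
+Upstream-Status: Backport [backport from ...
+
+Signed-off-by: Steven Toth <stoth@kernellabs.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+drivers/media/pci/saa7164/saa7164-bus.c | 13 +------------
+1 file changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/drivers/media/pci/saa7164/saa7164-bus.c b/drivers/media/pci/saa7164/saa7164-bus.c
+index b2ff82fa7116..ecfeac5cdbed 100644
+--- a/drivers/media/pci/saa7164/saa7164-bus.c
++++ b/drivers/media/pci/saa7164/saa7164-bus.c
+@@ -389,11 +389,11 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
+msg_tmp.size = le16_to_cpu((__force __le16)msg_tmp.size);
+msg_tmp.command = le32_to_cpu((__force __le32)msg_tmp.command);
+msg_tmp.controlselector = le16_to_cpu((__force __le16)msg_tmp.controlselector);
++ memcpy(msg, &msg_tmp, sizeof(*msg));
+
+/* No need to update the read positions, because this was a peek */
+/* If the caller specifically want to peek, return */
+if (peekonly) {
+- memcpy(msg, &msg_tmp, sizeof(*msg));
+goto peekout;
+}
+
+@@ -438,21 +438,15 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
+space_rem = bus->m_dwSizeGetRing - curr_grp;
+
+if (space_rem < sizeof(*msg)) {
+- /* msg wraps around the ring */
+- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, space_rem);
+- memcpy_fromio((u8 *)msg + space_rem, bus->m_pdwGetRing,
+- sizeof(*msg) - space_rem);
+if (buf)
+memcpy_fromio(buf, bus->m_pdwGetRing + sizeof(*msg) -
+space_rem, buf_size);
+
+} else if (space_rem == sizeof(*msg)) {
+- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
+if (buf)
+memcpy_fromio(buf, bus->m_pdwGetRing, buf_size);
+} else {
+/* Additional data wraps around the ring */
+- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
+if (buf) {
+memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp +
+sizeof(*msg), space_rem - sizeof(*msg));
+@@ -465,15 +459,10 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
+
+} else {
+/* No wrapping */
+- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
+if (buf)
+memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + sizeof(*msg),
+buf_size);
+}
+- /* Convert from little endian to CPU */
+- msg->size = le16_to_cpu((__force __le16)msg->size);
+- msg->command = le32_to_cpu((__force __le32)msg->command);
+- msg->controlselector = le16_to_cpu((__force __le16)msg->controlselector);
+
+/* Update the read positions, adjusting the ring */
+saa7164_writel(bus->m_dwGetReadPos, new_grp);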
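Review bot: In the embedded `@@ -389,11 +389,11 @@` hunk, `memcpy(msg, &msg_tmp, sizeof(*msg));` now runs before the `if (peekonly)` test, so on the non-peek path the caller's `msg` is overwritten with the header just read from the device before the rest of `saa7164_bus_get` runs. The code between this hunk and the `@@ -438` hunk is not shown; if it compares `msg_tmp` with the caller's expected `msg` fields or takes `buf_size` from `msg->size`, those checks would now compare device data with itself and the length of the `memcpy_fromio(buf, ...)` copies would be device-supplied, so this should be confirmed against the full function. A shape that removes the double fetch without that side effect is to leave the copy inside the peek branch and repeat `memcpy(msg, &msg_tmp, sizeof(*msg));` only after the header has been validated, just before the payload copy. Separately, `Upstream-Status: Backport [backport from ...` should name the upstream commit, e.g. `Upstream-Status: Backport [<upstream commit id>]`, so the fix can be traced and dropped at the next kernel uprev.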
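--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -36,6 +36,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
 file://CVE-2017-8067.patch \
 file://CVE-2017-8068.patch \
 file://CVE-2017-8069.patch \
+file://CVE-2017-8831.patch \
 file://CVE-2017-1000364.patch \
 "
 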