diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-09-22 11:17:34 +0200 |
---|---|---|
committer | Martin Borg <martin.borg@enea.com> | 2017-09-22 14:14:09 +0200 |
commit | 598cd7cbf4afb8759a41b437e9b86b9de3f66965 (patch) | |
tree | 784cb90cb219b53c2aff62e75aa19438295fe276 | |
parent | 43b5db409353d4316a2aad7e426fd713a4c01491 (diff) | |
download | meta-enea-bsp-arm-598cd7cbf4afb8759a41b437e9b86b9de3f66965.tar.gz |
linux-cavium: CVE-2017-8063
kernel: cxusb.c interacts incorrectly with the CONFIG_VMAP_STACK option
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8063
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Martin Borg <martin.borg@enea.com>
-rw-r--r-- | recipes-kernel/linux/linux-cavium/CVE-2017-8063.patch | 70 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-cavium_4.9.inc | 1 |
2 files changed, 71 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8063.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8063.patch new file mode 100644 index 0000000..13a1ef0 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8063.patch | |||
@@ -0,0 +1,70 @@ | |||
1 | From fb00319317c152bf3528df13a54c28bf8c5daa55 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Stefan=20Br=C3=BCns?= <stefan.bruens@rwth-aachen.de> | ||
3 | Date: Sun, 5 Feb 2017 12:57:59 -0200 | ||
4 | Subject: [PATCH] cxusb: Use a dma capable buffer also for reading | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | commit 3f190e3aec212fc8c61e202c51400afa7384d4bc upstream. | ||
10 | |||
11 | Commit 17ce039b4e54 ("[media] cxusb: don't do DMA on stack") | ||
12 | added a kmalloc'ed bounce buffer for writes, but missed to do the same | ||
13 | for reads. As the read only happens after the write is finished, we can | ||
14 | reuse the same buffer. | ||
15 | |||
16 | As dvb_usb_generic_rw handles a read length of 0 by itself, avoid calling | ||
17 | it using the dvb_usb_generic_read wrapper function. | ||
18 | |||
19 | CVE: CVE-2017-8063 | ||
20 | Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=fb00319317c152bf3528df13a54c28bf8c5daa55] | ||
21 | |||
22 | Signed-off-by: Stefan BrĂ¼ns <stefan.bruens@rwth-aachen.de> | ||
23 | Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> | ||
24 | Cc: Ben Hutchings <ben@decadent.org.uk> | ||
25 | Cc: Brad Spengler <spender@grsecurity.net> | ||
26 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
27 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
28 | --- | ||
29 | drivers/media/usb/dvb-usb/cxusb.c | 15 ++++++++------- | ||
30 | 1 file changed, 8 insertions(+), 7 deletions(-) | ||
31 | |||
32 | diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c | ||
33 | index 2434030..9fd43a3 100644 | ||
34 | --- a/drivers/media/usb/dvb-usb/cxusb.c | ||
35 | +++ b/drivers/media/usb/dvb-usb/cxusb.c | ||
36 | @@ -59,23 +59,24 @@ static int cxusb_ctrl_msg(struct dvb_usb_device *d, | ||
37 | u8 cmd, u8 *wbuf, int wlen, u8 *rbuf, int rlen) | ||
38 | { | ||
39 | struct cxusb_state *st = d->priv; | ||
40 | - int ret, wo; | ||
41 | + int ret; | ||
42 | |||
43 | if (1 + wlen > MAX_XFER_SIZE) { | ||
44 | warn("i2c wr: len=%d is too big!\n", wlen); | ||
45 | return -EOPNOTSUPP; | ||
46 | } | ||
47 | |||
48 | - wo = (rbuf == NULL || rlen == 0); /* write-only */ | ||
49 | + if (rlen > MAX_XFER_SIZE) { | ||
50 | + warn("i2c rd: len=%d is too big!\n", rlen); | ||
51 | + return -EOPNOTSUPP; | ||
52 | + } | ||
53 | |||
54 | mutex_lock(&d->data_mutex); | ||
55 | st->data[0] = cmd; | ||
56 | memcpy(&st->data[1], wbuf, wlen); | ||
57 | - if (wo) | ||
58 | - ret = dvb_usb_generic_write(d, st->data, 1 + wlen); | ||
59 | - else | ||
60 | - ret = dvb_usb_generic_rw(d, st->data, 1 + wlen, | ||
61 | - rbuf, rlen, 0); | ||
62 | + ret = dvb_usb_generic_rw(d, st->data, 1 + wlen, st->data, rlen, 0); | ||
63 | + if (!ret && rbuf && rlen) | ||
64 | + memcpy(rbuf, st->data, rlen); | ||
65 | |||
66 | mutex_unlock(&d->data_mutex); | ||
67 | return ret; | ||
68 | -- | ||
69 | 1.9.1 | ||
70 | |||
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index 4508583..c11772a 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc | |||
@@ -17,6 +17,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi | |||
17 | file://dts \ | 17 | file://dts \ |
18 | file://CVE-2017-7487.patch \ | 18 | file://CVE-2017-7487.patch \ |
19 | file://CVE-2017-1000364.patch \ | 19 | file://CVE-2017-1000364.patch \ |
20 | file://CVE-2017-8063.patch \ | ||
20 | " | 21 | " |
21 | 22 | ||
22 | LINUX_KERNEL_TYPE = "tiny" | 23 | LINUX_KERNEL_TYPE = "tiny" |