linux-cavium: CVE-2017-8063

kernel: cxusb.c interacts incorrectly with the CONFIG_VMAP_STACK option Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8063 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-22 11:17:34 +0200
committer: Martin Borg <martin.borg@enea.com> 2017-09-22 14:14:09 +0200
commit: 598cd7cbf4afb8759a41b437e9b86b9de3f66965 (patch)
tree: 784cb90cb219b53c2aff62e75aa19438295fe276
parent: 43b5db409353d4316a2aad7e426fd713a4c01491 (diff)
download: meta-enea-bsp-arm-598cd7cbf4afb8759a41b437e9b86b9de3f66965.tar.gz
2 files changed, 71 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8063.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8063.patch
new file mode 100644
index 0000000..13a1ef0
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8063.patch
@@ -0,0 +1,70 @@
+From fb00319317c152bf3528df13a54c28bf8c5daa55 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20Br=C3=BCns?= <stefan.bruens@rwth-aachen.de>
+Date: Sun, 5 Feb 2017 12:57:59 -0200
+Subject: [PATCH] cxusb: Use a dma capable buffer also for reading
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+commit 3f190e3aec212fc8c61e202c51400afa7384d4bc upstream.
+Commit 17ce039b4e54 ("[media] cxusb: don't do DMA on stack")
+added a kmalloc'ed bounce buffer for writes, but missed to do the same
+for reads. As the read only happens after the write is finished, we can
+reuse the same buffer.
+As dvb_usb_generic_rw handles a read length of 0 by itself, avoid calling
+it using the dvb_usb_generic_read wrapper function.
+CVE: CVE-2017-8063
+Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=fb00319317c152bf3528df13a54c28bf8c5daa55]
+Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Cc: Brad Spengler <spender@grsecurity.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/media/usb/dvb-usb/cxusb.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
+index 2434030..9fd43a3 100644
+--- a/drivers/media/usb/dvb-usb/cxusb.c
+++ b/drivers/media/usb/dvb-usb/cxusb.c
+@@ -59,23 +59,24 @@ static int cxusb_ctrl_msg(struct dvb_usb_device *d,
+                          u8 cmd, u8 *wbuf, int wlen, u8 *rbuf, int rlen)
+ {
+        struct cxusb_state *st = d->priv;
+-       int ret, wo;
+       int ret;
+ 
+        if (1 + wlen > MAX_XFER_SIZE) {
+                warn("i2c wr: len=%d is too big!\n", wlen);
+                return -EOPNOTSUPP;
+        }
+ 
+-       wo = (rbuf == NULL || rlen == 0); /* write-only */
+       if (rlen > MAX_XFER_SIZE) {
+               warn("i2c rd: len=%d is too big!\n", rlen);
+               return -EOPNOTSUPP;
+       }
+ 
+        mutex_lock(&d->data_mutex);
+        st->data[0] = cmd;
+        memcpy(&st->data[1], wbuf, wlen);
+-       if (wo)
+-               ret = dvb_usb_generic_write(d, st->data, 1 + wlen);
+-       else
+-               ret = dvb_usb_generic_rw(d, st->data, 1 + wlen,
+-                                        rbuf, rlen, 0);
+       ret = dvb_usb_generic_rw(d, st->data, 1 + wlen, st->data, rlen, 0);
+       if (!ret && rbuf && rlen)
+               memcpy(rbuf, st->data, rlen);
+ 
+        mutex_unlock(&d->data_mutex);
+        return ret;
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index 4508583..c11772a 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -17,6 +17,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
           file://dts \
           file://CVE-2017-7487.patch \
           file://CVE-2017-1000364.patch \
+           file://CVE-2017-8063.patch \
           "
 LINUX_KERNEL_TYPE = "tiny"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-22 11:17:34 +0200
committer	Martin Borg <martin.borg@enea.com>	2017-09-22 14:14:09 +0200
commit	598cd7cbf4afb8759a41b437e9b86b9de3f66965 (patch)
tree	784cb90cb219b53c2aff62e75aa19438295fe276
parent	43b5db409353d4316a2aad7e426fd713a4c01491 (diff)
download	meta-enea-bsp-arm-598cd7cbf4afb8759a41b437e9b86b9de3f66965.tar.gz

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8063.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8063.patch new file mode 100644 index 0000000..13a1ef0 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8063.patch
@@ -0,0 +1,70 @@
		1	From fb00319317c152bf3528df13a54c28bf8c5daa55 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Stefan=20Br=C3=BCns?= <stefan.bruens@rwth-aachen.de>
		3	Date: Sun, 5 Feb 2017 12:57:59 -0200
		4	Subject: [PATCH] cxusb: Use a dma capable buffer also for reading
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	commit 3f190e3aec212fc8c61e202c51400afa7384d4bc upstream.
		10
		11	Commit 17ce039b4e54 ("[media] cxusb: don't do DMA on stack")
		12	added a kmalloc'ed bounce buffer for writes, but missed to do the same
		13	for reads. As the read only happens after the write is finished, we can
		14	reuse the same buffer.
		15
		16	As dvb_usb_generic_rw handles a read length of 0 by itself, avoid calling
		17	it using the dvb_usb_generic_read wrapper function.
		18
		19	CVE: CVE-2017-8063
		20	Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=fb00319317c152bf3528df13a54c28bf8c5daa55]
		21
		22	Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
		23	Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
		24	Cc: Ben Hutchings <ben@decadent.org.uk>
		25	Cc: Brad Spengler <spender@grsecurity.net>
		26	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		27	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		28	---
		29	drivers/media/usb/dvb-usb/cxusb.c \| 15 ++++++++-------
		30	1 file changed, 8 insertions(+), 7 deletions(-)
		31
		32	diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
		33	index 2434030..9fd43a3 100644
		34	--- a/drivers/media/usb/dvb-usb/cxusb.c
		35	+++ b/drivers/media/usb/dvb-usb/cxusb.c
		36	@@ -59,23 +59,24 @@ static int cxusb_ctrl_msg(struct dvb_usb_device *d,
		37	u8 cmd, u8 wbuf, int wlen, u8 rbuf, int rlen)
		38	{
		39	struct cxusb_state *st = d->priv;
		40	- int ret, wo;
		41	+ int ret;
		42
		43	if (1 + wlen > MAX_XFER_SIZE) {
		44	warn("i2c wr: len=%d is too big!\n", wlen);
		45	return -EOPNOTSUPP;
		46	}
		47
		48	- wo = (rbuf == NULL \|\| rlen == 0); /* write-only */
		49	+ if (rlen > MAX_XFER_SIZE) {
		50	+ warn("i2c rd: len=%d is too big!\n", rlen);
		51	+ return -EOPNOTSUPP;
		52	+ }
		53
		54	mutex_lock(&d->data_mutex);
		55	st->data[0] = cmd;
		56	memcpy(&st->data[1], wbuf, wlen);
		57	- if (wo)
		58	- ret = dvb_usb_generic_write(d, st->data, 1 + wlen);
		59	- else
		60	- ret = dvb_usb_generic_rw(d, st->data, 1 + wlen,
		61	- rbuf, rlen, 0);
		62	+ ret = dvb_usb_generic_rw(d, st->data, 1 + wlen, st->data, rlen, 0);
		63	+ if (!ret && rbuf && rlen)
		64	+ memcpy(rbuf, st->data, rlen);
		65
		66	mutex_unlock(&d->data_mutex);
		67	return ret;
		68	--
		69	1.9.1
		70


diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index 4508583..c11772a 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -17,6 +17,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
17	file://dts \	17	file://dts \
18	file://CVE-2017-7487.patch \	18	file://CVE-2017-7487.patch \
19	file://CVE-2017-1000364.patch \	19	file://CVE-2017-1000364.patch \
		20	file://CVE-2017-8063.patch \
20	"	21	"
21		22
22	LINUX_KERNEL_TYPE = "tiny"	23	LINUX_KERNEL_TYPE = "tiny"