linux-cavium: CVE-2017-8068

pegasus.c interacts incorrectly with the CONFIG_VMAP_STACK option Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8068 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-22 11:17:38 +0200
committer: Martin Borg <martin.borg@enea.com> 2017-09-22 14:14:23 +0200
commit: 7529dbc5f89205edfdcd5efcc4c431f9a39566e0 (patch)
tree: 679993d4cbaf74578141bbbe6e5e4c763d2576d6
parent: 3368e0822dc6b48f3a3603512636761a3cab6ea3 (diff)
download: meta-enea-bsp-arm-7529dbc5f89205edfdcd5efcc4c431f9a39566e0.tar.gz
2 files changed, 102 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8068.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8068.patch
new file mode 100644
index 0000000..3529b21
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8068.patch
@@ -0,0 +1,101 @@
+From 878b015bcc726560b13be2d906caf6923428f05d Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 4 Feb 2017 16:56:03 +0000
+Subject: [PATCH] pegasus: Use heap buffers for all register access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+[ Upstream commit 5593523f968bc86d42a035c6df47d5e0979b5ace ]
+Allocating USB buffers on the stack is not portable, and no longer
+works on x86_64 (with VMAP_STACK enabled as per default).
+CVE: CVE-2017-8068
+Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=878b015bcc726560b13be2d906caf6923428f05d]
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+References: https://bugs.debian.org/852556
+Reported-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
+Tested-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/net/usb/pegasus.c | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
+index 1434e5d..ee40ac2 100644
+--- a/drivers/net/usb/pegasus.c
+++ b/drivers/net/usb/pegasus.c
+@@ -126,40 +126,61 @@ static void async_ctrl_callback(struct urb *urb)
+ 
+ static int get_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data)
+ {
+       u8 *buf;
+        int ret;
+ 
+       buf = kmalloc(size, GFP_NOIO);
+       if (!buf)
+               return -ENOMEM;
+
+        ret = usb_control_msg(pegasus->usb, usb_rcvctrlpipe(pegasus->usb, 0),
+                              PEGASUS_REQ_GET_REGS, PEGASUS_REQT_READ, 0,
+-                             indx, data, size, 1000);
+                             indx, buf, size, 1000);
+        if (ret < 0)
+                netif_dbg(pegasus, drv, pegasus->net,
+                          "%s returned %d\n", __func__, ret);
+       else if (ret <= size)
+               memcpy(data, buf, ret);
+       kfree(buf);
+        return ret;
+ }
+ 
+-static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data)
+static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size,
+                        const void *data)
+ {
+       u8 *buf;
+        int ret;
+ 
+       buf = kmemdup(data, size, GFP_NOIO);
+       if (!buf)
+               return -ENOMEM;
+
+        ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
+                              PEGASUS_REQ_SET_REGS, PEGASUS_REQT_WRITE, 0,
+-                             indx, data, size, 100);
+                             indx, buf, size, 100);
+        if (ret < 0)
+                netif_dbg(pegasus, drv, pegasus->net,
+                          "%s returned %d\n", __func__, ret);
+       kfree(buf);
+        return ret;
+ }
+ 
+ static int set_register(pegasus_t *pegasus, __u16 indx, __u8 data)
+ {
+       u8 *buf;
+        int ret;
+ 
+       buf = kmemdup(&data, 1, GFP_NOIO);
+       if (!buf)
+               return -ENOMEM;
+
+        ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
+                              PEGASUS_REQ_SET_REG, PEGASUS_REQT_WRITE, data,
+-                             indx, &data, 1, 1000);
+                             indx, buf, 1, 1000);
+        if (ret < 0)
+                netif_dbg(pegasus, drv, pegasus->net,
+                          "%s returned %d\n", __func__, ret);
+       kfree(buf);
+        return ret;
+ }
+ 
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index b0d7ea5..9115ece 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -21,6 +21,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
           file://CVE-2017-8064.patch \
           file://CVE-2017-8066.patch \
           file://CVE-2017-8067.patch \
+           file://CVE-2017-8068.patch \
           "
 LINUX_KERNEL_TYPE = "tiny"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-22 11:17:38 +0200
committer	Martin Borg <martin.borg@enea.com>	2017-09-22 14:14:23 +0200
commit	7529dbc5f89205edfdcd5efcc4c431f9a39566e0 (patch)
tree	679993d4cbaf74578141bbbe6e5e4c763d2576d6
parent	3368e0822dc6b48f3a3603512636761a3cab6ea3 (diff)
download	meta-enea-bsp-arm-7529dbc5f89205edfdcd5efcc4c431f9a39566e0.tar.gz

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8068.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8068.patch new file mode 100644 index 0000000..3529b21 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8068.patch
@@ -0,0 +1,101 @@
		1	From 878b015bcc726560b13be2d906caf6923428f05d Mon Sep 17 00:00:00 2001
		2	From: Ben Hutchings <ben@decadent.org.uk>
		3	Date: Sat, 4 Feb 2017 16:56:03 +0000
		4	Subject: [PATCH] pegasus: Use heap buffers for all register access
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	[ Upstream commit 5593523f968bc86d42a035c6df47d5e0979b5ace ]
		10
		11	Allocating USB buffers on the stack is not portable, and no longer
		12	works on x86_64 (with VMAP_STACK enabled as per default).
		13
		14	CVE: CVE-2017-8068
		15	Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=878b015bcc726560b13be2d906caf6923428f05d]
		16
		17	Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
		18	References: https://bugs.debian.org/852556
		19	Reported-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
		20	Tested-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
		21	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
		22	Signed-off-by: David S. Miller <davem@davemloft.net>
		23	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		24	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		25	---
		26	drivers/net/usb/pegasus.c \| 29 +++++++++++++++++++++++++----
		27	1 file changed, 25 insertions(+), 4 deletions(-)
		28
		29	diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
		30	index 1434e5d..ee40ac2 100644
		31	--- a/drivers/net/usb/pegasus.c
		32	+++ b/drivers/net/usb/pegasus.c
		33	@@ -126,40 +126,61 @@ static void async_ctrl_callback(struct urb *urb)
		34
		35	static int get_registers(pegasus_t pegasus, __u16 indx, __u16 size, void data)
		36	{
		37	+ u8 *buf;
		38	int ret;
		39
		40	+ buf = kmalloc(size, GFP_NOIO);
		41	+ if (!buf)
		42	+ return -ENOMEM;
		43	+
		44	ret = usb_control_msg(pegasus->usb, usb_rcvctrlpipe(pegasus->usb, 0),
		45	PEGASUS_REQ_GET_REGS, PEGASUS_REQT_READ, 0,
		46	- indx, data, size, 1000);
		47	+ indx, buf, size, 1000);
		48	if (ret < 0)
		49	netif_dbg(pegasus, drv, pegasus->net,
		50	"%s returned %d\n", __func__, ret);
		51	+ else if (ret <= size)
		52	+ memcpy(data, buf, ret);
		53	+ kfree(buf);
		54	return ret;
		55	}
		56
		57	-static int set_registers(pegasus_t pegasus, __u16 indx, __u16 size, void data)
		58	+static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size,
		59	+ const void *data)
		60	{
		61	+ u8 *buf;
		62	int ret;
		63
		64	+ buf = kmemdup(data, size, GFP_NOIO);
		65	+ if (!buf)
		66	+ return -ENOMEM;
		67	+
		68	ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
		69	PEGASUS_REQ_SET_REGS, PEGASUS_REQT_WRITE, 0,
		70	- indx, data, size, 100);
		71	+ indx, buf, size, 100);
		72	if (ret < 0)
		73	netif_dbg(pegasus, drv, pegasus->net,
		74	"%s returned %d\n", __func__, ret);
		75	+ kfree(buf);
		76	return ret;
		77	}
		78
		79	static int set_register(pegasus_t *pegasus, __u16 indx, __u8 data)
		80	{
		81	+ u8 *buf;
		82	int ret;
		83
		84	+ buf = kmemdup(&data, 1, GFP_NOIO);
		85	+ if (!buf)
		86	+ return -ENOMEM;
		87	+
		88	ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
		89	PEGASUS_REQ_SET_REG, PEGASUS_REQT_WRITE, data,
		90	- indx, &data, 1, 1000);
		91	+ indx, buf, 1, 1000);
		92	if (ret < 0)
		93	netif_dbg(pegasus, drv, pegasus->net,
		94	"%s returned %d\n", __func__, ret);
		95	+ kfree(buf);
		96	return ret;
		97	}
		98
		99	--
		100	1.9.1
		101


diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index b0d7ea5..9115ece 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -21,6 +21,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
21	file://CVE-2017-8064.patch \	21	file://CVE-2017-8064.patch \
22	file://CVE-2017-8066.patch \	22	file://CVE-2017-8066.patch \
23	file://CVE-2017-8067.patch \	23	file://CVE-2017-8067.patch \
		24	file://CVE-2017-8068.patch \
24	"	25	"
25		26
26	LINUX_KERNEL_TYPE = "tiny"	27	LINUX_KERNEL_TYPE = "tiny"