linux-cavium: CVE-2017-8069

rtl8150.c interacts incorrectly with the CONFIG_VMAP_STACK option Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8069 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-22 11:17:39 +0200
committer: Martin Borg <martin.borg@enea.com> 2017-09-22 14:14:26 +0200
commit: 79b2f0f1e6b568dd5611118d7d0610e1df610e10 (patch)
tree: 0c6d207dec24d12a4e884967baf75f49959405b4
parent: 7529dbc5f89205edfdcd5efcc4c431f9a39566e0 (diff)
download: meta-enea-bsp-arm-79b2f0f1e6b568dd5611118d7d0610e1df610e10.tar.gz
2 files changed, 74 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8069.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8069.patch
new file mode 100644
index 0000000..11a3ee2
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8069.patch
@@ -0,0 +1,73 @@
+From e898f6f008aa91c154c9c8fb7be3fb9ec4d333ec Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 4 Feb 2017 16:56:32 +0000
+Subject: [PATCH] rtl8150: Use heap buffers for all register access
+[ Upstream commit 7926aff5c57b577ab0f43364ff0c59d968f6a414 ]
+Allocating USB buffers on the stack is not portable, and no longer
+works on x86_64 (with VMAP_STACK enabled as per default).
+CVE: CVE-2017-8069
+Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=e898f6f008aa91c154c9c8fb7be3fb9ec4d333ec]
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/net/usb/rtl8150.c | 34 +++++++++++++++++++++++++++-------
+ 1 file changed, 27 insertions(+), 7 deletions(-)
+diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
+index 7c72bfa..dc4f7ea 100644
+--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
+@@ -155,16 +155,36 @@ struct async_req {
+ */
+ static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
+ {
+-       return usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
+-                              RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
+-                              indx, 0, data, size, 500);
+       void *buf;
+       int ret;
+
+       buf = kmalloc(size, GFP_NOIO);
+       if (!buf)
+               return -ENOMEM;
+
+       ret = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
+                             RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
+                             indx, 0, buf, size, 500);
+       if (ret > 0 && ret <= size)
+               memcpy(data, buf, ret);
+       kfree(buf);
+       return ret;
+ }
+ 
+-static int set_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
+static int set_registers(rtl8150_t * dev, u16 indx, u16 size, const void *data)
+ {
+-       return usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
+-                              RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE,
+-                              indx, 0, data, size, 500);
+       void *buf;
+       int ret;
+
+       buf = kmemdup(data, size, GFP_NOIO);
+       if (!buf)
+               return -ENOMEM;
+
+       ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
+                             RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE,
+                             indx, 0, buf, size, 500);
+       kfree(buf);
+       return ret;
+ }
+ 
+ static void async_set_reg_cb(struct urb *urb)
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index 9115ece..8b7fe31 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -22,6 +22,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
           file://CVE-2017-8066.patch \
           file://CVE-2017-8067.patch \
           file://CVE-2017-8068.patch \
+           file://CVE-2017-8069.patch \
           "
 LINUX_KERNEL_TYPE = "tiny"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-22 11:17:39 +0200
committer	Martin Borg <martin.borg@enea.com>	2017-09-22 14:14:26 +0200
commit	79b2f0f1e6b568dd5611118d7d0610e1df610e10 (patch)
tree	0c6d207dec24d12a4e884967baf75f49959405b4
parent	7529dbc5f89205edfdcd5efcc4c431f9a39566e0 (diff)
download	meta-enea-bsp-arm-79b2f0f1e6b568dd5611118d7d0610e1df610e10.tar.gz

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8069.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8069.patch new file mode 100644 index 0000000..11a3ee2 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8069.patch
@@ -0,0 +1,73 @@
		1	From e898f6f008aa91c154c9c8fb7be3fb9ec4d333ec Mon Sep 17 00:00:00 2001
		2	From: Ben Hutchings <ben@decadent.org.uk>
		3	Date: Sat, 4 Feb 2017 16:56:32 +0000
		4	Subject: [PATCH] rtl8150: Use heap buffers for all register access
		5
		6	[ Upstream commit 7926aff5c57b577ab0f43364ff0c59d968f6a414 ]
		7
		8	Allocating USB buffers on the stack is not portable, and no longer
		9	works on x86_64 (with VMAP_STACK enabled as per default).
		10
		11	CVE: CVE-2017-8069
		12	Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=e898f6f008aa91c154c9c8fb7be3fb9ec4d333ec]
		13
		14	Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
		15	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
		16	Signed-off-by: David S. Miller <davem@davemloft.net>
		17	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		18	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		19	---
		20	drivers/net/usb/rtl8150.c \| 34 +++++++++++++++++++++++++++-------
		21	1 file changed, 27 insertions(+), 7 deletions(-)
		22
		23	diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
		24	index 7c72bfa..dc4f7ea 100644
		25	--- a/drivers/net/usb/rtl8150.c
		26	+++ b/drivers/net/usb/rtl8150.c
		27	@@ -155,16 +155,36 @@ struct async_req {
		28	*/
		29	static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
		30	{
		31	- return usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
		32	- RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
		33	- indx, 0, data, size, 500);
		34	+ void *buf;
		35	+ int ret;
		36	+
		37	+ buf = kmalloc(size, GFP_NOIO);
		38	+ if (!buf)
		39	+ return -ENOMEM;
		40	+
		41	+ ret = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
		42	+ RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
		43	+ indx, 0, buf, size, 500);
		44	+ if (ret > 0 && ret <= size)
		45	+ memcpy(data, buf, ret);
		46	+ kfree(buf);
		47	+ return ret;
		48	}
		49
		50	-static int set_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
		51	+static int set_registers(rtl8150_t * dev, u16 indx, u16 size, const void *data)
		52	{
		53	- return usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
		54	- RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE,
		55	- indx, 0, data, size, 500);
		56	+ void *buf;
		57	+ int ret;
		58	+
		59	+ buf = kmemdup(data, size, GFP_NOIO);
		60	+ if (!buf)
		61	+ return -ENOMEM;
		62	+
		63	+ ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
		64	+ RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE,
		65	+ indx, 0, buf, size, 500);
		66	+ kfree(buf);
		67	+ return ret;
		68	}
		69
		70	static void async_set_reg_cb(struct urb *urb)
		71	--
		72	1.9.1
		73


diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index 9115ece..8b7fe31 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -22,6 +22,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
22	file://CVE-2017-8066.patch \	22	file://CVE-2017-8066.patch \
23	file://CVE-2017-8067.patch \	23	file://CVE-2017-8067.patch \
24	file://CVE-2017-8068.patch \	24	file://CVE-2017-8068.patch \
		25	file://CVE-2017-8069.patch \
25	"	26	"
26		27
27	LINUX_KERNEL_TYPE = "tiny"	28	LINUX_KERNEL_TYPE = "tiny"