linux-cavium: CVE-2017-8066

gs_usb.c interacts incorrectly with the CONFIG_VMAP_STACK option Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8066 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-22 11:17:36 +0200
committer: Martin Borg <martin.borg@enea.com> 2017-09-22 14:14:16 +0200
commit: dbbe5f06c9db311b72e891437024aad064714813 (patch)
tree: 35b09daf71f0bdc1786fa279e869a772c12f92fb
parent: 297af9adc87ab690e2531e10d84b62d72a4bd728 (diff)
download: meta-enea-bsp-arm-dbbe5f06c9db311b72e891437024aad064714813.tar.gz
2 files changed, 139 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8066.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8066.patch
new file mode 100644
index 0000000..82178b8
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8066.patch
@@ -0,0 +1,138 @@
+From cec7abd27e878e3c83dc9af41ee87a2e9d483ac0 Mon Sep 17 00:00:00 2001
+From: Ethan Zonca <e@ethanzonca.com>
+Date: Fri, 24 Feb 2017 11:27:36 -0500
+Subject: [PATCH] can: gs_usb: Don't use stack memory for USB transfers
+commit c919a3069c775c1c876bec55e00b2305d5125caa upstream.
+Fixes: 05ca5270005c can: gs_usb: add ethtool set_phys_id callback to locate physical device
+The gs_usb driver is performing USB transfers using buffers allocated on
+the stack. This causes the driver to not function with vmapped stacks.
+Instead, allocate memory for the transfer buffers.
+CVE: CVE-2017-8066
+Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=cec7abd27e878e3c83dc9af41ee87a2e9d483ac0]
+Signed-off-by: Ethan Zonca <e@ethanzonca.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/net/can/usb/gs_usb.c | 40 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 11 deletions(-)
+diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
+index 77e3cc0..a0dabd4 100644
+--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
+@@ -908,10 +908,14 @@ static int gs_usb_probe(struct usb_interface *intf,
+        struct gs_usb *dev;
+        int rc = -ENOMEM;
+        unsigned int icount, i;
+-       struct gs_host_config hconf = {
+-               .byte_order = 0x0000beef,
+-       };
+-       struct gs_device_config dconf;
+       struct gs_host_config *hconf;
+       struct gs_device_config *dconf;
+
+       hconf = kmalloc(sizeof(*hconf), GFP_KERNEL);
+       if (!hconf)
+               return -ENOMEM;
+
+       hconf->byte_order = 0x0000beef;
+ 
+        /* send host config */
+        rc = usb_control_msg(interface_to_usbdev(intf),
+@@ -920,16 +924,22 @@ static int gs_usb_probe(struct usb_interface *intf,
+                             USB_DIR_OUT|USB_TYPE_VENDOR|USB_RECIP_INTERFACE,
+                             1,
+                             intf->altsetting[0].desc.bInterfaceNumber,
+-                            &hconf,
+-                            sizeof(hconf),
+                            hconf,
+                            sizeof(*hconf),
+                             1000);
+ 
+       kfree(hconf);
+
+        if (rc < 0) {
+                dev_err(&intf->dev, "Couldn't send data format (err=%d)\n",
+                        rc);
+                return rc;
+        }
+ 
+       dconf = kmalloc(sizeof(*dconf), GFP_KERNEL);
+       if (!dconf)
+               return -ENOMEM;
+
+        /* read device config */
+        rc = usb_control_msg(interface_to_usbdev(intf),
+                             usb_rcvctrlpipe(interface_to_usbdev(intf), 0),
+@@ -937,28 +947,33 @@ static int gs_usb_probe(struct usb_interface *intf,
+                             USB_DIR_IN|USB_TYPE_VENDOR|USB_RECIP_INTERFACE,
+                             1,
+                             intf->altsetting[0].desc.bInterfaceNumber,
+-                            &dconf,
+-                            sizeof(dconf),
+                            dconf,
+                            sizeof(*dconf),
+                             1000);
+        if (rc < 0) {
+                dev_err(&intf->dev, "Couldn't get device config: (err=%d)\n",
+                        rc);
+               kfree(dconf);
+                return rc;
+        }
+ 
+-       icount = dconf.icount + 1;
+       icount = dconf->icount + 1;
+        dev_info(&intf->dev, "Configuring for %d interfaces\n", icount);
+ 
+        if (icount > GS_MAX_INTF) {
+                dev_err(&intf->dev,
+                        "Driver cannot handle more that %d CAN interfaces\n",
+                        GS_MAX_INTF);
+               kfree(dconf);
+                return -EINVAL;
+        }
+ 
+        dev = kzalloc(sizeof(*dev), GFP_KERNEL);
+-       if (!dev)
+       if (!dev) {
+               kfree(dconf);
+                return -ENOMEM;
+       }
+
+        init_usb_anchor(&dev->rx_submitted);
+ 
+        atomic_set(&dev->active_channels, 0);
+@@ -967,7 +982,7 @@ static int gs_usb_probe(struct usb_interface *intf,
+        dev->udev = interface_to_usbdev(intf);
+ 
+        for (i = 0; i < icount; i++) {
+-               dev->canch[i] = gs_make_candev(i, intf, &dconf);
+               dev->canch[i] = gs_make_candev(i, intf, dconf);
+                if (IS_ERR_OR_NULL(dev->canch[i])) {
+                        /* save error code to return later */
+                        rc = PTR_ERR(dev->canch[i]);
+@@ -978,12 +993,15 @@ static int gs_usb_probe(struct usb_interface *intf,
+                                gs_destroy_candev(dev->canch[i]);
+ 
+                        usb_kill_anchored_urbs(&dev->rx_submitted);
+                       kfree(dconf);
+                        kfree(dev);
+                        return rc;
+                }
+                dev->canch[i]->parent = dev;
+        }
+ 
+       kfree(dconf);
+
+        return 0;
+ }
+ 
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index 8beb962..d8c3adb 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -19,6 +19,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
           file://CVE-2017-1000364.patch \
           file://CVE-2017-8063.patch \
           file://CVE-2017-8064.patch \
+           file://CVE-2017-8066.patch \
           "
 LINUX_KERNEL_TYPE = "tiny"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-22 11:17:36 +0200
committer	Martin Borg <martin.borg@enea.com>	2017-09-22 14:14:16 +0200
commit	dbbe5f06c9db311b72e891437024aad064714813 (patch)
tree	35b09daf71f0bdc1786fa279e869a772c12f92fb
parent	297af9adc87ab690e2531e10d84b62d72a4bd728 (diff)
download	meta-enea-bsp-arm-dbbe5f06c9db311b72e891437024aad064714813.tar.gz

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8066.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8066.patch new file mode 100644 index 0000000..82178b8 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8066.patch
@@ -0,0 +1,138 @@
		1	From cec7abd27e878e3c83dc9af41ee87a2e9d483ac0 Mon Sep 17 00:00:00 2001
		2	From: Ethan Zonca <e@ethanzonca.com>
		3	Date: Fri, 24 Feb 2017 11:27:36 -0500
		4	Subject: [PATCH] can: gs_usb: Don't use stack memory for USB transfers
		5
		6	commit c919a3069c775c1c876bec55e00b2305d5125caa upstream.
		7
		8	Fixes: 05ca5270005c can: gs_usb: add ethtool set_phys_id callback to locate physical device
		9
		10	The gs_usb driver is performing USB transfers using buffers allocated on
		11	the stack. This causes the driver to not function with vmapped stacks.
		12	Instead, allocate memory for the transfer buffers.
		13
		14	CVE: CVE-2017-8066
		15	Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=cec7abd27e878e3c83dc9af41ee87a2e9d483ac0]
		16
		17	Signed-off-by: Ethan Zonca <e@ethanzonca.com>
		18	Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
		19	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		20	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		21	---
		22	drivers/net/can/usb/gs_usb.c \| 40 +++++++++++++++++++++++++++++-----------
		23	1 file changed, 29 insertions(+), 11 deletions(-)
		24
		25	diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
		26	index 77e3cc0..a0dabd4 100644
		27	--- a/drivers/net/can/usb/gs_usb.c
		28	+++ b/drivers/net/can/usb/gs_usb.c
		29	@@ -908,10 +908,14 @@ static int gs_usb_probe(struct usb_interface *intf,
		30	struct gs_usb *dev;
		31	int rc = -ENOMEM;
		32	unsigned int icount, i;
		33	- struct gs_host_config hconf = {
		34	- .byte_order = 0x0000beef,
		35	- };
		36	- struct gs_device_config dconf;
		37	+ struct gs_host_config *hconf;
		38	+ struct gs_device_config *dconf;
		39	+
		40	+ hconf = kmalloc(sizeof(*hconf), GFP_KERNEL);
		41	+ if (!hconf)
		42	+ return -ENOMEM;
		43	+
		44	+ hconf->byte_order = 0x0000beef;
		45
		46	/* send host config */
		47	rc = usb_control_msg(interface_to_usbdev(intf),
		48	@@ -920,16 +924,22 @@ static int gs_usb_probe(struct usb_interface *intf,
		49	USB_DIR_OUT\|USB_TYPE_VENDOR\|USB_RECIP_INTERFACE,
		50	1,
		51	intf->altsetting[0].desc.bInterfaceNumber,
		52	- &hconf,
		53	- sizeof(hconf),
		54	+ hconf,
		55	+ sizeof(*hconf),
		56	1000);
		57
		58	+ kfree(hconf);
		59	+
		60	if (rc < 0) {
		61	dev_err(&intf->dev, "Couldn't send data format (err=%d)\n",
		62	rc);
		63	return rc;
		64	}
		65
		66	+ dconf = kmalloc(sizeof(*dconf), GFP_KERNEL);
		67	+ if (!dconf)
		68	+ return -ENOMEM;
		69	+
		70	/* read device config */
		71	rc = usb_control_msg(interface_to_usbdev(intf),
		72	usb_rcvctrlpipe(interface_to_usbdev(intf), 0),
		73	@@ -937,28 +947,33 @@ static int gs_usb_probe(struct usb_interface *intf,
		74	USB_DIR_IN\|USB_TYPE_VENDOR\|USB_RECIP_INTERFACE,
		75	1,
		76	intf->altsetting[0].desc.bInterfaceNumber,
		77	- &dconf,
		78	- sizeof(dconf),
		79	+ dconf,
		80	+ sizeof(*dconf),
		81	1000);
		82	if (rc < 0) {
		83	dev_err(&intf->dev, "Couldn't get device config: (err=%d)\n",
		84	rc);
		85	+ kfree(dconf);
		86	return rc;
		87	}
		88
		89	- icount = dconf.icount + 1;
		90	+ icount = dconf->icount + 1;
		91	dev_info(&intf->dev, "Configuring for %d interfaces\n", icount);
		92
		93	if (icount > GS_MAX_INTF) {
		94	dev_err(&intf->dev,
		95	"Driver cannot handle more that %d CAN interfaces\n",
		96	GS_MAX_INTF);
		97	+ kfree(dconf);
		98	return -EINVAL;
		99	}
		100
		101	dev = kzalloc(sizeof(*dev), GFP_KERNEL);
		102	- if (!dev)
		103	+ if (!dev) {
		104	+ kfree(dconf);
		105	return -ENOMEM;
		106	+ }
		107	+
		108	init_usb_anchor(&dev->rx_submitted);
		109
		110	atomic_set(&dev->active_channels, 0);
		111	@@ -967,7 +982,7 @@ static int gs_usb_probe(struct usb_interface *intf,
		112	dev->udev = interface_to_usbdev(intf);
		113
		114	for (i = 0; i < icount; i++) {
		115	- dev->canch[i] = gs_make_candev(i, intf, &dconf);
		116	+ dev->canch[i] = gs_make_candev(i, intf, dconf);
		117	if (IS_ERR_OR_NULL(dev->canch[i])) {
		118	/* save error code to return later */
		119	rc = PTR_ERR(dev->canch[i]);
		120	@@ -978,12 +993,15 @@ static int gs_usb_probe(struct usb_interface *intf,
		121	gs_destroy_candev(dev->canch[i]);
		122
		123	usb_kill_anchored_urbs(&dev->rx_submitted);
		124	+ kfree(dconf);
		125	kfree(dev);
		126	return rc;
		127	}
		128	dev->canch[i]->parent = dev;
		129	}
		130
		131	+ kfree(dconf);
		132	+
		133	return 0;
		134	}
		135
		136	--
		137	1.9.1
		138


diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index 8beb962..d8c3adb 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -19,6 +19,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
19	file://CVE-2017-1000364.patch \	19	file://CVE-2017-1000364.patch \
20	file://CVE-2017-8063.patch \	20	file://CVE-2017-8063.patch \
21	file://CVE-2017-8064.patch \	21	file://CVE-2017-8064.patch \
		22	file://CVE-2017-8066.patch \
22	"	23	"
23		24
24	LINUX_KERNEL_TYPE = "tiny"	25	LINUX_KERNEL_TYPE = "tiny"