From 598cd7cbf4afb8759a41b437e9b86b9de3f66965 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Fri, 22 Sep 2017 11:17:34 +0200
Subject: linux-cavium: CVE-2017-8063 kernel: cxusb.c interacts incorrectly with the CONFIG_VMAP_STACK option
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8063
Signed-off-by: Sona Sarmadi
Signed-off-by: Martin Borg
---
 .../linux/linux-cavium/CVE-2017-8063.patch | 70 ++++++++++++++++++++++
 recipes-kernel/linux/linux-cavium_4.9.inc | 1 +
 2 files changed, 71 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-cavium/CVE-2017-8063.patch
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8063.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8063.patch
new file mode 100644
index 0000000..13a1ef0
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8063.patch
@@ -0,0 +1,70 @@
+From fb00319317c152bf3528df13a54c28bf8c5daa55 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20Br=C3=BCns?=
+Date: Sun, 5 Feb 2017 12:57:59 -0200
+Subject: [PATCH] cxusb: Use a dma capable buffer also for reading
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 3f190e3aec212fc8c61e202c51400afa7384d4bc upstream.
+
+Commit 17ce039b4e54 ("[media] cxusb: don't do DMA on stack")
+added a kmalloc'ed bounce buffer for writes, but missed to do the same
+for reads. As the read only happens after the write is finished, we can
+reuse the same buffer.
+
+As dvb_usb_generic_rw handles a read length of 0 by itself, avoid calling
+it using the dvb_usb_generic_read wrapper function.
+
+CVE: CVE-2017-8063
+Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=fb00319317c152bf3528df13a54c28bf8c5daa55]
+
+Signed-off-by: Stefan BrĂ¼ns
+Signed-off-by: Mauro Carvalho Chehab
+Cc: Ben Hutchings
+Cc: Brad Spengler
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ drivers/media/usb/dvb-usb/cxusb.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
+index 2434030..9fd43a3 100644
+--- a/drivers/media/usb/dvb-usb/cxusb.c
++++ b/drivers/media/usb/dvb-usb/cxusb.c
+@@ -59,23 +59,24 @@ static int cxusb_ctrl_msg(struct dvb_usb_device *d,
+ u8 cmd, u8 *wbuf, int wlen, u8 *rbuf, int rlen)
+ {
+ struct cxusb_state *st = d->priv;
+- int ret, wo;
++ int ret;
+
+ if (1 + wlen > MAX_XFER_SIZE) {
+ warn("i2c wr: len=%d is too big!\n", wlen);
+ return -EOPNOTSUPP;
+ }
+
+- wo = (rbuf == NULL || rlen == 0); /* write-only */
++ if (rlen > MAX_XFER_SIZE) {
++ warn("i2c rd: len=%d is too big!\n", rlen);
++ return -EOPNOTSUPP;
++ }
+
+ mutex_lock(&d->data_mutex);
+ st->data[0] = cmd;
+ memcpy(&st->data[1], wbuf, wlen);
+- if (wo)
+- ret = dvb_usb_generic_write(d, st->data, 1 + wlen);
+- else
+- ret = dvb_usb_generic_rw(d, st->data, 1 + wlen,
+- rbuf, rlen, 0);
++ ret = dvb_usb_generic_rw(d, st->data, 1 + wlen, st->data, rlen, 0);
++ if (!ret && rbuf && rlen)
++ memcpy(rbuf, st->data, rlen);
+
+ mutex_unlock(&d->data_mutex);
+ return ret;
+--
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index 4508583..c11772a 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -17,6 +17,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
 file://dts \
 file://CVE-2017-7487.patch \
 file://CVE-2017-1000364.patch \
+ file://CVE-2017-8063.patch \
 "

 LINUX_KERNEL_TYPE = "tiny"
--
cgit v1.2.3-54-g00ecf
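Review bot: The length guards in cxusb_ctrl_msg() bound `wlen` and `rlen` only from above while both are plain `int`, so a negative value passes `1 + wlen > MAX_XFER_SIZE` and the newly added `rlen > MAX_XFER_SIZE` and would then reach `memcpy(&st->data[1], wbuf, wlen)` or `memcpy(rbuf, st->data, rlen)` converted to a very large size. The callers are not visible in this hunk, so whether a negative length can actually arrive is unverified; if it can, the new check should read `if (rlen < 0 || rlen > MAX_XFER_SIZE)`, with the same lower bound on the `wlen` check. Both guards also presume that `st->data` holds at least MAX_XFER_SIZE bytes, which is declared outside the hunk and worth confirming against this kernel tree. Since this is a stable backport, any such hardening would be a local deviation and should be recorded in the patch header next to `Upstream-Status`. The function's closing brace lies outside the hunk.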