ttusb-dec: CVE-2014-8884

Fixes buffer overflow in ioctl. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8884 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/ ?id=482c6cb2dfb40838d67b0ba844b4b3d0af0f3d20 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Zhenhua Luo <zhenhua.luo@nxp.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-12-15 13:57:30 +0100
committer: Zhenhua Luo <zhenhua.luo@nxp.com> 2015-12-21 13:55:47 +0800
commit: 210e6d5bd15a7b6dede180e2c4a8f9d5d4484e92 (patch)
tree: d171974b1cb414dde1fdfade296d5173f4ad0a2a
parent: f297dfce5ef0fe2d1247b8f167beca1389e1a355 (diff)
download: meta-fsl-ppc-210e6d5bd15a7b6dede180e2c4a8f9d5d4484e92.tar.gz
2 files changed, 38 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/media-ttusb-dec-CVE-2014-8884.patch b/recipes-kernel/linux/files/media-ttusb-dec-CVE-2014-8884.patch
new file mode 100644
index 0000000..ae27944
--- /dev/null
+++ b/recipes-kernel/linux/files/media-ttusb-dec-CVE-2014-8884.patch
@@ -0,0 +1,37 @@
+commit 482c6cb2dfb40838d67b0ba844b4b3d0af0f3d20
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 5 Sep 2014 09:09:28 -0300
+Subject: [media] ttusb-dec: buffer overflow in ioctl
+commit f2e323ec96077642d397bb1c355def536d489d16 upstream.
+We need to add a limit check here so we don't overflow the buffer.
+Fixes CVE-2014-8884
+Upstream-Status: Backport
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/media/usb/ttusb-dec/ttusbdecfe.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/drivers/media/usb/ttusb-dec/ttusbdecfe.c b/drivers/media/usb/ttusb-dec/ttusbdecfe.c
+index 5c45c9d..9c29552 100644
+--- a/drivers/media/usb/ttusb-dec/ttusbdecfe.c
+++ b/drivers/media/usb/ttusb-dec/ttusbdecfe.c
+@@ -156,6 +156,9 @@ static int ttusbdecfe_dvbs_diseqc_send_master_cmd(struct dvb_frontend* fe, struc
+                   0x00, 0x00, 0x00, 0x00,
+                   0x00, 0x00 };
+ 
+       if (cmd->msg_len > sizeof(b) - 4)
+               return -EINVAL;
+
+        memcpy(&b[4], cmd->msg, cmd->msg_len);
+ 
+        state->config->send_command(fe, 0x72,
+-- 
+cgit v0.11.2
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index f078518..e89a289 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -34,6 +34,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://fs-isofs-CVE-2014-9420.patch \
    file://udp-CVE-2015-5364_CVE-2015-5366.patch \
    file://mm-CVE-2014-3122.patch \
+    file://media-ttusb-dec-CVE-2014-8884.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-12-15 13:57:30 +0100
committer	Zhenhua Luo <zhenhua.luo@nxp.com>	2015-12-21 13:55:47 +0800
commit	210e6d5bd15a7b6dede180e2c4a8f9d5d4484e92 (patch)
tree	d171974b1cb414dde1fdfade296d5173f4ad0a2a
parent	f297dfce5ef0fe2d1247b8f167beca1389e1a355 (diff)
download	meta-fsl-ppc-210e6d5bd15a7b6dede180e2c4a8f9d5d4484e92.tar.gz

diff --git a/recipes-kernel/linux/files/media-ttusb-dec-CVE-2014-8884.patch b/recipes-kernel/linux/files/media-ttusb-dec-CVE-2014-8884.patch new file mode 100644 index 0000000..ae27944 --- /dev/null +++ b/recipes-kernel/linux/files/media-ttusb-dec-CVE-2014-8884.patch
@@ -0,0 +1,37 @@
		1	commit 482c6cb2dfb40838d67b0ba844b4b3d0af0f3d20
		2	Author: Dan Carpenter <dan.carpenter@oracle.com>
		3	Date: Fri, 5 Sep 2014 09:09:28 -0300
		4	Subject: [media] ttusb-dec: buffer overflow in ioctl
		5
		6	commit f2e323ec96077642d397bb1c355def536d489d16 upstream.
		7
		8	We need to add a limit check here so we don't overflow the buffer.
		9
		10	Fixes CVE-2014-8884
		11	Upstream-Status: Backport
		12
		13	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
		14	Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
		15	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		16	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		17	---
		18	drivers/media/usb/ttusb-dec/ttusbdecfe.c \| 3 +++
		19	1 file changed, 3 insertions(+)
		20
		21	diff --git a/drivers/media/usb/ttusb-dec/ttusbdecfe.c b/drivers/media/usb/ttusb-dec/ttusbdecfe.c
		22	index 5c45c9d..9c29552 100644
		23	--- a/drivers/media/usb/ttusb-dec/ttusbdecfe.c
		24	+++ b/drivers/media/usb/ttusb-dec/ttusbdecfe.c
		25	@@ -156,6 +156,9 @@ static int ttusbdecfe_dvbs_diseqc_send_master_cmd(struct dvb_frontend* fe, struc
		26	0x00, 0x00, 0x00, 0x00,
		27	0x00, 0x00 };
		28
		29	+ if (cmd->msg_len > sizeof(b) - 4)
		30	+ return -EINVAL;
		31	+
		32	memcpy(&b[4], cmd->msg, cmd->msg_len);
		33
		34	state->config->send_command(fe, 0x72,
		35	--
		36	cgit v0.11.2
		37


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index f078518..e89a289 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -34,6 +34,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
34	file://fs-isofs-CVE-2014-9420.patch \	34	file://fs-isofs-CVE-2014-9420.patch \
35	file://udp-CVE-2015-5364_CVE-2015-5366.patch \	35	file://udp-CVE-2015-5364_CVE-2015-5366.patch \
36	file://mm-CVE-2014-3122.patch \	36	file://mm-CVE-2014-3122.patch \
		37	file://media-ttusb-dec-CVE-2014-8884.patch \
37	"	38	"
38	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	39	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
39		40