diff options
-rw-r--r-- | recipes-kernel/linux/linux-cavium/CVE-2017-8068.patch | 101 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-cavium_4.9.inc | 1 |
2 files changed, 102 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8068.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8068.patch new file mode 100644 index 0000000..3529b21 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8068.patch | |||
@@ -0,0 +1,101 @@ | |||
1 | From 878b015bcc726560b13be2d906caf6923428f05d Mon Sep 17 00:00:00 2001 | ||
2 | From: Ben Hutchings <ben@decadent.org.uk> | ||
3 | Date: Sat, 4 Feb 2017 16:56:03 +0000 | ||
4 | Subject: [PATCH] pegasus: Use heap buffers for all register access | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | [ Upstream commit 5593523f968bc86d42a035c6df47d5e0979b5ace ] | ||
10 | |||
11 | Allocating USB buffers on the stack is not portable, and no longer | ||
12 | works on x86_64 (with VMAP_STACK enabled as per default). | ||
13 | |||
14 | CVE: CVE-2017-8068 | ||
15 | Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=878b015bcc726560b13be2d906caf6923428f05d] | ||
16 | |||
17 | Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") | ||
18 | References: https://bugs.debian.org/852556 | ||
19 | Reported-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org> | ||
20 | Tested-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org> | ||
21 | Signed-off-by: Ben Hutchings <ben@decadent.org.uk> | ||
22 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
23 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
24 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
25 | --- | ||
26 | drivers/net/usb/pegasus.c | 29 +++++++++++++++++++++++++---- | ||
27 | 1 file changed, 25 insertions(+), 4 deletions(-) | ||
28 | |||
29 | diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c | ||
30 | index 1434e5d..ee40ac2 100644 | ||
31 | --- a/drivers/net/usb/pegasus.c | ||
32 | +++ b/drivers/net/usb/pegasus.c | ||
33 | @@ -126,40 +126,61 @@ static void async_ctrl_callback(struct urb *urb) | ||
34 | |||
35 | static int get_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data) | ||
36 | { | ||
37 | + u8 *buf; | ||
38 | int ret; | ||
39 | |||
40 | + buf = kmalloc(size, GFP_NOIO); | ||
41 | + if (!buf) | ||
42 | + return -ENOMEM; | ||
43 | + | ||
44 | ret = usb_control_msg(pegasus->usb, usb_rcvctrlpipe(pegasus->usb, 0), | ||
45 | PEGASUS_REQ_GET_REGS, PEGASUS_REQT_READ, 0, | ||
46 | - indx, data, size, 1000); | ||
47 | + indx, buf, size, 1000); | ||
48 | if (ret < 0) | ||
49 | netif_dbg(pegasus, drv, pegasus->net, | ||
50 | "%s returned %d\n", __func__, ret); | ||
51 | + else if (ret <= size) | ||
52 | + memcpy(data, buf, ret); | ||
53 | + kfree(buf); | ||
54 | return ret; | ||
55 | } | ||
56 | |||
57 | -static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data) | ||
58 | +static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size, | ||
59 | + const void *data) | ||
60 | { | ||
61 | + u8 *buf; | ||
62 | int ret; | ||
63 | |||
64 | + buf = kmemdup(data, size, GFP_NOIO); | ||
65 | + if (!buf) | ||
66 | + return -ENOMEM; | ||
67 | + | ||
68 | ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0), | ||
69 | PEGASUS_REQ_SET_REGS, PEGASUS_REQT_WRITE, 0, | ||
70 | - indx, data, size, 100); | ||
71 | + indx, buf, size, 100); | ||
72 | if (ret < 0) | ||
73 | netif_dbg(pegasus, drv, pegasus->net, | ||
74 | "%s returned %d\n", __func__, ret); | ||
75 | + kfree(buf); | ||
76 | return ret; | ||
77 | } | ||
78 | |||
79 | static int set_register(pegasus_t *pegasus, __u16 indx, __u8 data) | ||
80 | { | ||
81 | + u8 *buf; | ||
82 | int ret; | ||
83 | |||
84 | + buf = kmemdup(&data, 1, GFP_NOIO); | ||
85 | + if (!buf) | ||
86 | + return -ENOMEM; | ||
87 | + | ||
88 | ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0), | ||
89 | PEGASUS_REQ_SET_REG, PEGASUS_REQT_WRITE, data, | ||
90 | - indx, &data, 1, 1000); | ||
91 | + indx, buf, 1, 1000); | ||
92 | if (ret < 0) | ||
93 | netif_dbg(pegasus, drv, pegasus->net, | ||
94 | "%s returned %d\n", __func__, ret); | ||
95 | + kfree(buf); | ||
96 | return ret; | ||
97 | } | ||
98 | |||
99 | -- | ||
100 | 1.9.1 | ||
101 | |||
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index b0d7ea5..9115ece 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc | |||
@@ -21,6 +21,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi | |||
21 | file://CVE-2017-8064.patch \ | 21 | file://CVE-2017-8064.patch \ |
22 | file://CVE-2017-8066.patch \ | 22 | file://CVE-2017-8066.patch \ |
23 | file://CVE-2017-8067.patch \ | 23 | file://CVE-2017-8067.patch \ |
24 | file://CVE-2017-8068.patch \ | ||
24 | " | 25 | " |
25 | 26 | ||
26 | LINUX_KERNEL_TYPE = "tiny" | 27 | LINUX_KERNEL_TYPE = "tiny" |