-rw-r--r-- | recipes-kernel/linux/linux-cavium/CVE-2017-8064.patch | 65 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-cavium_4.9.inc | 1 |
2 files changed, 66 insertions, 0 deletions
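--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8064.patch
@@ -0,0 +1,65 @@
+From 1992564156b5dc4ac73418e5b95e1a43f12f3cb1 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 2 Feb 2017 12:36:01 -0200
+Subject: [PATCH] dvb-usb-v2: avoid use-after-free
+
+commit 005145378c9ad7575a01b6ce1ba118fb427f583a upstream.
+
+I ran into a stack frame size warning because of the on-stack copy of
+the USB device structure:
+
+drivers/media/usb/dvb-usb-v2/dvb_usb_core.c: In function 'dvb_usbv2_disconnect':
+drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:1029:1: error: the frame size of 1104 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+
+Copying a device structure like this is wrong for a number of other reasons
+too aside from the possible stack overflow. One of them is that the
+dev_info() call will print the name of the device later, but AFAICT
+we have only copied a pointer to the name earlier and the actual name
+has been freed by the time it gets printed.
+
+This removes the on-stack copy of the device and instead copies the
+device name using kstrdup(). I'm ignoring the possible failure here
+as both printk() and kfree() are able to deal with NULL pointers.
+
+CVE: CVE-2017-8064
+Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=1992564156b5dc4ac73418e5b95e1a43f12f3cb1]
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+drivers/media/usb/dvb-usb-v2/dvb_usb_core.c | 9 +++++----
+1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
+index a8e6624..a9bb2dd 100644
+--- a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
++++ b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
+@@ -1013,8 +1013,8 @@ int dvb_usbv2_probe(struct usb_interface *intf,
+void dvb_usbv2_disconnect(struct usb_interface *intf)
+{
+struct dvb_usb_device *d = usb_get_intfdata(intf);
+- const char *name = d->name;
+- struct device dev = d->udev->dev;
++ const char *devname = kstrdup(dev_name(&d->udev->dev), GFP_KERNEL);
++ const char *drvname = d->name;
+
+dev_dbg(&d->udev->dev, "%s: bInterfaceNumber=%d\n", __func__,
+intf->cur_altsetting->desc.bInterfaceNumber);
+@@ -1024,8 +1024,9 @@ void dvb_usbv2_disconnect(struct usb_interface *intf)
+
+dvb_usbv2_exit(d);
+
+- dev_info(&dev, "%s: '%s' successfully deinitialized and disconnected\n",
+- KBUILD_MODNAME, name);
++ pr_info("%s: '%s:%s' successfully deinitialized and disconnected\n",
++ KBUILD_MODNAME, drvname, devname);
++ kfree(devname);
+}
+EXPORT_SYMBOL(dvb_usbv2_disconnect);
+
+--
+1.9.1
+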
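Review bot: `drvname` is still a bare copy of `d->name` that `pr_info()` reads after `dvb_usbv2_exit(d)` has run, so the patched function avoids a stale read only if the string `d->name` points to outlives `d` (assuming, as the commit message implies, that the exit call releases it); neither hunk shows where that string is stored. I would add a comment above the assignment such as `/* d->name must point at storage that outlives d; it is read after dvb_usbv2_exit() */` and confirm it against the place where `d->name` is set. The unchecked `kstrdup()` is deliberate according to the commit message, but the code does not say so; a one-line comment like `/* devname may be NULL on allocation failure; pr_info() and kfree() accept that */` would stop a later reader from turning it into an early return that skips `dvb_usbv2_exit(d)`. The middle of `dvb_usbv2_disconnect()` lies between the two hunks and is not visible here.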
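--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -18,6 +18,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
 file://CVE-2017-7487.patch \
 file://CVE-2017-1000364.patch \
 file://CVE-2017-8063.patch \
+file://CVE-2017-8064.patch \
 "
 
 LINUX_KERNEL_TYPE = "tiny"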