diff options
-rw-r--r-- | recipes-kernel/linux/linux-cavium/CVE-2017-8066.patch | 138 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-cavium_4.9.inc | 1 |
2 files changed, 139 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8066.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8066.patch new file mode 100644 index 0000000..82178b8 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8066.patch | |||
@@ -0,0 +1,138 @@ | |||
1 | From cec7abd27e878e3c83dc9af41ee87a2e9d483ac0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Ethan Zonca <e@ethanzonca.com> | ||
3 | Date: Fri, 24 Feb 2017 11:27:36 -0500 | ||
4 | Subject: [PATCH] can: gs_usb: Don't use stack memory for USB transfers | ||
5 | |||
6 | commit c919a3069c775c1c876bec55e00b2305d5125caa upstream. | ||
7 | |||
8 | Fixes: 05ca5270005c can: gs_usb: add ethtool set_phys_id callback to locate physical device | ||
9 | |||
10 | The gs_usb driver is performing USB transfers using buffers allocated on | ||
11 | the stack. This causes the driver to not function with vmapped stacks. | ||
12 | Instead, allocate memory for the transfer buffers. | ||
13 | |||
14 | CVE: CVE-2017-8066 | ||
15 | Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=cec7abd27e878e3c83dc9af41ee87a2e9d483ac0] | ||
16 | |||
17 | Signed-off-by: Ethan Zonca <e@ethanzonca.com> | ||
18 | Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> | ||
19 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
20 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
21 | --- | ||
22 | drivers/net/can/usb/gs_usb.c | 40 +++++++++++++++++++++++++++++----------- | ||
23 | 1 file changed, 29 insertions(+), 11 deletions(-) | ||
24 | |||
25 | diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c | ||
26 | index 77e3cc0..a0dabd4 100644 | ||
27 | --- a/drivers/net/can/usb/gs_usb.c | ||
28 | +++ b/drivers/net/can/usb/gs_usb.c | ||
29 | @@ -908,10 +908,14 @@ static int gs_usb_probe(struct usb_interface *intf, | ||
30 | struct gs_usb *dev; | ||
31 | int rc = -ENOMEM; | ||
32 | unsigned int icount, i; | ||
33 | - struct gs_host_config hconf = { | ||
34 | - .byte_order = 0x0000beef, | ||
35 | - }; | ||
36 | - struct gs_device_config dconf; | ||
37 | + struct gs_host_config *hconf; | ||
38 | + struct gs_device_config *dconf; | ||
39 | + | ||
40 | + hconf = kmalloc(sizeof(*hconf), GFP_KERNEL); | ||
41 | + if (!hconf) | ||
42 | + return -ENOMEM; | ||
43 | + | ||
44 | + hconf->byte_order = 0x0000beef; | ||
45 | |||
46 | /* send host config */ | ||
47 | rc = usb_control_msg(interface_to_usbdev(intf), | ||
48 | @@ -920,16 +924,22 @@ static int gs_usb_probe(struct usb_interface *intf, | ||
49 | USB_DIR_OUT|USB_TYPE_VENDOR|USB_RECIP_INTERFACE, | ||
50 | 1, | ||
51 | intf->altsetting[0].desc.bInterfaceNumber, | ||
52 | - &hconf, | ||
53 | - sizeof(hconf), | ||
54 | + hconf, | ||
55 | + sizeof(*hconf), | ||
56 | 1000); | ||
57 | |||
58 | + kfree(hconf); | ||
59 | + | ||
60 | if (rc < 0) { | ||
61 | dev_err(&intf->dev, "Couldn't send data format (err=%d)\n", | ||
62 | rc); | ||
63 | return rc; | ||
64 | } | ||
65 | |||
66 | + dconf = kmalloc(sizeof(*dconf), GFP_KERNEL); | ||
67 | + if (!dconf) | ||
68 | + return -ENOMEM; | ||
69 | + | ||
70 | /* read device config */ | ||
71 | rc = usb_control_msg(interface_to_usbdev(intf), | ||
72 | usb_rcvctrlpipe(interface_to_usbdev(intf), 0), | ||
73 | @@ -937,28 +947,33 @@ static int gs_usb_probe(struct usb_interface *intf, | ||
74 | USB_DIR_IN|USB_TYPE_VENDOR|USB_RECIP_INTERFACE, | ||
75 | 1, | ||
76 | intf->altsetting[0].desc.bInterfaceNumber, | ||
77 | - &dconf, | ||
78 | - sizeof(dconf), | ||
79 | + dconf, | ||
80 | + sizeof(*dconf), | ||
81 | 1000); | ||
82 | if (rc < 0) { | ||
83 | dev_err(&intf->dev, "Couldn't get device config: (err=%d)\n", | ||
84 | rc); | ||
85 | + kfree(dconf); | ||
86 | return rc; | ||
87 | } | ||
88 | |||
89 | - icount = dconf.icount + 1; | ||
90 | + icount = dconf->icount + 1; | ||
91 | dev_info(&intf->dev, "Configuring for %d interfaces\n", icount); | ||
92 | |||
93 | if (icount > GS_MAX_INTF) { | ||
94 | dev_err(&intf->dev, | ||
95 | "Driver cannot handle more that %d CAN interfaces\n", | ||
96 | GS_MAX_INTF); | ||
97 | + kfree(dconf); | ||
98 | return -EINVAL; | ||
99 | } | ||
100 | |||
101 | dev = kzalloc(sizeof(*dev), GFP_KERNEL); | ||
102 | - if (!dev) | ||
103 | + if (!dev) { | ||
104 | + kfree(dconf); | ||
105 | return -ENOMEM; | ||
106 | + } | ||
107 | + | ||
108 | init_usb_anchor(&dev->rx_submitted); | ||
109 | |||
110 | atomic_set(&dev->active_channels, 0); | ||
111 | @@ -967,7 +982,7 @@ static int gs_usb_probe(struct usb_interface *intf, | ||
112 | dev->udev = interface_to_usbdev(intf); | ||
113 | |||
114 | for (i = 0; i < icount; i++) { | ||
115 | - dev->canch[i] = gs_make_candev(i, intf, &dconf); | ||
116 | + dev->canch[i] = gs_make_candev(i, intf, dconf); | ||
117 | if (IS_ERR_OR_NULL(dev->canch[i])) { | ||
118 | /* save error code to return later */ | ||
119 | rc = PTR_ERR(dev->canch[i]); | ||
120 | @@ -978,12 +993,15 @@ static int gs_usb_probe(struct usb_interface *intf, | ||
121 | gs_destroy_candev(dev->canch[i]); | ||
122 | |||
123 | usb_kill_anchored_urbs(&dev->rx_submitted); | ||
124 | + kfree(dconf); | ||
125 | kfree(dev); | ||
126 | return rc; | ||
127 | } | ||
128 | dev->canch[i]->parent = dev; | ||
129 | } | ||
130 | |||
131 | + kfree(dconf); | ||
132 | + | ||
133 | return 0; | ||
134 | } | ||
135 | |||
136 | -- | ||
137 | 1.9.1 | ||
138 | |||
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index 8beb962..d8c3adb 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc | |||
@@ -19,6 +19,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi | |||
19 | file://CVE-2017-1000364.patch \ | 19 | file://CVE-2017-1000364.patch \ |
20 | file://CVE-2017-8063.patch \ | 20 | file://CVE-2017-8063.patch \ |
21 | file://CVE-2017-8064.patch \ | 21 | file://CVE-2017-8064.patch \ |
22 | file://CVE-2017-8066.patch \ | ||
22 | " | 23 | " |
23 | 24 | ||
24 | LINUX_KERNEL_TYPE = "tiny" | 25 | LINUX_KERNEL_TYPE = "tiny" |