From 297af9adc87ab690e2531e10d84b62d72a4bd728 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Fri, 22 Sep 2017 11:17:35 +0200
Subject: linux-cavium: CVE-2017-8064 dvb_usb_core.c interacts incorrectly with the CONFIG_VMAP_STACK option
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8064
Signed-off-by: Sona Sarmadi
Signed-off-by: Martin Borg
---
 .../linux/linux-cavium/CVE-2017-8064.patch | 65 ++++++++++++++++++++++
 recipes-kernel/linux/linux-cavium_4.9.inc | 1 +
 2 files changed, 66 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-cavium/CVE-2017-8064.patch
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8064.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8064.patch
new file mode 100644
index 0000000..05cf7a4
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8064.patch
@@ -0,0 +1,65 @@
+From 1992564156b5dc4ac73418e5b95e1a43f12f3cb1 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Thu, 2 Feb 2017 12:36:01 -0200
+Subject: [PATCH] dvb-usb-v2: avoid use-after-free
+
+commit 005145378c9ad7575a01b6ce1ba118fb427f583a upstream.
+
+I ran into a stack frame size warning because of the on-stack copy of
+the USB device structure:
+
+drivers/media/usb/dvb-usb-v2/dvb_usb_core.c: In function 'dvb_usbv2_disconnect':
+drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:1029:1: error: the frame size of 1104 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+
+Copying a device structure like this is wrong for a number of other reasons
+too aside from the possible stack overflow. One of them is that the
+dev_info() call will print the name of the device later, but AFAICT
+we have only copied a pointer to the name earlier and the actual name
+has been freed by the time it gets printed.
+
+This removes the on-stack copy of the device and instead copies the
+device name using kstrdup(). I'm ignoring the possible failure here
+as both printk() and kfree() are able to deal with NULL pointers.
+
+CVE: CVE-2017-8064
+Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=1992564156b5dc4ac73418e5b95e1a43f12f3cb1]
+
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Mauro Carvalho Chehab
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ drivers/media/usb/dvb-usb-v2/dvb_usb_core.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
+index a8e6624..a9bb2dd 100644
+--- a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
++++ b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
+@@ -1013,8 +1013,8 @@ int dvb_usbv2_probe(struct usb_interface *intf,
+ void dvb_usbv2_disconnect(struct usb_interface *intf)
+ {
+ struct dvb_usb_device *d = usb_get_intfdata(intf);
+- const char *name = d->name;
+- struct device dev = d->udev->dev;
++ const char *devname = kstrdup(dev_name(&d->udev->dev), GFP_KERNEL);
++ const char *drvname = d->name;
+ 
+ dev_dbg(&d->udev->dev, "%s: bInterfaceNumber=%d\n", __func__,
+ intf->cur_altsetting->desc.bInterfaceNumber);
+@@ -1024,8 +1024,9 @@ void dvb_usbv2_disconnect(struct usb_interface *intf)
+ 
+ dvb_usbv2_exit(d);
+ 
+- dev_info(&dev, "%s: '%s' successfully deinitialized and disconnected\n",
+- KBUILD_MODNAME, name);
++ pr_info("%s: '%s:%s' successfully deinitialized and disconnected\n",
++ KBUILD_MODNAME, drvname, devname);
++ kfree(devname);
+ }
+ EXPORT_SYMBOL(dvb_usbv2_disconnect);
+ 
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index c11772a..8beb962 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
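Review bot: The added patch is the v4.9.51 stable backport taken verbatim (inner hunks at -1013 and -1024 of dvb_usb_core.c), but neither the recipe commit message nor the patch header records that it was checked against the linux-cavium tree this .inc builds from; if that vendor tree's dvb_usbv2_disconnect() differs from stable, the mismatch only surfaces as a do_patch failure or a fuzz-applied hunk at build time. I would add a line under `Upstream-Status:` such as `Applies cleanly to linux-cavium <COMMIT-PLACEHOLDER>; build-tested` so the next CVE review can see the backport was verified rather than assumed. The kstrdup() copy being taken before dvb_usbv2_exit(d) is what removes the read of freed memory in the final message, so the ordering of those two lines should be preserved if the hunk ever has to be re-resolved against the vendor tree.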
@@ -18,6 +18,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
 file://CVE-2017-7487.patch \
 file://CVE-2017-1000364.patch \
 file://CVE-2017-8063.patch \
+ file://CVE-2017-8064.patch \
 "
 LINUX_KERNEL_TYPE = "tiny"
-- 
cgit v1.2.3-54-g00ecf