From 7529dbc5f89205edfdcd5efcc4c431f9a39566e0 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Fri, 22 Sep 2017 11:17:38 +0200
Subject: linux-cavium: CVE-2017-8068 pegasus.c interacts incorrectly with the CONFIG_VMAP_STACK option
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8068
Signed-off-by: Sona Sarmadi
Signed-off-by: Martin Borg
---
 .../linux/linux-cavium/CVE-2017-8068.patch | 101 +++++++++++++++++++++
 recipes-kernel/linux/linux-cavium_4.9.inc | 1 +
 2 files changed, 102 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-cavium/CVE-2017-8068.patch
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8068.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8068.patch
new file mode 100644
index 0000000..3529b21
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8068.patch
@@ -0,0 +1,101 @@
+From 878b015bcc726560b13be2d906caf6923428f05d Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Sat, 4 Feb 2017 16:56:03 +0000
+Subject: [PATCH] pegasus: Use heap buffers for all register access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 5593523f968bc86d42a035c6df47d5e0979b5ace ]
+
+Allocating USB buffers on the stack is not portable, and no longer
+works on x86_64 (with VMAP_STACK enabled as per default).
+
+CVE: CVE-2017-8068
+Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=878b015bcc726560b13be2d906caf6923428f05d]
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+References: https://bugs.debian.org/852556
+Reported-by: Lisandro Damián Nicanor Pérez Meyer
+Tested-by: Lisandro Damián Nicanor Pérez Meyer
+Signed-off-by: Ben Hutchings
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ drivers/net/usb/pegasus.c | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
+index 1434e5d..ee40ac2 100644
+--- a/drivers/net/usb/pegasus.c
++++ b/drivers/net/usb/pegasus.c
+@@ -126,40 +126,61 @@ static void async_ctrl_callback(struct urb *urb)
+
+ static int get_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data)
+ {
++ u8 *buf;
+ int ret;
+
++ buf = kmalloc(size, GFP_NOIO);
++ if (!buf)
++ return -ENOMEM;
++
+ ret = usb_control_msg(pegasus->usb, usb_rcvctrlpipe(pegasus->usb, 0),
+ PEGASUS_REQ_GET_REGS, PEGASUS_REQT_READ, 0,
+- indx, data, size, 1000);
++ indx, buf, size, 1000);
+ if (ret < 0)
+ netif_dbg(pegasus, drv, pegasus->net,
+ "%s returned %d\n", __func__, ret);
++ else if (ret <= size)
++ memcpy(data, buf, ret);
++ kfree(buf);
+ return ret;
+ }
+
+-static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data)
++static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size,
++ const void *data)
+ {
++ u8 *buf;
+ int ret;
+
++ buf = kmemdup(data, size, GFP_NOIO);
++ if (!buf)
++ return -ENOMEM;
++
+ ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
+ PEGASUS_REQ_SET_REGS, PEGASUS_REQT_WRITE, 0,
+- indx, data, size, 100);
++ indx, buf, size, 100);
+ if (ret < 0)
+ netif_dbg(pegasus, drv, pegasus->net,
+ "%s returned %d\n", __func__, ret);
++ kfree(buf);
+ return ret;
+ }
+
+ static int set_register(pegasus_t *pegasus, __u16 indx, __u8 data)
+ {
++ u8 *buf;
+ int ret;
+
++ buf = kmemdup(&data, 1, GFP_NOIO);
++ if (!buf)
++ return -ENOMEM;
++
+ ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
+ PEGASUS_REQ_SET_REG, PEGASUS_REQT_WRITE, data,
+- indx, &data, 1, 1000);
++ indx, buf, 1, 1000);
+ if (ret < 0)
+ netif_dbg(pegasus, drv, pegasus->net,
+ "%s returned %d\n", __func__, ret);
++ kfree(buf);
+ return ret;
+ }
+
+--
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index b0d7ea5..9115ece 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -21,6 +21,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
 file://CVE-2017-8064.patch \
 file://CVE-2017-8066.patch \
 file://CVE-2017-8067.patch \
+ file://CVE-2017-8068.patch \
 "
 
 LINUX_KERNEL_TYPE = "tiny"
--
cgit v1.2.3-54-g00ecf
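Review bot: In the backported `get_registers()`, a short control transfer is still reported as success: `else if (ret <= size) memcpy(data, buf, ret);` copies only `ret` bytes and returns that non-negative count, so the tail of the caller's `data` buffer is never written. The callers are outside this hunk, but any that test only `ret < 0` would go on to treat stale or uninitialised stack bytes as register contents supplied by the device. Unless a caller is known to rely on partial reads, I would reject the short read instead: `else if (ret != size) ret = -EIO;` followed by `else memcpy(data, buf, size);`. A one-line comment above the `kmalloc()`/`kmemdup()` calls, such as `/* USB transfer buffers must be DMA-able; stack memory is not under CONFIG_VMAP_STACK */`, would also record why the bounce buffer exists so that it is not "optimised" away later.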