From dbbe5f06c9db311b72e891437024aad064714813 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Fri, 22 Sep 2017 11:17:36 +0200
Subject: linux-cavium: CVE-2017-8066 gs_usb.c interacts incorrectly with the CONFIG_VMAP_STACK option Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8066
Signed-off-by: Sona Sarmadi
Signed-off-by: Martin Borg
---
 .../linux/linux-cavium/CVE-2017-8066.patch | 138 +++++++++++++++++++++
 recipes-kernel/linux/linux-cavium_4.9.inc | 1 +
 2 files changed, 139 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-cavium/CVE-2017-8066.patch
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8066.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8066.patch
new file mode 100644
index 0000000..82178b8
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8066.patch
@@ -0,0 +1,138 @@
+From cec7abd27e878e3c83dc9af41ee87a2e9d483ac0 Mon Sep 17 00:00:00 2001
+From: Ethan Zonca
+Date: Fri, 24 Feb 2017 11:27:36 -0500
+Subject: [PATCH] can: gs_usb: Don't use stack memory for USB transfers
+
+commit c919a3069c775c1c876bec55e00b2305d5125caa upstream.
+
+Fixes: 05ca5270005c can: gs_usb: add ethtool set_phys_id callback to locate physical device
+
+The gs_usb driver is performing USB transfers using buffers allocated on
+the stack. This causes the driver to not function with vmapped stacks.
+Instead, allocate memory for the transfer buffers.
+
+CVE: CVE-2017-8066
+Upstream-Status: Backport [backport from: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.51&id=cec7abd27e878e3c83dc9af41ee87a2e9d483ac0]
+
+Signed-off-by: Ethan Zonca
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ drivers/net/can/usb/gs_usb.c | 40 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
+index 77e3cc0..a0dabd4 100644
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -908,10 +908,14 @@ static int gs_usb_probe(struct usb_interface *intf,
+ struct gs_usb *dev;
+ int rc = -ENOMEM;
+ unsigned int icount, i;
+- struct gs_host_config hconf = {
+- .byte_order = 0x0000beef,
+- };
+- struct gs_device_config dconf;
++ struct gs_host_config *hconf;
++ struct gs_device_config *dconf;
++
++ hconf = kmalloc(sizeof(*hconf), GFP_KERNEL);
++ if (!hconf)
++ return -ENOMEM;
++
++ hconf->byte_order = 0x0000beef;
+ 
+ /* send host config */
+ rc = usb_control_msg(interface_to_usbdev(intf),
+@@ -920,16 +924,22 @@ static int gs_usb_probe(struct usb_interface *intf,
+ USB_DIR_OUT|USB_TYPE_VENDOR|USB_RECIP_INTERFACE,
+ 1,
+ intf->altsetting[0].desc.bInterfaceNumber,
+- &hconf,
+- sizeof(hconf),
++ hconf,
++ sizeof(*hconf),
+ 1000);
+ 
++ kfree(hconf);
++
+ if (rc < 0) {
+ dev_err(&intf->dev, "Couldn't send data format (err=%d)\n",
+ rc);
+ return rc;
+ }
+ 
++ dconf = kmalloc(sizeof(*dconf), GFP_KERNEL);
++ if (!dconf)
++ return -ENOMEM;
++
+ /* read device config */
+ rc = usb_control_msg(interface_to_usbdev(intf),
+ usb_rcvctrlpipe(interface_to_usbdev(intf), 0),
+@@ -937,28 +947,33 @@ static int gs_usb_probe(struct usb_interface *intf,
+ USB_DIR_IN|USB_TYPE_VENDOR|USB_RECIP_INTERFACE,
+ 1,
+ intf->altsetting[0].desc.bInterfaceNumber,
+- &dconf,
+- sizeof(dconf),
++ dconf,
++ sizeof(*dconf),
+ 1000);
+ if (rc < 0) {
+ dev_err(&intf->dev, "Couldn't get device config: (err=%d)\n",
+ rc);
++ kfree(dconf);
+ return rc;
+ }
+ 
+- icount = dconf.icount + 1;
++ icount = dconf->icount + 1;
+ dev_info(&intf->dev, "Configuring for %d interfaces\n", icount);
+ 
+ if (icount > GS_MAX_INTF) {
+ dev_err(&intf->dev,
+ "Driver cannot handle more that %d CAN interfaces\n",
+ GS_MAX_INTF);
++ kfree(dconf);
+ return -EINVAL;
+ }
+ 
+ dev = kzalloc(sizeof(*dev), GFP_KERNEL);
+- if (!dev)
++ if (!dev) {
++ kfree(dconf);
+ return -ENOMEM;
++ }
++
+ init_usb_anchor(&dev->rx_submitted);
+ 
+ atomic_set(&dev->active_channels, 0);
+@@ -967,7 +982,7 @@ static int gs_usb_probe(struct usb_interface *intf,
+ dev->udev = interface_to_usbdev(intf);
+ 
+ for (i = 0; i < icount; i++) {
+- dev->canch[i] = gs_make_candev(i, intf, &dconf);
++ dev->canch[i] = gs_make_candev(i, intf, dconf);
+ if (IS_ERR_OR_NULL(dev->canch[i])) {
+ /* save error code to return later */
+ rc = PTR_ERR(dev->canch[i]);
+@@ -978,12 +993,15 @@ static int gs_usb_probe(struct usb_interface *intf,
+ gs_destroy_candev(dev->canch[i]);
+ 
+ usb_kill_anchored_urbs(&dev->rx_submitted);
++ kfree(dconf);
+ kfree(dev);
+ return rc;
+ }
+ dev->canch[i]->parent = dev;
+ }
+ 
++ kfree(dconf);
++
+ return 0;
+ }
+ 
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index 8beb962..d8c3adb 100644
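Review bot: In the patched gs_usb_probe(), the "read device config" transfer is still checked only with `if (rc < 0)`, so a device that answers with fewer than `sizeof(*dconf)` bytes leaves the rest of the kmalloc'd buffer uninitialised when `dconf->icount` is read and `dconf` is passed to gs_make_candev(). Because that data comes from the attached USB device, I would either allocate with `dconf = kzalloc(sizeof(*dconf), GFP_KERNEL);` or treat a short transfer as an error, e.g. `if (rc >= 0 && rc != sizeof(*dconf)) rc = -EIO;` placed before the existing error check. The same question applies to `hconf` if struct gs_host_config has members besides `byte_order` (its definition is not visible here): the removed designated initialiser zeroed them, while kmalloc() does not. Since this is a backport of an upstream stable commit, the hardening is probably better carried as a separate follow-up patch; only parts of gs_usb_probe() are visible in the inner hunks, so the function's start and remaining body could not be checked.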
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -19,6 +19,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
 file://CVE-2017-1000364.patch \
 file://CVE-2017-8063.patch \
 file://CVE-2017-8064.patch \
+ file://CVE-2017-8066.patch \
 "

 LINUX_KERNEL_TYPE = "tiny"
-- 
cgit v1.2.3-54-g00ecf