ARM: amba: CVE-2018-9415

ARM: amba: Fix race condition with driver_override References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=272c99cf85a371401b78f3c56a18745bf07817a3 Change-Id: I9367a1d020bc4641f136a91d2ff29442221ee9e8 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-12 10:48:58 +0200
committer: Adrian Dudau <Adrian.Dudau@enea.com> 2018-10-16 17:37:22 +0200
commit: 9d7d5feacd408f22ec91afc9e88016a5ece31d32 (patch)
tree: 26e3c0ae6ce150094d267d1618bb58c15e503213
parent: c9e50e25d48690db96a3ea529feb03ed2f786450 (diff)
download: enea-kernel-cache-9d7d5feacd408f22ec91afc9e88016a5ece31d32.tar.gz
2 files changed, 78 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index c97927f..9950d18 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -18,3 +18,4 @@ patch CVE-2018-1108-random-fix-crng_ready-test.patch
 #CVEs fixed in 4.9.98:
 patch CVE-2018-1093-ext4-add-validity-checks-for-bitmap-block-numbers.patch
+patch CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch
diff --git a/patches/cve/CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch b/patches/cve/CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch
new file mode 100644
index 0000000..363fb7b
--- /dev/null
+++ b/patches/cve/CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch
@@ -0,0 +1,77 @@
+Date: Fri, 12 Oct 2018 10:25:59 +0200
+Subject: [PATCH] ARM: amba: Fix race condition with driver_override commit
+ 6a7228d90d42bcacfe38786756ba62762b91c20a upstream.
+The driver_override implementation is susceptible to a race condition
+when different threads are reading vs storing a different driver
+override.  Add locking to avoid this race condition.
+Cfr. commits 6265539776a0810b ("driver core: platform: fix race
+condition with driver_override") and 9561475db680f714 ("PCI: Fix race
+condition with driver_override").
+Fixes: 3cf385713460eb2b ("ARM: 8256/1: driver coamba: add device binding path 'driver_override'")
+CVE: CVE-2018-9415
+Upstream-Status: Backport
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Todd Kjos <tkjos@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ drivers/amba/bus.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c
+index a56fa2a..b112448 100644
+--- a/drivers/amba/bus.c
+++ b/drivers/amba/bus.c
+@@ -69,11 +69,15 @@ static ssize_t driver_override_show(struct device *_dev,
+                                    struct device_attribute *attr, char *buf)
+ {
+        struct amba_device *dev = to_amba_device(_dev);
+-
+       ssize_t len;
+ 
+        if (!dev->driver_override)
+                return 0;
+ 
+-       return sprintf(buf, "%s\n", dev->driver_override);
+       device_lock(_dev);
+       len = sprintf(buf, "%s\n", dev->driver_override);
+       device_unlock(_dev);
+       return len;
+ }
+ 
+ static ssize_t driver_override_store(struct device *_dev,
+@@ -81,7 +85,7 @@ static ssize_t driver_override_store(struct device *_dev,
+                                     const char *buf, size_t count)
+ {
+        struct amba_device *dev = to_amba_device(_dev);
+-       char *driver_override, *old = dev->driver_override, *cp;
+       char *driver_override, *old, *cp;
+ 
+        if (count > PATH_MAX)
+                return -EINVAL;
+@@ -94,12 +98,15 @@ static ssize_t driver_override_store(struct device *_dev,
+        if (cp)
+                *cp = '\0';
+ 
+       device_lock(_dev);
+       old = dev->driver_override;
+        if (strlen(driver_override)) {
+                dev->driver_override = driver_override;
+        } else {
+               kfree(driver_override);
+               dev->driver_override = NULL;
+        }
+       device_unlock(_dev);
+ 
+        kfree(old);
+ 
+--
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-12 10:48:58 +0200
committer	Adrian Dudau <Adrian.Dudau@enea.com>	2018-10-16 17:37:22 +0200
commit	9d7d5feacd408f22ec91afc9e88016a5ece31d32 (patch)
tree	26e3c0ae6ce150094d267d1618bb58c15e503213
parent	c9e50e25d48690db96a3ea529feb03ed2f786450 (diff)
download	enea-kernel-cache-9d7d5feacd408f22ec91afc9e88016a5ece31d32.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index c97927f..9950d18 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -18,3 +18,4 @@ patch CVE-2018-1108-random-fix-crng_ready-test.patch
18		18
19	#CVEs fixed in 4.9.98:	19	#CVEs fixed in 4.9.98:
20	patch CVE-2018-1093-ext4-add-validity-checks-for-bitmap-block-numbers.patch	20	patch CVE-2018-1093-ext4-add-validity-checks-for-bitmap-block-numbers.patch
		21	patch CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch


diff --git a/patches/cve/CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch b/patches/cve/CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch new file mode 100644 index 0000000..363fb7b --- /dev/null +++ b/patches/cve/CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch
@@ -0,0 +1,77 @@
		1	Date: Fri, 12 Oct 2018 10:25:59 +0200
		2	Subject: [PATCH] ARM: amba: Fix race condition with driver_override commit
		3	6a7228d90d42bcacfe38786756ba62762b91c20a upstream.
		4
		5	The driver_override implementation is susceptible to a race condition
		6	when different threads are reading vs storing a different driver
		7	override. Add locking to avoid this race condition.
		8
		9	Cfr. commits 6265539776a0810b ("driver core: platform: fix race
		10	condition with driver_override") and 9561475db680f714 ("PCI: Fix race
		11	condition with driver_override").
		12
		13	Fixes: 3cf385713460eb2b ("ARM: 8256/1: driver coamba: add device binding path 'driver_override'")
		14
		15	CVE: CVE-2018-9415
		16	Upstream-Status: Backport
		17
		18	Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
		19	Reviewed-by: Todd Kjos <tkjos@google.com>
		20	Cc: stable <stable@vger.kernel.org>
		21	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		22	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		23	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		24	---
		25	drivers/amba/bus.c \| 13 ++++++++++---
		26	1 file changed, 10 insertions(+), 3 deletions(-)
		27
		28	diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c
		29	index a56fa2a..b112448 100644
		30	--- a/drivers/amba/bus.c
		31	+++ b/drivers/amba/bus.c
		32	@@ -69,11 +69,15 @@ static ssize_t driver_override_show(struct device *_dev,
		33	struct device_attribute attr, char buf)
		34	{
		35	struct amba_device *dev = to_amba_device(_dev);
		36	-
		37	+ ssize_t len;
		38	+
		39	if (!dev->driver_override)
		40	return 0;
		41
		42	- return sprintf(buf, "%s\n", dev->driver_override);
		43	+ device_lock(_dev);
		44	+ len = sprintf(buf, "%s\n", dev->driver_override);
		45	+ device_unlock(_dev);
		46	+ return len;
		47	}
		48
		49	static ssize_t driver_override_store(struct device *_dev,
		50	@@ -81,7 +85,7 @@ static ssize_t driver_override_store(struct device *_dev,
		51	const char *buf, size_t count)
		52	{
		53	struct amba_device *dev = to_amba_device(_dev);
		54	- char driver_override, old = dev->driver_override, *cp;
		55	+ char driver_override, old, *cp;
		56
		57	if (count > PATH_MAX)
		58	return -EINVAL;
		59	@@ -94,12 +98,15 @@ static ssize_t driver_override_store(struct device *_dev,
		60	if (cp)
		61	*cp = '\0';
		62
		63	+ device_lock(_dev);
		64	+ old = dev->driver_override;
		65	if (strlen(driver_override)) {
		66	dev->driver_override = driver_override;
		67	} else {
		68	kfree(driver_override);
		69	dev->driver_override = NULL;
		70	}
		71	+ device_unlock(_dev);
		72
		73	kfree(old);
		74
		75	--
		76
		77