diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2019-05-21 16:06:15 +0200 |
|---|---|---|
| committer | Adrian Mangeac <Adrian.Mangeac@enea.com> | 2019-05-21 17:33:14 +0200 |
| commit | 197bf9e8fc6b61145890c70edc0769ef38992b44 (patch) | |
| tree | b9bcd9ed4abb63a5d03342b6eddd21ec0c0cfa8e | |
| parent | 8fe9a92a93b62e5bf943555503d93ab353d1f7a3 (diff) | |
| download | enea-kernel-cache-197bf9e8fc6b61145890c70edc0769ef38992b44.tar.gz | |
media: CVE-2017-16538
media: dvb-usb-v2: lmedm04: Improve logic checking of warm
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-16538
[https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=fd31a38d268f50afe9c5cd3d4beafa020ad39e90
Change-Id: I6d58abb0b13bd5b760f8c5b61e2bff42acf45a0e
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
| -rw-r--r-- | patches/cve/CVE-2017-16538-media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/patches/cve/CVE-2017-16538-media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch b/patches/cve/CVE-2017-16538-media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch new file mode 100644 index 0000000..0366cca --- /dev/null +++ b/patches/cve/CVE-2017-16538-media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch | |||
| @@ -0,0 +1,95 @@ | |||
| 1 | From fd31a38d268f50afe9c5cd3d4beafa020ad39e90 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Malcolm Priestley <tvboxspy@gmail.com> | ||
| 3 | Date: Tue, 26 Sep 2017 17:10:20 -0400 | ||
| 4 | Subject: [PATCH] media: dvb-usb-v2: lmedm04: Improve logic checking of warm | ||
| 5 | start | ||
| 6 | |||
| 7 | commit 3d932ee27e852e4904647f15b64dedca51187ad7 upstream. | ||
| 8 | |||
| 9 | Warm start has no check as whether a genuine device has | ||
| 10 | connected and proceeds to next execution path. | ||
| 11 | |||
| 12 | Check device should read 0x47 at offset of 2 on USB descriptor read | ||
| 13 | and it is the amount requested of 6 bytes. | ||
| 14 | |||
| 15 | Fix for | ||
| 16 | kasan: CONFIG_KASAN_INLINE enabled | ||
| 17 | kasan: GPF could be caused by NULL-ptr deref or user memory access as | ||
| 18 | |||
| 19 | CVE: CVE-2017-16538 | ||
| 20 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=fd31a38d268f50afe9c5cd3d4beafa020ad39e90] | ||
| 21 | |||
| 22 | Reported-by: Andrey Konovalov <andreyknvl@google.com> | ||
| 23 | Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com> | ||
| 24 | Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> | ||
| 25 | Cc: Ben Hutchings <ben.hutchings@codethink.co.uk> | ||
| 26 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 27 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 28 | --- | ||
| 29 | drivers/media/usb/dvb-usb-v2/lmedm04.c | 26 ++++++++++++++++++-------- | ||
| 30 | 1 file changed, 18 insertions(+), 8 deletions(-) | ||
| 31 | |||
| 32 | diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c | ||
| 33 | index 5e320fa4a795..992f2011a6ba 100644 | ||
| 34 | --- a/drivers/media/usb/dvb-usb-v2/lmedm04.c | ||
| 35 | +++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c | ||
| 36 | @@ -494,18 +494,23 @@ static int lme2510_pid_filter(struct dvb_usb_adapter *adap, int index, u16 pid, | ||
| 37 | |||
| 38 | static int lme2510_return_status(struct dvb_usb_device *d) | ||
| 39 | { | ||
| 40 | - int ret = 0; | ||
| 41 | + int ret; | ||
| 42 | u8 *data; | ||
| 43 | |||
| 44 | - data = kzalloc(10, GFP_KERNEL); | ||
| 45 | + data = kzalloc(6, GFP_KERNEL); | ||
| 46 | if (!data) | ||
| 47 | return -ENOMEM; | ||
| 48 | |||
| 49 | - ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), | ||
| 50 | - 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200); | ||
| 51 | - info("Firmware Status: %x (%x)", ret , data[2]); | ||
| 52 | + ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), | ||
| 53 | + 0x06, 0x80, 0x0302, 0x00, | ||
| 54 | + data, 0x6, 200); | ||
| 55 | + if (ret != 6) | ||
| 56 | + ret = -EINVAL; | ||
| 57 | + else | ||
| 58 | + ret = data[2]; | ||
| 59 | + | ||
| 60 | + info("Firmware Status: %6ph", data); | ||
| 61 | |||
| 62 | - ret = (ret < 0) ? -ENODEV : data[2]; | ||
| 63 | kfree(data); | ||
| 64 | return ret; | ||
| 65 | } | ||
| 66 | @@ -1189,6 +1194,7 @@ static int lme2510_get_adapter_count(struct dvb_usb_device *d) | ||
| 67 | static int lme2510_identify_state(struct dvb_usb_device *d, const char **name) | ||
| 68 | { | ||
| 69 | struct lme2510_state *st = d->priv; | ||
| 70 | + int status; | ||
| 71 | |||
| 72 | usb_reset_configuration(d->udev); | ||
| 73 | |||
| 74 | @@ -1197,12 +1203,16 @@ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name) | ||
| 75 | |||
| 76 | st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware; | ||
| 77 | |||
| 78 | - if (lme2510_return_status(d) == 0x44) { | ||
| 79 | + status = lme2510_return_status(d); | ||
| 80 | + if (status == 0x44) { | ||
| 81 | *name = lme_firmware_switch(d, 0); | ||
| 82 | return COLD; | ||
| 83 | } | ||
| 84 | |||
| 85 | - return 0; | ||
| 86 | + if (status != 0x47) | ||
| 87 | + return -EINVAL; | ||
| 88 | + | ||
| 89 | + return WARM; | ||
| 90 | } | ||
| 91 | |||
| 92 | static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type, | ||
| 93 | -- | ||
| 94 | 2.20.1 | ||
| 95 | |||