From 5484a6476e1dad17e22357c3bb84bfdaaf7cea3e Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Fri, 29 Sep 2017 15:05:15 +0200
Subject: linux-cavium: CVE-2017-8831 Double fetch vulnerability in saa7164_bus_get function
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8831
Signed-off-by: Sona Sarmadi
Signed-off-by: Martin Borg
---
.../linux/linux-cavium/CVE-2017-8831.patch | 75 ++++++++++++++++++++++
recipes-kernel/linux/linux-cavium_4.9.inc | 1 +
2 files changed, 76 insertions(+)
create mode 100644 recipes-kernel/linux/linux-cavium/CVE-2017-8831.patch
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-8831.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-8831.patch
new file mode 100644
index 0000000..cfa533a
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-8831.patch
@@ -0,0 +1,75 @@ +From 354dd3924a2e43806774953de536257548b5002c Mon Sep 17 00:00:00 2001 +From: Steven Toth +Date: Tue, 6 Jun 2017 08:30:27 -0400 +Subject: [PATCH] [PATCH] saa7164: Bug - Double fetch PCIe access condition + +Avoid a double fetch by reusing the values from the prior transfer. + +Originally reported via https://bugzilla.kernel.org/show_bug.cgi?id=195559 + +Thanks to Pengfei Wang for reporting. + +CVE: CVE-2017-8831 +Upstream-Status: Backport [backport from ... + +Signed-off-by: Steven Toth +Signed-off-by: Sona Sarmadi +--- + drivers/media/pci/saa7164/saa7164-bus.c | 13 +------------ + 1 file changed, 1 insertion(+), 12 deletions(-) + +diff --git a/drivers/media/pci/saa7164/saa7164-bus.c b/drivers/media/pci/saa7164/saa7164-bus.c +index b2ff82fa7116..ecfeac5cdbed 100644 +--- a/drivers/media/pci/saa7164/saa7164-bus.c ++++ b/drivers/media/pci/saa7164/saa7164-bus.c +@@ -389,11 +389,11 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg, + msg_tmp.size = le16_to_cpu((__force __le16)msg_tmp.size); + msg_tmp.command = le32_to_cpu((__force __le32)msg_tmp.command); + msg_tmp.controlselector = le16_to_cpu((__force __le16)msg_tmp.controlselector); ++ memcpy(msg, &msg_tmp, sizeof(*msg)); + + /* No need to update the read positions, because this was a peek */ + /* If the caller specifically want to peek, return */ + if (peekonly) { +- memcpy(msg, &msg_tmp, sizeof(*msg)); + goto peekout; + } + +@@ -438,21 +438,15 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg, + space_rem = bus->m_dwSizeGetRing - curr_grp; + + if (space_rem < sizeof(*msg)) { +- /* msg wraps around the ring */ +- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, space_rem); +- memcpy_fromio((u8 *)msg + space_rem, bus->m_pdwGetRing, +- sizeof(*msg) - space_rem); + if (buf) + memcpy_fromio(buf, bus->m_pdwGetRing + sizeof(*msg) - + space_rem, buf_size); + + } else if (space_rem == sizeof(*msg)) { +- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, 
sizeof(*msg)); + if (buf) + memcpy_fromio(buf, bus->m_pdwGetRing, buf_size); + } else { + /* Additional data wraps around the ring */ +- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg)); + if (buf) { + memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + + sizeof(*msg), space_rem - sizeof(*msg)); +@@ -465,15 +459,10 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg, + + } else { + /* No wrapping */ +- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg)); + if (buf) + memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + sizeof(*msg), + buf_size); + } +- /* Convert from little endian to CPU */ +- msg->size = le16_to_cpu((__force __le16)msg->size); +- msg->command = le32_to_cpu((__force __le32)msg->command); +- msg->controlselector = le16_to_cpu((__force __le16)msg->controlselector); + + /* Update the read positions, adjusting the ring */ + saa7164_writel(bus->m_dwGetReadPos, new_grp); diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index 6e79f44..0089d62 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc @@ -36,6 +36,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi file://CVE-2017-8067.patch \ file://CVE-2017-8068.patch \ file://CVE-2017-8069.patch \ + file://CVE-2017-8831.patch \ file://CVE-2017-1000364.patch \ " -- cgit v1.2.3-54-g00ecf
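Review bot: Hoisting `memcpy(msg, &msg_tmp, sizeof(*msg))` above the `if (peekonly)` test in the first inner hunk overwrites the caller-supplied `msg` on the non-peek path too, so any code between the inner hunks that compares the fetched header with what the caller expected (upstream 4.9 has an "Unexpected msg miss-match" check on id/command/controlselector/seqno/size right after the peek return) now compares `msg_tmp` against a copy of itself and can never fire; that stretch is not visible here, so confirm it against the linux-cavium tree. With that check neutralised, the `buf_size` passed to the `memcpy_fromio(buf, …, buf_size)` calls that remain in the second inner hunk is, if it is still taken from `msg->size` as upstream does, the size read from the device ring rather than the value the caller had validated against `m_wMaxReqSize`, so a faulty or hostile device could make those copies overrun `buf`. Keeping the copy inside the peek branch, `if (peekonly) { memcpy(msg, &msg_tmp, sizeof(*msg)); goto peekout; }`, and adding a single `memcpy(msg, &msg_tmp, sizeof(*msg));` just before `saa7164_writel(bus->m_dwGetReadPos, new_grp);` still removes the second PCIe fetch the CVE is about while leaving the expected-message comparison meaningful. The `Upstream-Status: Backport [backport from ...` line also looks cut off; if that is in the file rather than this rendering, it should name the upstream commit visible on the patch's own From line, `Upstream-Status: Backport [354dd3924a2e43806774953de536257548b5002c]`. saa7164_bus_get begins before the first inner hunk and ends after the last one.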