ieee802154: atusb: do not use the stack for buffers to make them DMA able (CVE-2017-5548)
This commit is contained in:
parent
c74f7d65fe
commit
3c00650618
|
@ -353,6 +353,8 @@ linux (4.9.5-1) UNRELEASED; urgency=medium
|
|||
[ Salvatore Bonaccorso ]
|
||||
* tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
|
||||
* HID: corsair: fix DMA buffers on stack (CVE-2017-5547)
|
||||
* ieee802154: atusb: do not use the stack for buffers to make them DMA able
|
||||
(CVE-2017-5548)
|
||||
|
||||
[ Roger Shimizu ]
|
||||
* [armel] Add DT support of Buffalo Linkstation Live v3 (LS-CHL)
|
||||
|
|
99
debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch
vendored
Normal file
99
debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch
vendored
Normal file
|
@ -0,0 +1,99 @@
|
|||
From: Stefan Schmidt <stefan@osg.samsung.com>
|
||||
Date: Thu, 15 Dec 2016 18:40:14 +0100
|
||||
Subject: ieee802154: atusb: do not use the stack for buffers to make them DMA
|
||||
able
|
||||
Origin: https://git.kernel.org/linus/05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655
|
||||
|
||||
From 4.9 we should really avoid using the stack here as this will not be DMA
|
||||
able on various platforms. This changes the buffers already being present in
|
||||
time of 4.9 being released. This should go into stable as well.
|
||||
|
||||
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
|
||||
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
||||
---
|
||||
drivers/net/ieee802154/atusb.c | 31 +++++++++++++++++++++++++++----
|
||||
1 file changed, 27 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/ieee802154/atusb.c b/drivers/net/ieee802154/atusb.c
|
||||
index 1253f86..fa3e8c3 100644
|
||||
--- a/drivers/net/ieee802154/atusb.c
|
||||
+++ b/drivers/net/ieee802154/atusb.c
|
||||
@@ -117,13 +117,26 @@ static int atusb_read_reg(struct atusb *atusb, uint8_t reg)
|
||||
{
|
||||
struct usb_device *usb_dev = atusb->usb_dev;
|
||||
int ret;
|
||||
+ uint8_t *buffer;
|
||||
uint8_t value;
|
||||
|
||||
+ buffer = kmalloc(1, GFP_KERNEL);
|
||||
+ if (!buffer)
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
dev_dbg(&usb_dev->dev, "atusb: reg = 0x%x\n", reg);
|
||||
ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
|
||||
ATUSB_REG_READ, ATUSB_REQ_FROM_DEV,
|
||||
- 0, reg, &value, 1, 1000);
|
||||
- return ret >= 0 ? value : ret;
|
||||
+ 0, reg, buffer, 1, 1000);
|
||||
+
|
||||
+ if (ret >= 0) {
|
||||
+ value = buffer[0];
|
||||
+ kfree(buffer);
|
||||
+ return value;
|
||||
+ } else {
|
||||
+ kfree(buffer);
|
||||
+ return ret;
|
||||
+ }
|
||||
}
|
||||
|
||||
static int atusb_write_subreg(struct atusb *atusb, uint8_t reg, uint8_t mask,
|
||||
@@ -608,9 +621,13 @@ static const struct ieee802154_ops atusb_ops = {
|
||||
static int atusb_get_and_show_revision(struct atusb *atusb)
|
||||
{
|
||||
struct usb_device *usb_dev = atusb->usb_dev;
|
||||
- unsigned char buffer[3];
|
||||
+ unsigned char *buffer;
|
||||
int ret;
|
||||
|
||||
+ buffer = kmalloc(3, GFP_KERNEL);
|
||||
+ if (!buffer)
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
/* Get a couple of the ATMega Firmware values */
|
||||
ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
|
||||
ATUSB_ID, ATUSB_REQ_FROM_DEV, 0, 0,
|
||||
@@ -631,15 +648,20 @@ static int atusb_get_and_show_revision(struct atusb *atusb)
|
||||
dev_info(&usb_dev->dev, "Please update to version 0.2 or newer");
|
||||
}
|
||||
|
||||
+ kfree(buffer);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int atusb_get_and_show_build(struct atusb *atusb)
|
||||
{
|
||||
struct usb_device *usb_dev = atusb->usb_dev;
|
||||
- char build[ATUSB_BUILD_SIZE + 1];
|
||||
+ char *build;
|
||||
int ret;
|
||||
|
||||
+ build = kmalloc(ATUSB_BUILD_SIZE + 1, GFP_KERNEL);
|
||||
+ if (!build)
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
|
||||
ATUSB_BUILD, ATUSB_REQ_FROM_DEV, 0, 0,
|
||||
build, ATUSB_BUILD_SIZE, 1000);
|
||||
@@ -648,6 +670,7 @@ static int atusb_get_and_show_build(struct atusb *atusb)
|
||||
dev_info(&usb_dev->dev, "Firmware: build %s\n", build);
|
||||
}
|
||||
|
||||
+ kfree(build);
|
||||
return ret;
|
||||
}
|
||||
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -98,6 +98,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
|
|||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
|
||||
bugfix/all/HID-corsair-fix-DMA-buffers-on-stack.patch
|
||||
bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|
Loading…
Reference in New Issue