diff --git a/debian/changelog b/debian/changelog
index 4d07bb11d..8c2d3b2ca 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -353,6 +353,8 @@ linux (4.9.5-1) UNRELEASED; urgency=medium
 [ Salvatore Bonaccorso ]
 * tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
 * HID: corsair: fix DMA buffers on stack (CVE-2017-5547)
+ * ieee802154: atusb: do not use the stack for buffers to make them DMA able
+ (CVE-2017-5548)
 [ Roger Shimizu ]
 * [armel] Add DT support of Buffalo Linkstation Live v3 (LS-CHL)
diff --git a/debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch b/debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch
new file mode 100644
index 000000000..7fe5415c6
--- /dev/null
+++ b/debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch
@@ -0,0 +1,99 @@
+From: Stefan Schmidt
+Date: Thu, 15 Dec 2016 18:40:14 +0100
+Subject: ieee802154: atusb: do not use the stack for buffers to make them DMA
+ able
+Origin: https://git.kernel.org/linus/05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655
+
+From 4.9 we should really avoid using the stack here as this will not be DMA
+able on various platforms. This changes the buffers already being present in
+time of 4.9 being released. This should go into stable as well.
+
+Reported-by: Dan Carpenter
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefan Schmidt
+Signed-off-by: Marcel Holtmann
+---
+ drivers/net/ieee802154/atusb.c | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ieee802154/atusb.c b/drivers/net/ieee802154/atusb.c
+index 1253f86..fa3e8c3 100644
+--- a/drivers/net/ieee802154/atusb.c
++++ b/drivers/net/ieee802154/atusb.c
+@@ -117,13 +117,26 @@ static int atusb_read_reg(struct atusb *atusb, uint8_t reg)
+ {
+ struct usb_device *usb_dev = atusb->usb_dev;
+ int ret;
++ uint8_t *buffer;
+ uint8_t value;
+
++ buffer = kmalloc(1, GFP_KERNEL);
++ if (!buffer)
++ return -ENOMEM;
++
+ dev_dbg(&usb_dev->dev, "atusb: reg = 0x%x\n", reg);
+ ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ ATUSB_REG_READ, ATUSB_REQ_FROM_DEV,
+- 0, reg, &value, 1, 1000);
+- return ret >= 0 ? value : ret;
++ 0, reg, buffer, 1, 1000);
++
++ if (ret >= 0) {
++ value = buffer[0];
++ kfree(buffer);
++ return value;
++ } else {
++ kfree(buffer);
++ return ret;
++ }
+ }
+
+ static int atusb_write_subreg(struct atusb *atusb, uint8_t reg, uint8_t mask,
+@@ -608,9 +621,13 @@ static const struct ieee802154_ops atusb_ops = {
+ static int atusb_get_and_show_revision(struct atusb *atusb)
+ {
+ struct usb_device *usb_dev = atusb->usb_dev;
+- unsigned char buffer[3];
++ unsigned char *buffer;
+ int ret;
+
++ buffer = kmalloc(3, GFP_KERNEL);
++ if (!buffer)
++ return -ENOMEM;
++
+ /* Get a couple of the ATMega Firmware values */
+ ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ ATUSB_ID, ATUSB_REQ_FROM_DEV, 0, 0,
+@@ -631,15 +648,20 @@ static int atusb_get_and_show_revision(struct atusb *atusb)
+ dev_info(&usb_dev->dev, "Please update to version 0.2 or newer");
+ }
+
++ kfree(buffer);
+ return ret;
+ }
+
+ static int atusb_get_and_show_build(struct atusb *atusb)
+ {
+ struct usb_device *usb_dev = atusb->usb_dev;
+- char build[ATUSB_BUILD_SIZE + 1];
++ char *build;
+ int ret;
+
++ build = kmalloc(ATUSB_BUILD_SIZE + 1, GFP_KERNEL);
++ if (!build)
++ return -ENOMEM;
++
+ ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ ATUSB_BUILD, ATUSB_REQ_FROM_DEV, 0, 0,
+ build, ATUSB_BUILD_SIZE, 1000);
+@@ -648,6 +670,7 @@ static int atusb_get_and_show_build(struct atusb *atusb)
+ dev_info(&usb_dev->dev, "Firmware: build %s\n", build);
+ }
+
++ kfree(build);
+ return ret;
+ }
+
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 12a301691..65074a9fd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
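Review bot: In atusb_read_reg the new `if (ret >= 0)` branch returns `buffer[0]` even when the transfer moved zero bytes, and because the buffer now comes from `kmalloc` rather than a zeroing allocator, that byte is uninitialised heap memory handed back as a register value. This assumes atusb_control_msg passes through the transferred byte count the way usb_control_msg does; its body is not in the hunk. Requiring a full read, e.g. `if (ret < 1) { kfree(buffer); return ret < 0 ? ret : -EIO; }`, or allocating with `kzalloc(1, GFP_KERNEL)`, would close that; the 3-byte revision read and the ATUSB_BUILD_SIZE build read may share the same `ret >= 0` pattern, but their checks sit between the hunks and are not visible here. Since this file is a backport of the commit named in Origin, such a change would be better carried upstream than in the Debian copy.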
@@ -98,6 +98,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
 bugfix/all/HID-corsair-fix-DMA-buffers-on-stack.patch
+bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch