ieee802154: atusb: do not use the stack for buffers to make them DMA able (CVE-2017-5548)
This commit is contained in:
parent
c74f7d65fe
commit
3c00650618
|
@ -353,6 +353,8 @@ linux (4.9.5-1) UNRELEASED; urgency=medium
|
||||||
[ Salvatore Bonaccorso ]
|
[ Salvatore Bonaccorso ]
|
||||||
* tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
|
* tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
|
||||||
* HID: corsair: fix DMA buffers on stack (CVE-2017-5547)
|
* HID: corsair: fix DMA buffers on stack (CVE-2017-5547)
|
||||||
|
* ieee802154: atusb: do not use the stack for buffers to make them DMA able
|
||||||
|
(CVE-2017-5548)
|
||||||
|
|
||||||
[ Roger Shimizu ]
|
[ Roger Shimizu ]
|
||||||
* [armel] Add DT support of Buffalo Linkstation Live v3 (LS-CHL)
|
* [armel] Add DT support of Buffalo Linkstation Live v3 (LS-CHL)
|
||||||
|
|
99
debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch
vendored
Normal file
99
debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch
vendored
Normal file
|
@ -0,0 +1,99 @@
|
||||||
|
From: Stefan Schmidt <stefan@osg.samsung.com>
|
||||||
|
Date: Thu, 15 Dec 2016 18:40:14 +0100
|
||||||
|
Subject: ieee802154: atusb: do not use the stack for buffers to make them DMA
|
||||||
|
able
|
||||||
|
Origin: https://git.kernel.org/linus/05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655
|
||||||
|
|
||||||
|
From 4.9 we should really avoid using the stack here as this will not be DMA
|
||||||
|
able on various platforms. This changes the buffers already being present in
|
||||||
|
time of 4.9 being released. This should go into stable as well.
|
||||||
|
|
||||||
|
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||||
|
Cc: stable@vger.kernel.org
|
||||||
|
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
|
||||||
|
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
||||||
|
---
|
||||||
|
drivers/net/ieee802154/atusb.c | 31 +++++++++++++++++++++++++++----
|
||||||
|
1 file changed, 27 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/drivers/net/ieee802154/atusb.c b/drivers/net/ieee802154/atusb.c
|
||||||
|
index 1253f86..fa3e8c3 100644
|
||||||
|
--- a/drivers/net/ieee802154/atusb.c
|
||||||
|
+++ b/drivers/net/ieee802154/atusb.c
|
||||||
|
@@ -117,13 +117,26 @@ static int atusb_read_reg(struct atusb *atusb, uint8_t reg)
|
||||||
|
{
|
||||||
|
struct usb_device *usb_dev = atusb->usb_dev;
|
||||||
|
int ret;
|
||||||
|
+ uint8_t *buffer;
|
||||||
|
uint8_t value;
|
||||||
|
|
||||||
|
+ buffer = kmalloc(1, GFP_KERNEL);
|
||||||
|
+ if (!buffer)
|
||||||
|
+ return -ENOMEM;
|
||||||
|
+
|
||||||
|
dev_dbg(&usb_dev->dev, "atusb: reg = 0x%x\n", reg);
|
||||||
|
ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
|
||||||
|
ATUSB_REG_READ, ATUSB_REQ_FROM_DEV,
|
||||||
|
- 0, reg, &value, 1, 1000);
|
||||||
|
- return ret >= 0 ? value : ret;
|
||||||
|
+ 0, reg, buffer, 1, 1000);
|
||||||
|
+
|
||||||
|
+ if (ret >= 0) {
|
||||||
|
+ value = buffer[0];
|
||||||
|
+ kfree(buffer);
|
||||||
|
+ return value;
|
||||||
|
+ } else {
|
||||||
|
+ kfree(buffer);
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
static int atusb_write_subreg(struct atusb *atusb, uint8_t reg, uint8_t mask,
|
||||||
|
@@ -608,9 +621,13 @@ static const struct ieee802154_ops atusb_ops = {
|
||||||
|
static int atusb_get_and_show_revision(struct atusb *atusb)
|
||||||
|
{
|
||||||
|
struct usb_device *usb_dev = atusb->usb_dev;
|
||||||
|
- unsigned char buffer[3];
|
||||||
|
+ unsigned char *buffer;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
+ buffer = kmalloc(3, GFP_KERNEL);
|
||||||
|
+ if (!buffer)
|
||||||
|
+ return -ENOMEM;
|
||||||
|
+
|
||||||
|
/* Get a couple of the ATMega Firmware values */
|
||||||
|
ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
|
||||||
|
ATUSB_ID, ATUSB_REQ_FROM_DEV, 0, 0,
|
||||||
|
@@ -631,15 +648,20 @@ static int atusb_get_and_show_revision(struct atusb *atusb)
|
||||||
|
dev_info(&usb_dev->dev, "Please update to version 0.2 or newer");
|
||||||
|
}
|
||||||
|
|
||||||
|
+ kfree(buffer);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int atusb_get_and_show_build(struct atusb *atusb)
|
||||||
|
{
|
||||||
|
struct usb_device *usb_dev = atusb->usb_dev;
|
||||||
|
- char build[ATUSB_BUILD_SIZE + 1];
|
||||||
|
+ char *build;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
+ build = kmalloc(ATUSB_BUILD_SIZE + 1, GFP_KERNEL);
|
||||||
|
+ if (!build)
|
||||||
|
+ return -ENOMEM;
|
||||||
|
+
|
||||||
|
ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
|
||||||
|
ATUSB_BUILD, ATUSB_REQ_FROM_DEV, 0, 0,
|
||||||
|
build, ATUSB_BUILD_SIZE, 1000);
|
||||||
|
@@ -648,6 +670,7 @@ static int atusb_get_and_show_build(struct atusb *atusb)
|
||||||
|
dev_info(&usb_dev->dev, "Firmware: build %s\n", build);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ kfree(build);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.1.4
|
||||||
|
|
|
@ -98,6 +98,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
|
||||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||||
bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
|
bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
|
||||||
bugfix/all/HID-corsair-fix-DMA-buffers-on-stack.patch
|
bugfix/all/HID-corsair-fix-DMA-buffers-on-stack.patch
|
||||||
|
bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch
|
||||||
|
|
||||||
# Fix exported symbol versions
|
# Fix exported symbol versions
|
||||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||||
|
|
Loading…
Reference in New Issue