[linux] 03/03: media: saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Thu Aug 3 19:05:04 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch master
in repository linux.
commit 693284da5b8af3493cf343ecc6fc7b11e99c313d
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Thu Aug 3 20:35:38 2017 +0200
media: saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
---
debian/changelog | 1 +
...64-fix-double-fetch-PCIe-access-condition.patch | 77 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 79 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 1afb032..ba914be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -26,6 +26,7 @@ linux (4.12.3-1~exp1) UNRELEASED; urgency=medium
[ Salvatore Bonaccorso ]
* dentry name snapshots (CVE-2017-7533)
* ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
+ * media: saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
-- Ben Hutchings <ben at decadent.org.uk> Tue, 18 Jul 2017 13:26:41 +0100
diff --git a/debian/patches/bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch b/debian/patches/bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
new file mode 100644
index 0000000..bc642e1
--- /dev/null
+++ b/debian/patches/bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
@@ -0,0 +1,77 @@
+From: Steven Toth <stoth at kernellabs.com>
+Date: Tue, 6 Jun 2017 09:30:27 -0300
+Subject: [media] saa7164: fix double fetch PCIe access condition
+Origin: https://git.kernel.org/linus/6fb05e0dd32e566facb96ea61a48c7488daa5ac3
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8831
+
+Avoid a double fetch by reusing the values from the prior transfer.
+
+Originally reported via https://bugzilla.kernel.org/show_bug.cgi?id=195559
+
+Thanks to Pengfei Wang <wpengfeinudt at gmail.com> for reporting.
+
+Signed-off-by: Steven Toth <stoth at kernellabs.com>
+Reported-by: Pengfei Wang <wpengfeinudt at gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at s-opensource.com>
+---
+ drivers/media/pci/saa7164/saa7164-bus.c | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/drivers/media/pci/saa7164/saa7164-bus.c b/drivers/media/pci/saa7164/saa7164-bus.c
+index b2ff82fa7116..ecfeac5cdbed 100644
+--- a/drivers/media/pci/saa7164/saa7164-bus.c
++++ b/drivers/media/pci/saa7164/saa7164-bus.c
+@@ -389,11 +389,11 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
+ msg_tmp.size = le16_to_cpu((__force __le16)msg_tmp.size);
+ msg_tmp.command = le32_to_cpu((__force __le32)msg_tmp.command);
+ msg_tmp.controlselector = le16_to_cpu((__force __le16)msg_tmp.controlselector);
++ memcpy(msg, &msg_tmp, sizeof(*msg));
+
+ /* No need to update the read positions, because this was a peek */
+ /* If the caller specifically want to peek, return */
+ if (peekonly) {
+- memcpy(msg, &msg_tmp, sizeof(*msg));
+ goto peekout;
+ }
+
+@@ -438,21 +438,15 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
+ space_rem = bus->m_dwSizeGetRing - curr_grp;
+
+ if (space_rem < sizeof(*msg)) {
+- /* msg wraps around the ring */
+- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, space_rem);
+- memcpy_fromio((u8 *)msg + space_rem, bus->m_pdwGetRing,
+- sizeof(*msg) - space_rem);
+ if (buf)
+ memcpy_fromio(buf, bus->m_pdwGetRing + sizeof(*msg) -
+ space_rem, buf_size);
+
+ } else if (space_rem == sizeof(*msg)) {
+- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
+ if (buf)
+ memcpy_fromio(buf, bus->m_pdwGetRing, buf_size);
+ } else {
+ /* Additional data wraps around the ring */
+- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
+ if (buf) {
+ memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp +
+ sizeof(*msg), space_rem - sizeof(*msg));
+@@ -465,15 +459,10 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
+
+ } else {
+ /* No wrapping */
+- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
+ if (buf)
+ memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + sizeof(*msg),
+ buf_size);
+ }
+- /* Convert from little endian to CPU */
+- msg->size = le16_to_cpu((__force __le16)msg->size);
+- msg->command = le32_to_cpu((__force __le32)msg->command);
+- msg->controlselector = le16_to_cpu((__force __le16)msg->controlselector);
+
+ /* Update the read positions, adjusting the ring */
+ saa7164_writel(bus->m_dwGetReadPos, new_grp);
+--
+2.11.0
+
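Review bot: The `memcpy(msg, &msg_tmp, sizeof(*msg))` hoisted to the top of the first hunk carries no comment saying why the header is no longer re-read from the ring in the branches below, so the removed `memcpy_fromio(msg, ...)` calls are easy to reintroduce later as an apparent omission. I would annotate it with `/* Reuse the peeked header: re-reading it from the device-owned ring (memcpy_fromio) would let the values change after they were validated (double fetch). */`. Note also that `msg` is now written before the `peekonly` test and before whatever runs between the two hunks; if any check there can fail and return early, callers now see a populated `msg` on that error path where the old non-peek path left it untouched, which is worth confirming no caller relies on. saa7164_bus_get begins before the first hunk and ends after the last, so the size validation that the single fetch now protects is outside this view.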
diff --git a/debian/patches/series b/debian/patches/series
index 32c61ae..52ab472 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -119,6 +119,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/dentry-name-snapshots.patch
bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
# Fix exported symbol versions
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
--