[linux] 03/03: media: saa7164: fix double fetch PCIe access condition (CVE-2017-8831)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Aug 3 19:05:04 UTC 2017



carnil pushed a commit to branch master
in repository linux.

commit 693284da5b8af3493cf343ecc6fc7b11e99c313d
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Aug 3 20:35:38 2017 +0200

    media: saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
---
 debian/changelog                                   |  1 +
 ...64-fix-double-fetch-PCIe-access-condition.patch | 77 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 79 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 1afb032..ba914be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -26,6 +26,7 @@ linux (4.12.3-1~exp1) UNRELEASED; urgency=medium
   [ Salvatore Bonaccorso ]
   * dentry name snapshots (CVE-2017-7533)
   * ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
+  * media: saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Tue, 18 Jul 2017 13:26:41 +0100
 
diff --git a/debian/patches/bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch b/debian/patches/bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
new file mode 100644
index 0000000..bc642e1
--- /dev/null
+++ b/debian/patches/bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
@@ -0,0 +1,77 @@
+From: Steven Toth <stoth at kernellabs.com>
+Date: Tue, 6 Jun 2017 09:30:27 -0300
+Subject: [media] saa7164: fix double fetch PCIe access condition
+Origin: https://git.kernel.org/linus/6fb05e0dd32e566facb96ea61a48c7488daa5ac3
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8831
+
+Avoid a double fetch by reusing the values from the prior transfer.
+
+Originally reported via https://bugzilla.kernel.org/show_bug.cgi?id=195559
+
+Thanks to Pengfei Wang <wpengfeinudt at gmail.com> for reporting.
+
+Signed-off-by: Steven Toth <stoth at kernellabs.com>
+Reported-by: Pengfei Wang <wpengfeinudt at gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at s-opensource.com>
+---
+ drivers/media/pci/saa7164/saa7164-bus.c | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/drivers/media/pci/saa7164/saa7164-bus.c b/drivers/media/pci/saa7164/saa7164-bus.c
+index b2ff82fa7116..ecfeac5cdbed 100644
+--- a/drivers/media/pci/saa7164/saa7164-bus.c
++++ b/drivers/media/pci/saa7164/saa7164-bus.c
+@@ -389,11 +389,11 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
+ 	msg_tmp.size = le16_to_cpu((__force __le16)msg_tmp.size);
+ 	msg_tmp.command = le32_to_cpu((__force __le32)msg_tmp.command);
+ 	msg_tmp.controlselector = le16_to_cpu((__force __le16)msg_tmp.controlselector);
++	memcpy(msg, &msg_tmp, sizeof(*msg));
+ 
+ 	/* No need to update the read positions, because this was a peek */
+ 	/* If the caller specifically want to peek, return */
+ 	if (peekonly) {
+-		memcpy(msg, &msg_tmp, sizeof(*msg));
+ 		goto peekout;
+ 	}
+ 
+@@ -438,21 +438,15 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
+ 		space_rem = bus->m_dwSizeGetRing - curr_grp;
+ 
+ 		if (space_rem < sizeof(*msg)) {
+-			/* msg wraps around the ring */
+-			memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, space_rem);
+-			memcpy_fromio((u8 *)msg + space_rem, bus->m_pdwGetRing,
+-				sizeof(*msg) - space_rem);
+ 			if (buf)
+ 				memcpy_fromio(buf, bus->m_pdwGetRing + sizeof(*msg) -
+ 					space_rem, buf_size);
+ 
+ 		} else if (space_rem == sizeof(*msg)) {
+-			memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
+ 			if (buf)
+ 				memcpy_fromio(buf, bus->m_pdwGetRing, buf_size);
+ 		} else {
+ 			/* Additional data wraps around the ring */
+-			memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
+ 			if (buf) {
+ 				memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp +
+ 					sizeof(*msg), space_rem - sizeof(*msg));
+@@ -465,15 +459,10 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
+ 
+ 	} else {
+ 		/* No wrapping */
+-		memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
+ 		if (buf)
+ 			memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + sizeof(*msg),
+ 				buf_size);
+ 	}
+-	/* Convert from little endian to CPU */
+-	msg->size = le16_to_cpu((__force __le16)msg->size);
+-	msg->command = le32_to_cpu((__force __le32)msg->command);
+-	msg->controlselector = le16_to_cpu((__force __le16)msg->controlselector);
+ 
+ 	/* Update the read positions, adjusting the ring */
+ 	saa7164_writel(bus->m_dwGetReadPos, new_grp);
+-- 
+2.11.0
+
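Review bot: Hoisting `memcpy(msg, &msg_tmp, sizeof(*msg));` above the `peekonly` test in the first hunk changes the contract on error paths: the caller's `msg` is now written before whatever checks follow between the first and second hunk, whereas before this patch the non-peek path only filled `msg` after the ring reads, so an early error return presumably leaves a populated `msg` where it used to be untouched. If any caller inspects `msg` after a failed call this should be spelled out on the prototype, e.g. `/* On error *msg may already hold the header read by the initial peek. */`, or confirmed harmless in the commit message. Dropping the second `memcpy_fromio` into `msg` in the later hunks is the right fix for the double fetch: the header, including `size`, is fetched from device memory once and the converted copy is reused, so the device cannot alter it between the check and the use. saa7164_bus_get begins before the first hunk and continues past the last one, so the intervening checks are not visible here.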
diff --git a/debian/patches/series b/debian/patches/series
index 32c61ae..52ab472 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -119,6 +119,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/dentry-name-snapshots.patch
 bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
 
 # Fix exported symbol versions
 bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch



