[linux] 02/02: ieee802154: atusb: do not use the stack for buffers to make them DMA able (CVE-2017-5548)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Mon Jan 23 20:19:39 UTC 2017


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit 3c00650618e7657870d89664bbfcf10541a7e9aa
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Mon Jan 23 20:59:00 2017 +0100

    ieee802154: atusb: do not use the stack for buffers to make them DMA able (CVE-2017-5548)
---
 debian/changelog                                   |  2 +
 ...atusb-do-not-use-the-stack-for-buffers-to.patch | 99 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 102 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 4d07bb1..8c2d3b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -353,6 +353,8 @@ linux (4.9.5-1) UNRELEASED; urgency=medium
   [ Salvatore Bonaccorso ]
   * tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
   * HID: corsair: fix DMA buffers on stack (CVE-2017-5547)
+  * ieee802154: atusb: do not use the stack for buffers to make them DMA able
+    (CVE-2017-5548)
 
   [ Roger Shimizu ]
   * [armel] Add DT support of Buffalo Linkstation Live v3 (LS-CHL)
diff --git a/debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch b/debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch
new file mode 100644
index 0000000..7fe5415
--- /dev/null
+++ b/debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch
@@ -0,0 +1,99 @@
+From: Stefan Schmidt <stefan at osg.samsung.com>
+Date: Thu, 15 Dec 2016 18:40:14 +0100
+Subject: ieee802154: atusb: do not use the stack for buffers to make them DMA
+ able
+Origin: https://git.kernel.org/linus/05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655
+
+From 4.9 we should really avoid using the stack here as this will not be DMA
+able on various platforms. This changes the buffers already being present in
+time of 4.9 being released. This should go into stable as well.
+
+Reported-by: Dan Carpenter <dan.carpenter at oracle.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: Stefan Schmidt <stefan at osg.samsung.com>
+Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+---
+ drivers/net/ieee802154/atusb.c | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ieee802154/atusb.c b/drivers/net/ieee802154/atusb.c
+index 1253f86..fa3e8c3 100644
+--- a/drivers/net/ieee802154/atusb.c
++++ b/drivers/net/ieee802154/atusb.c
+@@ -117,13 +117,26 @@ static int atusb_read_reg(struct atusb *atusb, uint8_t reg)
+ {
+ 	struct usb_device *usb_dev = atusb->usb_dev;
+ 	int ret;
++	uint8_t *buffer;
+ 	uint8_t value;
+ 
++	buffer = kmalloc(1, GFP_KERNEL);
++	if (!buffer)
++		return -ENOMEM;
++
+ 	dev_dbg(&usb_dev->dev, "atusb: reg = 0x%x\n", reg);
+ 	ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ 				ATUSB_REG_READ, ATUSB_REQ_FROM_DEV,
+-				0, reg, &value, 1, 1000);
+-	return ret >= 0 ? value : ret;
++				0, reg, buffer, 1, 1000);
++
++	if (ret >= 0) {
++		value = buffer[0];
++		kfree(buffer);
++		return value;
++	} else {
++		kfree(buffer);
++		return ret;
++	}
+ }
+ 
+ static int atusb_write_subreg(struct atusb *atusb, uint8_t reg, uint8_t mask,
+@@ -608,9 +621,13 @@ static const struct ieee802154_ops atusb_ops = {
+ static int atusb_get_and_show_revision(struct atusb *atusb)
+ {
+ 	struct usb_device *usb_dev = atusb->usb_dev;
+-	unsigned char buffer[3];
++	unsigned char *buffer;
+ 	int ret;
+ 
++	buffer = kmalloc(3, GFP_KERNEL);
++	if (!buffer)
++		return -ENOMEM;
++
+ 	/* Get a couple of the ATMega Firmware values */
+ 	ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ 				ATUSB_ID, ATUSB_REQ_FROM_DEV, 0, 0,
+@@ -631,15 +648,20 @@ static int atusb_get_and_show_revision(struct atusb *atusb)
+ 		dev_info(&usb_dev->dev, "Please update to version 0.2 or newer");
+ 	}
+ 
++	kfree(buffer);
+ 	return ret;
+ }
+ 
+ static int atusb_get_and_show_build(struct atusb *atusb)
+ {
+ 	struct usb_device *usb_dev = atusb->usb_dev;
+-	char build[ATUSB_BUILD_SIZE + 1];
++	char *build;
+ 	int ret;
+ 
++	build = kmalloc(ATUSB_BUILD_SIZE + 1, GFP_KERNEL);
++	if (!build)
++		return -ENOMEM;
++
+ 	ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ 				ATUSB_BUILD, ATUSB_REQ_FROM_DEV, 0, 0,
+ 				build, ATUSB_BUILD_SIZE, 1000);
+@@ -648,6 +670,7 @@ static int atusb_get_and_show_build(struct atusb *atusb)
+ 		dev_info(&usb_dev->dev, "Firmware: build %s\n", build);
+ 	}
+ 
++	kfree(build);
+ 	return ret;
+ }
+ 
+-- 
+2.1.4
+
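Review bot: In atusb_read_reg the new `if (ret >= 0)` branch still returns `buffer[0]` when the transfer succeeds with zero bytes. Assuming atusb_control_msg returns the transferred length like usb_control_msg does, and since `kmalloc` does not zero memory, the caller would then get an uninitialised heap byte as the register value. Treating a short read as a failure closes that gap, e.g. `if (ret < 1) { kfree(buffer); return ret < 0 ? ret : -EIO; }` before reading `buffer[0]`, which also lets the success path use a single `kfree(buffer)`. In atusb_get_and_show_build, `build` is now an uninitialised heap allocation printed with `%s`, so its NUL terminator has to be written from `ret` in lines outside these hunks; that is worth confirming. The bodies of atusb_get_and_show_revision and atusb_get_and_show_build are only partly visible here, so I could not check for an early return between the `kmalloc` and the added `kfree`.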
diff --git a/debian/patches/series b/debian/patches/series
index 12a3016..65074a9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -98,6 +98,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
 bugfix/all/HID-corsair-fix-DMA-buffers-on-stack.patch
+bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


