[linux] 02/02: ieee802154: atusb: do not use the stack for buffers to make them DMA able (CVE-2017-5548)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Mon Jan 23 20:19:39 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch sid
in repository linux.
commit 3c00650618e7657870d89664bbfcf10541a7e9aa
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Mon Jan 23 20:59:00 2017 +0100
ieee802154: atusb: do not use the stack for buffers to make them DMA able (CVE-2017-5548)
---
debian/changelog | 2 +
...atusb-do-not-use-the-stack-for-buffers-to.patch | 99 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 102 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 4d07bb1..8c2d3b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -353,6 +353,8 @@ linux (4.9.5-1) UNRELEASED; urgency=medium
[ Salvatore Bonaccorso ]
* tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
* HID: corsair: fix DMA buffers on stack (CVE-2017-5547)
+ * ieee802154: atusb: do not use the stack for buffers to make them DMA able
+ (CVE-2017-5548)
[ Roger Shimizu ]
* [armel] Add DT support of Buffalo Linkstation Live v3 (LS-CHL)
diff --git a/debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch b/debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch
new file mode 100644
index 0000000..7fe5415
--- /dev/null
+++ b/debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch
@@ -0,0 +1,99 @@
+From: Stefan Schmidt <stefan at osg.samsung.com>
+Date: Thu, 15 Dec 2016 18:40:14 +0100
+Subject: ieee802154: atusb: do not use the stack for buffers to make them DMA
+ able
+Origin: https://git.kernel.org/linus/05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655
+
+From 4.9 we should really avoid using the stack here as this will not be DMA
+able on various platforms. This changes the buffers already being present in
+time of 4.9 being released. This should go into stable as well.
+
+Reported-by: Dan Carpenter <dan.carpenter at oracle.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: Stefan Schmidt <stefan at osg.samsung.com>
+Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+---
+ drivers/net/ieee802154/atusb.c | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ieee802154/atusb.c b/drivers/net/ieee802154/atusb.c
+index 1253f86..fa3e8c3 100644
+--- a/drivers/net/ieee802154/atusb.c
++++ b/drivers/net/ieee802154/atusb.c
+@@ -117,13 +117,26 @@ static int atusb_read_reg(struct atusb *atusb, uint8_t reg)
+ {
+ struct usb_device *usb_dev = atusb->usb_dev;
+ int ret;
++ uint8_t *buffer;
+ uint8_t value;
+
++ buffer = kmalloc(1, GFP_KERNEL);
++ if (!buffer)
++ return -ENOMEM;
++
+ dev_dbg(&usb_dev->dev, "atusb: reg = 0x%x\n", reg);
+ ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ ATUSB_REG_READ, ATUSB_REQ_FROM_DEV,
+- 0, reg, &value, 1, 1000);
+- return ret >= 0 ? value : ret;
++ 0, reg, buffer, 1, 1000);
++
++ if (ret >= 0) {
++ value = buffer[0];
++ kfree(buffer);
++ return value;
++ } else {
++ kfree(buffer);
++ return ret;
++ }
+ }
+
+ static int atusb_write_subreg(struct atusb *atusb, uint8_t reg, uint8_t mask,
+@@ -608,9 +621,13 @@ static const struct ieee802154_ops atusb_ops = {
+ static int atusb_get_and_show_revision(struct atusb *atusb)
+ {
+ struct usb_device *usb_dev = atusb->usb_dev;
+- unsigned char buffer[3];
++ unsigned char *buffer;
+ int ret;
+
++ buffer = kmalloc(3, GFP_KERNEL);
++ if (!buffer)
++ return -ENOMEM;
++
+ /* Get a couple of the ATMega Firmware values */
+ ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ ATUSB_ID, ATUSB_REQ_FROM_DEV, 0, 0,
+@@ -631,15 +648,20 @@ static int atusb_get_and_show_revision(struct atusb *atusb)
+ dev_info(&usb_dev->dev, "Please update to version 0.2 or newer");
+ }
+
++ kfree(buffer);
+ return ret;
+ }
+
+ static int atusb_get_and_show_build(struct atusb *atusb)
+ {
+ struct usb_device *usb_dev = atusb->usb_dev;
+- char build[ATUSB_BUILD_SIZE + 1];
++ char *build;
+ int ret;
+
++ build = kmalloc(ATUSB_BUILD_SIZE + 1, GFP_KERNEL);
++ if (!build)
++ return -ENOMEM;
++
+ ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ ATUSB_BUILD, ATUSB_REQ_FROM_DEV, 0, 0,
+ build, ATUSB_BUILD_SIZE, 1000);
+@@ -648,6 +670,7 @@ static int atusb_get_and_show_build(struct atusb *atusb)
+ dev_info(&usb_dev->dev, "Firmware: build %s\n", build);
+ }
+
++ kfree(build);
+ return ret;
+ }
+
+--
+2.1.4
+
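Review bot: In the atusb_read_reg hunk of the embedded patch, `if (ret >= 0)` still accepts a zero-length transfer, so `buffer[0]` would be returned as the register value while holding uninitialised kmalloc() memory; this assumes atusb_control_msg() returns the transferred byte count the way usb_control_msg() does, which is not visible here. Treating anything other than a one-byte transfer as an error closes that: `if (ret == 1) ret = buffer[0]; else if (ret >= 0) ret = -EIO;` followed by a single `kfree(buffer); return ret;`, which also removes the duplicated kfree() and the `value` local. The same short-read question applies to the 3-byte and ATUSB_BUILD_SIZE reads in atusb_get_and_show_revision and atusb_get_and_show_build, whose result checks lie outside the hunks shown; `kzalloc()` there would at least keep stale heap bytes out of the dev_info() output.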
diff --git a/debian/patches/series b/debian/patches/series
index 12a3016..65074a9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -98,6 +98,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
bugfix/all/HID-corsair-fix-DMA-buffers-on-stack.patch
+bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git