media: saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
parent
9f89bea8ab
commit
693284da5b
|
@ -26,6 +26,7 @@ linux (4.12.3-1~exp1) UNRELEASED; urgency=medium
|
||||||
[ Salvatore Bonaccorso ]
|
[ Salvatore Bonaccorso ]
|
||||||
* dentry name snapshots (CVE-2017-7533)
|
* dentry name snapshots (CVE-2017-7533)
|
||||||
* ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
|
* ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
|
||||||
|
* media: saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
|
||||||
|
|
||||||
-- Ben Hutchings <ben@decadent.org.uk> Tue, 18 Jul 2017 13:26:41 +0100
|
-- Ben Hutchings <ben@decadent.org.uk> Tue, 18 Jul 2017 13:26:41 +0100
|
||||||
|
|
||||||
|
|
77
debian/patches/bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
vendored
Normal file
|
@ -0,0 +1,77 @@
|
||||||
|
From: Steven Toth <stoth@kernellabs.com>
|
||||||
|
Date: Tue, 6 Jun 2017 09:30:27 -0300
|
||||||
|
Subject: [media] saa7164: fix double fetch PCIe access condition
|
||||||
|
Origin: https://git.kernel.org/linus/6fb05e0dd32e566facb96ea61a48c7488daa5ac3
|
||||||
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8831
|
||||||
|
|
||||||
|
Avoid a double fetch by reusing the values from the prior transfer.
|
||||||
|
|
||||||
|
Originally reported via https://bugzilla.kernel.org/show_bug.cgi?id=195559
|
||||||
|
|
||||||
|
Thanks to Pengfei Wang <wpengfeinudt@gmail.com> for reporting.
|
||||||
|
|
||||||
|
Signed-off-by: Steven Toth <stoth@kernellabs.com>
|
||||||
|
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
|
||||||
|
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
||||||
|
---
|
||||||
|
drivers/media/pci/saa7164/saa7164-bus.c | 13 +------------
|
||||||
|
1 file changed, 1 insertion(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/drivers/media/pci/saa7164/saa7164-bus.c b/drivers/media/pci/saa7164/saa7164-bus.c
|
||||||
|
index b2ff82fa7116..ecfeac5cdbed 100644
|
||||||
|
--- a/drivers/media/pci/saa7164/saa7164-bus.c
|
||||||
|
+++ b/drivers/media/pci/saa7164/saa7164-bus.c
|
||||||
|
@@ -389,11 +389,11 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
|
||||||
|
msg_tmp.size = le16_to_cpu((__force __le16)msg_tmp.size);
|
||||||
|
msg_tmp.command = le32_to_cpu((__force __le32)msg_tmp.command);
|
||||||
|
msg_tmp.controlselector = le16_to_cpu((__force __le16)msg_tmp.controlselector);
|
||||||
|
+ memcpy(msg, &msg_tmp, sizeof(*msg));
|
||||||
|
|
||||||
|
/* No need to update the read positions, because this was a peek */
|
||||||
|
/* If the caller specifically want to peek, return */
|
||||||
|
if (peekonly) {
|
||||||
|
- memcpy(msg, &msg_tmp, sizeof(*msg));
|
||||||
|
goto peekout;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -438,21 +438,15 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
|
||||||
|
space_rem = bus->m_dwSizeGetRing - curr_grp;
|
||||||
|
|
||||||
|
if (space_rem < sizeof(*msg)) {
|
||||||
|
- /* msg wraps around the ring */
|
||||||
|
- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, space_rem);
|
||||||
|
- memcpy_fromio((u8 *)msg + space_rem, bus->m_pdwGetRing,
|
||||||
|
- sizeof(*msg) - space_rem);
|
||||||
|
if (buf)
|
||||||
|
memcpy_fromio(buf, bus->m_pdwGetRing + sizeof(*msg) -
|
||||||
|
space_rem, buf_size);
|
||||||
|
|
||||||
|
} else if (space_rem == sizeof(*msg)) {
|
||||||
|
- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
|
||||||
|
if (buf)
|
||||||
|
memcpy_fromio(buf, bus->m_pdwGetRing, buf_size);
|
||||||
|
} else {
|
||||||
|
/* Additional data wraps around the ring */
|
||||||
|
- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
|
||||||
|
if (buf) {
|
||||||
|
memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp +
|
||||||
|
sizeof(*msg), space_rem - sizeof(*msg));
|
||||||
|
@@ -465,15 +459,10 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
|
||||||
|
|
||||||
|
} else {
|
||||||
|
/* No wrapping */
|
||||||
|
- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
|
||||||
|
if (buf)
|
||||||
|
memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + sizeof(*msg),
|
||||||
|
buf_size);
|
||||||
|
}
|
||||||
|
- /* Convert from little endian to CPU */
|
||||||
|
- msg->size = le16_to_cpu((__force __le16)msg->size);
|
||||||
|
- msg->command = le32_to_cpu((__force __le32)msg->command);
|
||||||
|
- msg->controlselector = le16_to_cpu((__force __le16)msg->controlselector);
|
||||||
|
|
||||||
|
/* Update the read positions, adjusting the ring */
|
||||||
|
saa7164_writel(bus->m_dwGetReadPos, new_grp);
|
||||||
|
--
|
||||||
|
2.11.0
|
||||||
|
|
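Review bot: In the first hunk of saa7164-bus.c, `memcpy(msg, &msg_tmp, sizeof(*msg));` now runs before the `if (peekonly)` test, so the caller's `msg` is overwritten with the device-supplied header on the non-peek path as well. If the code between the first and second hunks (not shown here) validates the response by comparing `msg_tmp` fields against the values the caller placed in `msg`, that comparison is now between two copies of the same data and can never fail, which would silently drop a sanity check on device-controlled input. I would keep the caller's expected values intact until any such check has run, for example by leaving the copy inside `if (peekonly)` and adding a second `memcpy(msg, &msg_tmp, sizeof(*msg));` just before the `buf` reads in the second hunk. saa7164_bus_get() starts and ends outside these hunks, so this needs confirming against the full function.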
|
@ -119,6 +119,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
||||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||||
bugfix/all/dentry-name-snapshots.patch
|
bugfix/all/dentry-name-snapshots.patch
|
||||||
bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
|
bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
|
||||||
|
bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
|
||||||
|
|
||||||
# Fix exported symbol versions
|
# Fix exported symbol versions
|
||||||
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
|
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
|
||||||
|
|