Bug 1057481 - (CVE-2017-9725) VUL-0: CVE-2017-9725: kernel-source: Incorrect type conversion for size during dma allocation
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/191519/
CVSSv2:SUSE:CVE-2017-9725:2.1:(AV:L/A...
Reported: 2017-09-06 20:27 UTC by Marcus Meissner
Modified: 2017-12-18 13:04 UTC

Found By: Security Response Team
Description Marcus Meissner 2017-09-06 20:27:23 UTC
rh#1489088

An incorrect type conversion of a size during dma allocation was found.

Patch:

https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?h=aosp/android-4.4&id=1f8f9b566e8446c13b954220c226c58d22076f88
Comment 1 Marcus Meissner 2017-09-06 20:31:07 UTC
mainline git commit is 67a2e213e7e937c41c52ab5bc46bf3f4de469f6e

The fix is in v4.4 on mainline according to git tag --contains
Comment 2 Marcus Meissner 2017-09-06 20:50:59 UTC
continuous dma allocator was added in 3.10.
Comment 3 Marcus Meissner 2017-09-06 20:54:13 UTC
So I would currently guess only 3.12 affected, SLES 12 GA and SP1.
Comment 4 Takashi Iwai 2017-09-07 10:09:43 UTC
The patch would break kABI, so it's not straightforward to apply it.
And, CONFIG_CMA is enabled only for ppc64le, so it's at most only on that.

The issue seems to be triggered by passing an over-32-bit size argument to the allocator, and the ion driver doesn't exist on SLE12-SP0/SP1.
So, unless we have such a caller (except for ion driver), it should be OK as is, I guess.

Adding Vlastimil to Cc for more auditing.
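The narrowing that comment 4 describes, shown as an added C example that is not from this thread or from the kernel patch. It assumes a 64-bit size_t, a 4 KiB page, and (as the bug title implies) that the pre-fix allocator took its page count as an int while the caller computed it from a size_t byte count; the function names are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed page size: 4 KiB, so count = size >> 12. */
#define DEMO_PAGE_SHIFT 12

/* Pre-fix shape: the caller derives a size_t page count, but the allocator
 * parameter is int, so the value is narrowed on the call. For counts above
 * INT_MAX (size >= 2^43 bytes here) the result wraps (gcc: modulo 2^32),
 * giving a negative or far too small count. */
static int count_as_int_before_fix(size_t size)
{
    size_t count = size >> DEMO_PAGE_SHIFT;
    return (int)count; /* the implicit int conversion the fix removed */
}

/* Post-fix shape: the count stays size_t end to end, nothing is lost. */
static size_t count_as_size_t_after_fix(size_t size)
{
    return size >> DEMO_PAGE_SHIFT;
}

/* Defensive check for a caller that must still hand a size to an API with
 * an int count: reject any size whose page count does not fit in int. */
static bool size_fits_int_count(size_t size)
{
    return (size >> DEMO_PAGE_SHIFT) <= (size_t)INT_MAX;
}

/* True when the narrowing changed what the allocator would see. */
static bool truncation_changes_count(size_t size)
{
    int narrow = count_as_int_before_fix(size);
    size_t wide = count_as_size_t_after_fix(size);
    return narrow < 0 || (size_t)narrow != wide;
}

int main(void)
{
    /* Constructed inputs: 1 MiB (sane), 2^43 and 2^44 bytes (over-32-bit counts). */
    size_t sizes[] = { (size_t)1 << 20, (size_t)1 << 43, (size_t)1 << 44 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("size=%zu int-count=%d size_t-count=%zu changed=%d fits=%d\n",
               sizes[i], count_as_int_before_fix(sizes[i]),
               count_as_size_t_after_fix(sizes[i]),
               truncation_changes_count(sizes[i]), size_fits_int_count(sizes[i]));
    return 0;
}
```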
Comment 5 Vlastimil Babka 2017-09-08 13:50:29 UTC
dma_alloc_from_contiguous() is behind CONFIG_DMA_CMA, which we don't enable.
cma_alloc() didn't appear until 3.17.
The core CMA function alloc_contig_range() is unaffected.
So we are safe even without applying the patch.
Comment 6 Marcus Meissner 2017-09-08 14:10:56 UTC
i see

config/arm64/default:CONFIG_DMA_CMA=y

in 12-sp2 and 12-sp3
Comment 7 Vlastimil Babka 2017-09-08 14:16:32 UTC
(In reply to Marcus Meissner from comment #6)
> i see
> 
> config/arm64/default:CONFIG_DMA_CMA=y
> 
> in 12-sp2 and 12-sp3

Those are 4.4, thus fixed since the beginning.
Comment 8 Marcus Meissner 2017-09-08 14:25:43 UTC
seems we can close it?
Comment 9 Vlastimil Babka 2017-09-11 07:01:39 UTC
(In reply to Marcus Meissner from comment #8)
> seems we can close it?

If you're asking me, then yes.
Comment 10 Takashi Iwai 2017-10-05 13:47:43 UTC
Reassigned back to security team.
Comment 11 Marcus Meissner 2017-12-18 13:04:44 UTC
fixed