Bug 1057481 - (CVE-2017-9725) VUL-0: CVE-2017-9725: kernel-source: Incorrect type conversion for size during dma allocation
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Minor
Assigned To: Security Team bot
Reported: 2017-09-06 20:27 UTC by Marcus Meissner
Modified: 2017-12-18 13:04 UTC (History)
Found By: Security Response Team


Description Marcus Meissner 2017-09-06 20:27:23 UTC

An incorrect type conversion of a size during dma allocation was found.


Comment 1 Marcus Meissner 2017-09-06 20:31:07 UTC
mainline git commit is 67a2e213e7e937c41c52ab5bc46bf3f4de469f6e

The fix is in v4.4 on mainline according to git tag --contains
Comment 2 Marcus Meissner 2017-09-06 20:50:59 UTC
continuous dma allocator was added in 3.10.
Comment 3 Marcus Meissner 2017-09-06 20:54:13 UTC
So I would currently guess only 3.12 affected, SLES 12 GA and SP1.
Comment 4 Takashi Iwai 2017-09-07 10:09:43 UTC
The patch would break kABI, so it's not straightforward to apply it.
And, CONFIG_CMA is enabled only for ppc64le, so it's at most only on that.

The issue seems to be triggered by passing over-32bit size argument to the allocator, and the ion driver doesn't exist on SLE12-SP0/SP1.
So, unless we have such a caller (except for ion driver), it should be OK as is, I guess.

Adding Vlastimil to Cc for more auditing.
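
Comment 4 attributes the trigger to an over-32-bit size reaching the allocator. The C program below is an added illustration, not code from the kernel or from this bug report: it models the allocator's page count as a 32-bit `int` (an assumption), and `alloc_narrow`, `alloc_wide`, `PAGE_SHIFT` and `REGION_PAGES` are hypothetical names with constructed values.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                 /* assumption: 4 KiB pages */
#define REGION_PAGES (1ULL << 18)     /* constructed: 1 GiB contiguous region */

/* Caller side: round a byte size from a request up to whole pages. */
static uint64_t bytes_to_pages(uint64_t size)
{
    uint64_t mask = (1ULL << PAGE_SHIFT) - 1;
    return (size >> PAGE_SHIFT) + ((size & mask) != 0);
}

/* Hypothetical allocator taking a 32-bit signed page count (the narrow type).
 * Returns the number of pages it would reserve, or -1 on failure. */
static int64_t alloc_narrow(int count)
{
    if (count <= 0 || (uint64_t)count > REGION_PAGES)
        return -1;
    return count;
}

/* Same allocator with the count kept 64 bits wide from caller to callee. */
static int64_t alloc_wide(uint64_t count)
{
    if (count == 0 || count > REGION_PAGES)
        return -1;
    return (int64_t)count;
}

/* The count is narrowed at the call boundary; gcc and clang keep the low 32 bits. */
static int64_t request_narrow(uint64_t size)
{
    return alloc_narrow((int)bytes_to_pages(size));
}

static int64_t request_wide(uint64_t size)
{
    return alloc_wide(bytes_to_pages(size));
}

int main(void)
{
    /* constructed request: 16 TiB + 4 KiB, i.e. 2^32 + 1 pages */
    uint64_t size = (1ULL << 44) + (1ULL << PAGE_SHIFT);
    printf("pages wanted: %llu\n", (unsigned long long)bytes_to_pages(size));
    printf("narrow count: %lld page(s) reserved\n", (long long)request_narrow(size));
    printf("wide count:   %lld (request rejected)\n", (long long)request_wide(size));
    return 0;
}
```

The narrow variant reports success for a single page while the caller still works with a count of 2^32 + 1 pages; the wide variant fails the same request.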
Comment 5 Vlastimil Babka 2017-09-08 13:50:29 UTC
dma_alloc_from_contiguous() is behind CONFIG_DMA_CMA, which we don't enable.
cma_alloc() didn't appear until 3.17.
The core CMA function alloc_contig_range() is unaffected.
So we are safe even without applying the patch.
Comment 6 Marcus Meissner 2017-09-08 14:10:56 UTC
I see
config/arm64/default:CONFIG_DMA_CMA=y
in 12-sp2 and 12-sp3
Comment 7 Vlastimil Babka 2017-09-08 14:16:32 UTC
(In reply to Marcus Meissner from comment #6)
> I see
> config/arm64/default:CONFIG_DMA_CMA=y
> in 12-sp2 and 12-sp3

Those are 4.4, thus fixed since the beginning.
Comment 8 Marcus Meissner 2017-09-08 14:25:43 UTC
seems we can close it?
Comment 9 Vlastimil Babka 2017-09-11 07:01:39 UTC
(In reply to Marcus Meissner from comment #8)
> seems we can close it?

If you're asking me, then yes.
Comment 10 Takashi Iwai 2017-10-05 13:47:43 UTC
Reassigned back to security team.
Comment 11 Marcus Meissner 2017-12-18 13:04:44 UTC