[linux] 02/03: USB: whiteheat: fix potential null-deref at probe (CVE-2015-5257)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Fri Sep 25 23:22:14 UTC 2015
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch master
in repository linux.
commit 9f0e754c6097e22982a20cce7d55d8cb090cd960
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Fri Sep 25 17:46:08 2015 +0100
USB: whiteheat: fix potential null-deref at probe (CVE-2015-5257)
---
debian/changelog | 1 +
...iteheat-fix-potential-null-deref-at-probe.patch | 79 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 81 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 3d01702..a52a79b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -25,6 +25,7 @@ linux (4.2.1-1) UNRELEASED; urgency=medium
upstream commit 4e93b9a6abc0 ("mmc: card: Don't access RPMB partitions for
normal read/write") looks like a cleaner solution
* mm: Change ZBUD back to built-in, as it's not really useful as a module
+ * USB: whiteheat: fix potential null-deref at probe (CVE-2015-5257)
[ Aurelien Jarno ]
* [mips*el] Fix BPF assembly code for pre-R2 CPUs. (fixes FTBFS)
diff --git a/debian/patches/bugfix/all/usb-whiteheat-fix-potential-null-deref-at-probe.patch b/debian/patches/bugfix/all/usb-whiteheat-fix-potential-null-deref-at-probe.patch
new file mode 100644
index 0000000..4380958
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-whiteheat-fix-potential-null-deref-at-probe.patch
@@ -0,0 +1,79 @@
+From: Johan Hovold <johan at kernel.org>
+Date: Wed, 23 Sep 2015 11:41:42 -0700
+Subject: USB: whiteheat: fix potential null-deref at probe
+Origin: https://git.kernel.org/cgit/linux/kernel/git/gregkh/usb.git/commit?id=cbb4be652d374f64661137756b8f357a1827d6a4
+
+Fix potential null-pointer dereference at probe by making sure that the
+required endpoints are present.
+
+The whiteheat driver assumes there are at least five pairs of bulk
+endpoints, of which the final pair is used for the "command port". An
+attempt to bind to an interface with fewer bulk endpoints would
+currently lead to an oops.
+
+Fixes CVE-2015-5257.
+
+Reported-by: Moein Ghasemzadeh <moein at istuary.com>
+Cc: stable <stable at vger.kernel.org>
+Signed-off-by: Johan Hovold <johan at kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/usb/serial/whiteheat.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
+index 6c3734d..d3ea90b 100644
+--- a/drivers/usb/serial/whiteheat.c
++++ b/drivers/usb/serial/whiteheat.c
+@@ -80,6 +80,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial,
+ static int whiteheat_firmware_attach(struct usb_serial *serial);
+
+ /* function prototypes for the Connect Tech WhiteHEAT serial converter */
++static int whiteheat_probe(struct usb_serial *serial,
++ const struct usb_device_id *id);
+ static int whiteheat_attach(struct usb_serial *serial);
+ static void whiteheat_release(struct usb_serial *serial);
+ static int whiteheat_port_probe(struct usb_serial_port *port);
+@@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = {
+ .description = "Connect Tech - WhiteHEAT",
+ .id_table = id_table_std,
+ .num_ports = 4,
++ .probe = whiteheat_probe,
+ .attach = whiteheat_attach,
+ .release = whiteheat_release,
+ .port_probe = whiteheat_port_probe,
+@@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial)
+ /*****************************************************************************
+ * Connect Tech's White Heat serial driver functions
+ *****************************************************************************/
++
++static int whiteheat_probe(struct usb_serial *serial,
++ const struct usb_device_id *id)
++{
++ struct usb_host_interface *iface_desc;
++ struct usb_endpoint_descriptor *endpoint;
++ size_t num_bulk_in = 0;
++ size_t num_bulk_out = 0;
++ size_t min_num_bulk;
++ unsigned int i;
++
++ iface_desc = serial->interface->cur_altsetting;
++
++ for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
++ endpoint = &iface_desc->endpoint[i].desc;
++ if (usb_endpoint_is_bulk_in(endpoint))
++ ++num_bulk_in;
++ if (usb_endpoint_is_bulk_out(endpoint))
++ ++num_bulk_out;
++ }
++
++ min_num_bulk = COMMAND_PORT + 1;
++ if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk)
++ return -ENODEV;
++
++ return 0;
++}
++
+ static int whiteheat_attach(struct usb_serial *serial)
+ {
+ struct usb_serial_port *command_port;
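Review bot: The rejection path in `whiteheat_probe` returns `-ENODEV` without logging anything, so a device that matches the WhiteHEAT ID table but exposes fewer than `COMMAND_PORT + 1` bulk-in or bulk-out endpoints is refused with no trace in the kernel log. Such a descriptor set means either faulty hardware or a deliberately malformed device, so I would brace the `if` and add `dev_err(&serial->interface->dev, "required endpoints missing\n");` before the return, giving operators something to alert on. The `min_num_bulk = COMMAND_PORT + 1;` line also deserves a short comment such as `/* the command port is the last bulk pair, at index COMMAND_PORT */`, which the commit message explains but the code does not. The body of `whiteheat_attach` continues outside the hunk, so the dereference this check guards is not visible here and is taken from the patch description.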
diff --git a/debian/patches/series b/debian/patches/series
index 7fc7522..d65aad0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -95,3 +95,4 @@ bugfix/all/dcache-reduce-the-scope-of-i_lock-in-d_splice_alias.patch
bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-f.patch
bugfix/all/rds-verify-the-underlying-transport-exists-before-cr.patch
bugfix/all/e1000e-fix-tight-loop-implementation-of-systime-read.patch
+bugfix/all/usb-whiteheat-fix-potential-null-deref-at-probe.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git