[linux] 02/02: Input: gtco - fix crash on detecting device without endpoints (CVE-2016-2187)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Thu Apr 28 15:23:08 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux.
commit d345dad8c940bf499c4aeb7ef07ca82a8d0676bf
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Thu Apr 28 17:21:17 2016 +0200
Input: gtco - fix crash on detecting device without endpoints (CVE-2016-2187)
---
debian/changelog | 2 +
...fix-crash-on-detecting-device-without-end.patch | 53 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 56 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 6e20236..ced3c69 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -136,6 +136,8 @@ linux (4.5.2-1) UNRELEASED; urgency=medium
closes: #822364)
* [armhf] Disable FB_OMAP2; it is redundant and conflicting with DRM_OMAP
* [armhf] mm: Enable CMA, DMA_CMA
+ * Input: gtco - fix crash on detecting device without endpoints
+ (CVE-2016-2187)
[ Aurelien Jarno ]
* [mips*] Emulate unaligned LDXC1 and SDXC1 instructions.
diff --git a/debian/patches/bugfix/all/input-gtco-fix-crash-on-detecting-device-without-end.patch b/debian/patches/bugfix/all/input-gtco-fix-crash-on-detecting-device-without-end.patch
new file mode 100644
index 0000000..8908aff
--- /dev/null
+++ b/debian/patches/bugfix/all/input-gtco-fix-crash-on-detecting-device-without-end.patch
@@ -0,0 +1,53 @@
+From: Vladis Dronov <vdronov at redhat.com>
+Date: Thu, 31 Mar 2016 10:53:42 -0700
+Subject: Input: gtco - fix crash on detecting device without endpoints
+Origin: https://git.kernel.org/linus/162f98dea487206d9ab79fc12ed64700667a894d
+
+The gtco driver expects at least one valid endpoint. If given malicious
+descriptors that specify 0 for the number of endpoints, it will crash in
+the probe function. Ensure there is at least one endpoint on the interface
+before using it.
+
+Also let's fix a minor coding style issue.
+
+The full correct report of this issue can be found in the public
+Red Hat Bugzilla:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1283385
+
+Reported-by: Ralf Spenneberg <ralf at spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov at redhat.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>
+---
+ drivers/input/tablet/gtco.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
+index 3a7f3a4a4396..7c18249d6c8e 100644
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface,
+ goto err_free_buf;
+ }
+
++ /* Sanity check that a device has an endpoint */
++ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
++ dev_err(&usbinterface->dev,
++ "Invalid number of endpoints\n");
++ error = -EINVAL;
++ goto err_free_urb;
++ }
++
+ /*
+ * The endpoint is always altsetting 0, we know this since we know
+ * this device only has one interrupt endpoint
+@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface,
+ * HID report descriptor
+ */
+ if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
+- HID_DEVICE_TYPE, &hid_desc) != 0){
++ HID_DEVICE_TYPE, &hid_desc) != 0) {
+ dev_err(&usbinterface->dev,
+ "Can't retrieve exta USB descriptor to get hid report descriptor length\n");
+ error = -EIO;
diff --git a/debian/patches/series b/debian/patches/series
index cf42d3a..4d0e35c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -133,6 +133,7 @@ bugfix/x86/x86-xen-suppress-hugetlbfs-in-PV-guests.patch
bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch
# Tools bug fixes
+bugfix/all/input-gtco-fix-crash-on-detecting-device-without-end.patch
bugfix/all/usbip-document-tcp-wrappers.patch
bugfix/all/kbuild-fix-recordmcount-dependency.patch
bugfix/all/usbip-include-uninstalled-linux-usbip-h.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list