[linux] 02/02: Input: gtco - fix crash on detecting device without endpoints (CVE-2016-2187)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Apr 28 15:23:08 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit d345dad8c940bf499c4aeb7ef07ca82a8d0676bf
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Apr 28 17:21:17 2016 +0200

    Input: gtco - fix crash on detecting device without endpoints (CVE-2016-2187)
---
 debian/changelog                                   |  2 +
 ...fix-crash-on-detecting-device-without-end.patch | 53 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 56 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 6e20236..ced3c69 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -136,6 +136,8 @@ linux (4.5.2-1) UNRELEASED; urgency=medium
     closes: #822364)
   * [armhf] Disable FB_OMAP2; it is redundant and conflicting with DRM_OMAP
   * [armhf] mm: Enable CMA, DMA_CMA
+  * Input: gtco - fix crash on detecting device without endpoints
+    (CVE-2016-2187)
 
   [ Aurelien Jarno ]
   * [mips*] Emulate unaligned LDXC1 and SDXC1 instructions.
diff --git a/debian/patches/bugfix/all/input-gtco-fix-crash-on-detecting-device-without-end.patch b/debian/patches/bugfix/all/input-gtco-fix-crash-on-detecting-device-without-end.patch
new file mode 100644
index 0000000..8908aff
--- /dev/null
+++ b/debian/patches/bugfix/all/input-gtco-fix-crash-on-detecting-device-without-end.patch
@@ -0,0 +1,53 @@
+From: Vladis Dronov <vdronov at redhat.com>
+Date: Thu, 31 Mar 2016 10:53:42 -0700
+Subject: Input: gtco - fix crash on detecting device without endpoints
+Origin: https://git.kernel.org/linus/162f98dea487206d9ab79fc12ed64700667a894d
+
+The gtco driver expects at least one valid endpoint. If given malicious
+descriptors that specify 0 for the number of endpoints, it will crash in
+the probe function. Ensure there is at least one endpoint on the interface
+before using it.
+
+Also let's fix a minor coding style issue.
+
+The full correct report of this issue can be found in the public
+Red Hat Bugzilla:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1283385
+
+Reported-by: Ralf Spenneberg <ralf at spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov at redhat.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>
+---
+ drivers/input/tablet/gtco.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
+index 3a7f3a4a4396..7c18249d6c8e 100644
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface,
+ 		goto err_free_buf;
+ 	}
+ 
++	/* Sanity check that a device has an endpoint */
++	if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
++		dev_err(&usbinterface->dev,
++			"Invalid number of endpoints\n");
++		error = -EINVAL;
++		goto err_free_urb;
++	}
++
+ 	/*
+ 	 * The endpoint is always altsetting 0, we know this since we know
+ 	 * this device only has one interrupt endpoint
+@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface,
+ 	 * HID report descriptor
+ 	 */
+ 	if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
+-				     HID_DEVICE_TYPE, &hid_desc) != 0){
++				     HID_DEVICE_TYPE, &hid_desc) != 0) {
+ 		dev_err(&usbinterface->dev,
+ 			"Can't retrieve exta USB descriptor to get hid report descriptor length\n");
+ 		error = -EIO;
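
Review bot: The new sanity check in gtco_probe() reads usbinterface->altsetting[0].desc.bNumEndpoints, while the HID descriptor lookup a few lines later goes through usbinterface->cur_altsetting, so the two validations are not tied to the same altsetting structure. The existing comment says the endpoint is always taken from altsetting 0, which covers the endpoint access, but the new comment should say which altsetting is being validated, or the check should be made on the same structure that is dereferenced afterwards. Since the second inner hunk already touches the style of the usb_get_extra_descriptor() call, the "exta" typo in the dev_err string just below it could be corrected in the same pass.
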
diff --git a/debian/patches/series b/debian/patches/series
index cf42d3a..4d0e35c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -133,6 +133,7 @@ bugfix/x86/x86-xen-suppress-hugetlbfs-in-PV-guests.patch
 bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch
 
 # Tools bug fixes
+bugfix/all/input-gtco-fix-crash-on-detecting-device-without-end.patch
 bugfix/all/usbip-document-tcp-wrappers.patch
 bugfix/all/kbuild-fix-recordmcount-dependency.patch
 bugfix/all/usbip-include-uninstalled-linux-usbip-h.patch
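
Review bot: In debian/patches/series the new entry is inserted below the blank line, directly under the "# Tools bug fixes" comment, although it patches drivers/input/tablet/gtco.c, which is a kernel driver and not a tool. Move the line up so that it follows bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch, before the blank line, so the section comment stays accurate for the entries beneath it.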

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


