[linux] 02/02: Add fix for CVE-2016-3951

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sat Apr 30 17:57:41 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit 391b1e591749730c56c464f90ea5ed7a37164bc2
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Apr 30 19:44:25 2016 +0200

    Add fix for CVE-2016-3951
---
 debian/changelog                                   |  1 +
 .../all/usbnet-cleanup-after-bind-in-probe.patch   | 35 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 37 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 7069151..99648b6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,7 @@ linux (3.2.78-1+deb7u1) UNRELEASED; urgency=medium
   * [amd64] iopl: Properly context-switch IOPL on Xen PV (CVE-2016-3157)
   * [x86] standardize mmap_rnd() usage
   * [x86] mm/32: Enable full randomization on i386 and X86_32 (CVE-2016-3672)
+  * usbnet: cleanup after bind() in probe() (CVE-2016-3951)
 
   [ Salvatore Bonaccorso ]
   * [x86] USB: usbip: fix potential out-of-bounds write (CVE-2016-3955)
diff --git a/debian/patches/bugfix/all/usbnet-cleanup-after-bind-in-probe.patch b/debian/patches/bugfix/all/usbnet-cleanup-after-bind-in-probe.patch
new file mode 100644
index 0000000..d6c69f1
--- /dev/null
+++ b/debian/patches/bugfix/all/usbnet-cleanup-after-bind-in-probe.patch
@@ -0,0 +1,35 @@
+From: Oliver Neukum <oneukum at suse.com>
+Date: Mon, 7 Mar 2016 11:31:10 +0100
+Subject: usbnet: cleanup after bind() in probe()
+Origin: https://git.kernel.org/linus/1666984c8625b3db19a9abc298931d35ab7bc64b
+
+In case bind() works, but a later error forces bailing
+in probe() in error cases work and a timer may be scheduled.
+They must be killed. This fixes an error case related to
+the double free reported in
+http://www.spinics.net/lists/netdev/msg367669.html
+and needs to go on top of Linus' fix to cdc-ncm.
+
+Signed-off-by: Oliver Neukum <ONeukum at suse.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/net/usb/usbnet.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1486,6 +1486,13 @@ out3:
+ 	if (info->unbind)
+ 		info->unbind (dev, udev);
+ out1:
++	/* subdrivers must undo all they did in bind() if they
++	 * fail it, but we may fail later and a deferred kevent
++	 * may trigger an error resubmitting itself and, worse,
++	 * schedule a timer. So we kill it all just in case.
++	 */
++	cancel_work_sync(&dev->kevent);
++	del_timer_sync(&dev->delay);
+ 	free_netdev(net);
+ out:
+ 	usb_put_dev(xdev);
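Review bot: at `out1` the two new calls run on every failure path that reaches that label, not only the ones taken after bind() has succeeded, so `cancel_work_sync(&dev->kevent)` and `del_timer_sync(&dev->delay)` need both objects to be initialised before the first `goto out1` in the 3.2 tree. The hunk does not show where they are set up, so this is worth confirming for the backport. Separately, the comment says a kevent may schedule the timer, which matches cancelling the work first, but the hunk does not show what the `dev->delay` handler does; please confirm it cannot queue further deferred work between `del_timer_sync()` and `free_netdev(net)`.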
diff --git a/debian/patches/series b/debian/patches/series
index 9810527..91cff17 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1176,3 +1176,4 @@ bugfix/x86/x86-iopl-64-properly-context-switch-iopl-on-xen-pv.patch
 bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch
 bugfix/x86/x86-standardize-mmap_rnd-usage.patch
 bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_32.patch
+bugfix/all/usbnet-cleanup-after-bind-in-probe.patch
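Review bot: the new entry at the end of the series depends on ordering that is not visible here. The patch description says it "needs to go on top of Linus' fix to cdc-ncm", and none of the three context lines above it is a cdc-ncm patch. Please confirm that fix is already present earlier in the series or in the 3.2.78 base, and if not, add it before this line.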

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


