[linux] 02/02: usbnet: Fix possible memory corruption after probe failure (CVE-2016-3951)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sat Apr 30 18:19:52 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit 7ce6744a6b08800de3932018c271bf247d5c1eed
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Apr 30 20:18:52 2016 +0200

    usbnet: Fix possible memory corruption after probe failure (CVE-2016-3951)
---
 debian/changelog                                   |  3 +
 ...not-call-usbnet_link_change-from-cdc_ncm_.patch | 81 ++++++++++++++++++++++
 .../all/usbnet-cleanup-after-bind-in-probe.patch   | 36 ++++++++++
 debian/patches/series                              |  2 +
 4 files changed, 122 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 7e67846..9712cfe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,9 @@ linux (3.16.7-ckt25-2+deb8u1) UNRELEASED; urgency=medium
     (CVE-2016-3156)
   * [x86] standardize mmap_rnd() usage
   * [x86] mm/32: Enable full randomization on i386 and X86_32 (CVE-2016-3672)
+  * usbnet: Fix possible memory corruption after probe failure (CVE-2016-3951)
+    - cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
+    - usbnet: cleanup after bind() in probe()
 
   [ Salvatore Bonaccorso ]
   * [x86] USB: usbip: fix potential out-of-bounds write (CVE-2016-3955)
diff --git a/debian/patches/bugfix/all/cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch b/debian/patches/bugfix/all/cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch
new file mode 100644
index 0000000..0050b2a
--- /dev/null
+++ b/debian/patches/bugfix/all/cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch
@@ -0,0 +1,81 @@
+From: Bjørn Mork <bjorn at mork.no>
+Date: Mon, 7 Mar 2016 21:15:36 +0100
+Subject: cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
+Origin: https://git.kernel.org/linus/4d06dd537f95683aba3651098ae288b7cbff8274
+
+usbnet_link_change will call schedule_work and should be
+avoided if bind is failing. Otherwise we will end up with
+scheduled work referring to a netdev which has gone away.
+
+Instead of making the call conditional, we can just defer
+it to usbnet_probe, using the driver_info flag made for
+this purpose.
+
+Fixes: 8a34b0ae8778 ("usbnet: cdc_ncm: apply usbnet_link_change")
+Reported-by: Andrey Konovalov <andreyknvl at gmail.com>
+Suggested-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Bjørn Mork <bjorn at mork.no>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[ luis: backported to 3.16:
+  - cdc_ncm_bind_common() takes only 3 args in 3.16
+  - adjusted context ]
+Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
+---
+ drivers/net/usb/cdc_ncm.c | 21 +++++----------------
+ 1 file changed, 5 insertions(+), 16 deletions(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -944,23 +944,11 @@ EXPORT_SYMBOL_GPL(cdc_ncm_select_altsett
+ 
+ static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+-	int ret;
+-
+ 	/* MBIM backwards compatible function? */
+ 	if (cdc_ncm_select_altsetting(intf) != CDC_NCM_COMM_ALTSETTING_NCM)
+ 		return -ENODEV;
+ 
+-	/* The NCM data altsetting is fixed */
+-	ret = cdc_ncm_bind_common(dev, intf, CDC_NCM_DATA_ALTSETTING_NCM);
+-
+-	/*
+-	 * We should get an event when network connection is "connected" or
+-	 * "disconnected". Set network connection in "disconnected" state
+-	 * (carrier is OFF) during attach, so the IP network stack does not
+-	 * start IPv6 negotiation and more.
+-	 */
+-	usbnet_link_change(dev, 0, 0);
+-	return ret;
++	return cdc_ncm_bind_common(dev, intf, CDC_NCM_DATA_ALTSETTING_NCM);
+ }
+ 
+ static void cdc_ncm_align_tail(struct sk_buff *skb, size_t modulus, size_t remainder, size_t max)
+@@ -1502,7 +1490,8 @@ static void cdc_ncm_status(struct usbnet
+ 
+ static const struct driver_info cdc_ncm_info = {
+ 	.description = "CDC NCM",
+-	.flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET,
++	.flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
++			| FLAG_LINK_INTR,
+ 	.bind = cdc_ncm_bind,
+ 	.unbind = cdc_ncm_unbind,
+ 	.manage_power = usbnet_manage_power,
+@@ -1515,7 +1504,7 @@ static const struct driver_info cdc_ncm_
+ static const struct driver_info wwan_info = {
+ 	.description = "Mobile Broadband Network Device",
+ 	.flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
+-			| FLAG_WWAN,
++			| FLAG_LINK_INTR | FLAG_WWAN,
+ 	.bind = cdc_ncm_bind,
+ 	.unbind = cdc_ncm_unbind,
+ 	.manage_power = usbnet_manage_power,
+@@ -1528,7 +1517,7 @@ static const struct driver_info wwan_inf
+ static const struct driver_info wwan_noarp_info = {
+ 	.description = "Mobile Broadband Network Device (NO ARP)",
+ 	.flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
+-			| FLAG_WWAN | FLAG_NOARP,
++			| FLAG_LINK_INTR | FLAG_WWAN | FLAG_NOARP,
+ 	.bind = cdc_ncm_bind,
+ 	.unbind = cdc_ncm_unbind,
+ 	.manage_power = usbnet_manage_power,
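Review bot: The rationale that was in the deleted comment block (carrier starts OFF during attach so the IP stack does not begin IPv6 negotiation) disappears together with the `usbnet_link_change()` call, and nothing on the new `return cdc_ncm_bind_common(dev, intf, CDC_NCM_DATA_ALTSETTING_NCM);` line or on the three `.flags` initializers records that this is now delegated to usbnet via FLAG_LINK_INTR. I would put a two-line comment above the return: `/* Initial carrier-off state is set by usbnet_probe via FLAG_LINK_INTR; calling usbnet_link_change() here would queue work against a netdev that is freed if bind fails. */`. The correctness of the change depends on every driver_info that uses `cdc_ncm_bind` carrying FLAG_LINK_INTR; the hunk updates the three shown (cdc_ncm_info, wwan_info, wwan_noarp_info), and whether any other user of cdc_ncm_bind exists cannot be seen from here. The `cdc_ncm_status` and altsetting context lines at the hunk headers belong to functions that lie outside the quoted hunks.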
diff --git a/debian/patches/bugfix/all/usbnet-cleanup-after-bind-in-probe.patch b/debian/patches/bugfix/all/usbnet-cleanup-after-bind-in-probe.patch
new file mode 100644
index 0000000..68a6a99
--- /dev/null
+++ b/debian/patches/bugfix/all/usbnet-cleanup-after-bind-in-probe.patch
@@ -0,0 +1,36 @@
+From: Oliver Neukum <oneukum at suse.com>
+Date: Mon, 7 Mar 2016 11:31:10 +0100
+Subject: usbnet: cleanup after bind() in probe()
+
+commit 1666984c8625b3db19a9abc298931d35ab7bc64b upstream.
+
+In case bind() works, but a later error forces bailing
+in probe() in error cases work and a timer may be scheduled.
+They must be killed. This fixes an error case related to
+the double free reported in
+http://www.spinics.net/lists/netdev/msg367669.html
+and needs to go on top of Linus' fix to cdc-ncm.
+
+Signed-off-by: Oliver Neukum <ONeukum at suse.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/net/usb/usbnet.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1729,6 +1729,13 @@ out3:
+ 	if (info->unbind)
+ 		info->unbind (dev, udev);
+ out1:
++	/* subdrivers must undo all they did in bind() if they
++	 * fail it, but we may fail later and a deferred kevent
++	 * may trigger an error resubmitting itself and, worse,
++	 * schedule a timer. So we kill it all just in case.
++	 */
++	cancel_work_sync(&dev->kevent);
++	del_timer_sync(&dev->delay);
+ 	free_netdev(net);
+ out:
+ 	return status;
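Review bot: The two cancel calls added under `out1:` are order-dependent and rely on `dev->kevent` and `dev->delay` having been initialised before every path that jumps to this label, but the added comment states neither; the start of usbnet_probe, where INIT_WORK/init_timer presumably live, is outside the hunk, so I cannot confirm that no `goto out1` precedes them. The commit message says a deferred kevent can schedule the timer, which is exactly why `cancel_work_sync(&dev->kevent)` must run before `del_timer_sync(&dev->delay)`, otherwise the work can re-arm a timer that was just deleted; I would end the comment with `* Cancel the work first: kevent may (re)arm dev->delay.` so a later reordering is caught in review. Whether the `dev->bh` tasklet also needs to be killed on this path is not determinable from the hunk and is worth a check against the rest of the function.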
diff --git a/debian/patches/series b/debian/patches/series
index e11de3d..c0affbc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -670,3 +670,5 @@ bugfix/all/netfilter-x_tables-fix-unconditional-helper.patch
 bugfix/all/ipv4-don-t-do-expensive-useless-work-during-inetdev-.patch
 bugfix/x86/x86-standardize-mmap_rnd-usage.patch
 bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_32.patch
+bugfix/all/cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch
+bugfix/all/usbnet-cleanup-after-bind-in-probe.patch
