[linux] 05/18: usb: gadget: f_fs: Fix use-after-free (CVE-2016-7912)
debian-kernel at lists.debian.org
Thu Dec 29 03:44:11 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie
in repository linux.
commit 3a9c496fac115cef29eb8e51068589e178ad720a
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Dec 28 23:04:54 2016 +0000
usb: gadget: f_fs: Fix use-after-free (CVE-2016-7912)
---
debian/changelog | 1 +
.../all/usb-gadget-f_fs-fix-use-after-free.patch | 32 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 34 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 18572da..9c5380c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -492,6 +492,7 @@ linux (3.16.39-1) UNRELEASED; urgency=medium
* sg: Fix double-free when drives detach during SG_IO (CVE-2015-8962)
* perf: Fix race in swevent hash (CVE-2015-8963)
* tty: Prevent ldisc drivers from re-using stale tty fields (CVE-2015-8964)
+ * usb: gadget: f_fs: Fix use-after-free (CVE-2016-7912)
[ Julien Cristau ]
* hwrng: Add chaoskey driver, backported from 4.8 (Closes: #839616)
diff --git a/debian/patches/bugfix/all/usb-gadget-f_fs-fix-use-after-free.patch b/debian/patches/bugfix/all/usb-gadget-f_fs-fix-use-after-free.patch
new file mode 100644
index 0000000..f55c431
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-gadget-f_fs-fix-use-after-free.patch
@@ -0,0 +1,32 @@
+From: Lars-Peter Clausen <lars at metafoo.de>
+Date: Thu, 14 Apr 2016 17:01:17 +0200
+Subject: usb: gadget: f_fs: Fix use-after-free
+Origin: https://git.kernel.org/linus/38740a5b87d53ceb89eb2c970150f6e94e00373a
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-7912
+
+When using asynchronous read or write operations on the USB endpoints the
+issuer of the IO request is notified by calling the ki_complete() callback
+of the submitted kiocb when the URB has been completed.
+
+Calling this ki_complete() callback will free kiocb. Make sure that the
+structure is no longer accessed beyond that point, otherwise undefined
+behaviour might occur.
+
+Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support")
+Cc: <stable at vger.kernel.org> # v3.15+
+Signed-off-by: Lars-Peter Clausen <lars at metafoo.de>
+Signed-off-by: Felipe Balbi <felipe.balbi at linux.intel.com>
+[bwh: Backported to 3.16:
+ - Adjust filename
+ - We only use kiocb::private, not kiocb::ki_flags]
+---
+--- a/drivers/usb/gadget/f_fs.c
++++ b/drivers/usb/gadget/f_fs.c
+@@ -669,7 +669,6 @@ static void ffs_user_copy_worker(struct
+
+ usb_ep_free_request(io_data->ep, io_data->req);
+
+- io_data->kiocb->private = NULL;
+ if (io_data->read)
+ kfree(io_data->iovec);
+ kfree(io_data->buf);
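Review bot: In the f_fs.c hunk for ffs_user_copy_worker(), the context lines do not include the call that completes the kiocb, so a reader cannot confirm from this patch alone that the removed `io_data->kiocb->private = NULL;` was the only access made after the kiocb is freed. The description refers to ki_complete(), while the backport note only says that kiocb::private is used rather than kiocb::ki_flags. Consider extending the "[bwh: Backported to 3.16: ...]" note to name the completion call used in this tree and to state that no other dereference of io_data->kiocb follows it in this function. The remaining kfree(io_data->iovec) and kfree(io_data->buf) lines only touch io_data, so they are unaffected by this point.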
diff --git a/debian/patches/series b/debian/patches/series
index 74d2941..5ad61a3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -660,6 +660,7 @@ features/all/chaoskey/chaoskey-3.16-no-hwrng-quality.patch
bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch
bugfix/all/perf-fix-race-in-swevent-hash.patch
bugfix/all/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fi.patch
+bugfix/all/usb-gadget-f_fs-fix-use-after-free.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git