[linux] 01/01: Add some security fixes

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Jan 14 23:39:53 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit 18e70e2c53ad469c01d7b99a33a84b54abfb3fed
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Jan 14 23:39:40 2016 +0000

    Add some security fixes
---
 debian/changelog                                   |  3 ++
 ...unsafe-ldisc-reference-via-ioctl-tiocgetd.patch | 63 ++++++++++++++++++++++
 ...sh-on-detecting-device-without-write_urbs.patch | 31 +++++++++++
 debian/patches/series                              |  2 +
 4 files changed, 99 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 2c26c5e..34aeed5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,9 @@ linux (4.3.3-6) UNRELEASED; urgency=medium
   * linux-image-dbg: Include debugging symbols for VDSOs
   * [armel/kirkwood] power/reset: Re-enable POWER_RESET, POWER_RESET_GPIO
     (regression in 3.17~rc5-1~exp1)
+  * usb: serial: visor: fix crash on detecting device without write_urbs
+    (CVE-2015-7566)
+  * tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) (CVE-2016-0723)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Fri, 08 Jan 2016 12:08:13 +0000
 
diff --git a/debian/patches/bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch b/debian/patches/bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
new file mode 100644
index 0000000..02fe5e7
--- /dev/null
+++ b/debian/patches/bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
@@ -0,0 +1,63 @@
+From: Peter Hurley <peter at hurleysoftware.com>
+Subject: tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
+Date: Sun, 10 Jan 2016 22:40:55 -0800
+Origin: http://article.gmane.org/gmane.linux.kernel/2123249
+
+ioctl(TIOCGETD) retrieves the line discipline id directly from the
+ldisc because the line discipline id (c_line) in termios is untrustworthy;
+userspace may have set termios via ioctl(TCSETS*) without actually
+changing the line discipline via ioctl(TIOCSETD).
+
+However, directly accessing the current ldisc via tty->ldisc is
+unsafe; the ldisc ptr dereferenced may be stale if the line discipline
+is changing via ioctl(TIOCSETD) or hangup.
+
+Wait for the line discipline reference (just like read() or write())
+to retrieve the "current" line discipline id.
+
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Peter Hurley <peter at hurleysoftware.com>
+---
+ drivers/tty/tty_io.c | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2654,6 +2654,28 @@ static int tiocsetd(struct tty_struct *t
+ }
+ 
+ /**
++ *	tiocgetd	-	get line discipline
++ *	@tty: tty device
++ *	@p: pointer to user data
++ *
++ *	Retrieves the line discipline id directly from the ldisc.
++ *
++ *	Locking: waits for ldisc reference (in case the line discipline
++ *		is changing or the tty is being hungup)
++ */
++
++static int tiocgetd(struct tty_struct *tty, int __user *p)
++{
++	struct tty_ldisc *ld;
++	int ret;
++
++	ld = tty_ldisc_ref_wait(tty);
++	ret = put_user(ld->ops->num, p);
++	tty_ldisc_deref(ld);
++	return ret;
++}
++
++/**
+  *	send_break	-	performed time break
+  *	@tty: device to break on
+  *	@duration: timeout in mS
+@@ -2879,7 +2901,7 @@ long tty_ioctl(struct file *file, unsign
+ 	case TIOCGSID:
+ 		return tiocgsid(tty, real_tty, p);
+ 	case TIOCGETD:
+-		return put_user(tty->ldisc->ops->num, (int __user *)p);
++		return tiocgetd(tty, p);
+ 	case TIOCSETD:
+ 		return tiocsetd(tty, p);
+ 	case TIOCVHANGUP:
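Review bot: In the new tiocgetd(), the pointer returned by tty_ldisc_ref_wait(tty) is dereferenced immediately in put_user(ld->ops->num, p) with no NULL check, even though the kernel-doc above it says the wait covers the tty being hung up. If tty_ldisc_ref_wait() can return NULL in that case, the stale-pointer race becomes a NULL dereference; either add a check such as `if (!ld) return -EIO;` before the put_user(), or state in the Locking comment that the returned reference is always valid. Separately, the Origin: field points at a list posting rather than an upstream commit, so the patch header should be refreshed once the fix is merged upstream.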
diff --git a/debian/patches/bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch b/debian/patches/bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch
new file mode 100644
index 0000000..4b6a5d6
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch
@@ -0,0 +1,31 @@
+From: Vladis Dronov <vdronov at redhat.com>
+Subject: usb: serial: visor: fix crash on detecting device without write_urbs
+Date: Tue, 12 Jan 2016 15:10:50 +0100
+Origin: http://article.gmane.org/gmane.linux.usb.general/136045
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1296466
+
+The visor driver crashes in clie_5_attach() when a specially crafted USB
+device without bulk-out endpoint is detected. This fix adds a check that
+the device has proper configuration expected by the driver.
+
+Reported-by: Ralf Spenneberg <ralf at spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov at redhat.com>
+---
+ drivers/usb/serial/visor.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/visor.c
++++ b/drivers/usb/serial/visor.c
+@@ -597,8 +597,10 @@ static int clie_5_attach(struct usb_seri
+ 	 */
+ 
+ 	/* some sanity check */
+-	if (serial->num_ports < 2)
+-		return -1;
++	if (serial->num_bulk_out < 2) {
++		dev_err(&serial->interface->dev, "missing bulk out endpoints\n");
++		return -ENODEV;
++	}
+ 
+ 	/* port 0 now uses the modified endpoint Address */
+ 	port = serial->port[0];
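Review bot: The sanity check in clie_5_attach() replaces `serial->num_ports < 2` with `serial->num_bulk_out < 2` instead of testing both, so the port count is no longer validated here while the code directly below still indexes serial->port[0]. Please confirm that two bulk-out endpoints always imply at least two ports for this driver, or keep the old condition alongside the new one (`serial->num_ports < 2 || serial->num_bulk_out < 2`). The patch subject talks about missing write_urbs while the check is on the endpoint count; a short comment above the test tying the two together would help the next reader.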
diff --git a/debian/patches/series b/debian/patches/series
index 4cb278c..d15fc0b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -134,3 +134,5 @@ bugfix/x86/drm-i915-don-t-compare-has_drrs-strictly-in-pipe-con.patch
 bugfix/arm/crypto-sun4i-ss-add-missing-statesize.patch
 bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch
 bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch
+bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch
+bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


