[linux] 01/01: USB: usbfs: fix potential infoleak in devio (CVE-2016-4482)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Jun 23 19:19:35 UTC 2016 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie-security
in repository linux.

commit 7d17432a0ce09d423b37d3af4dc17e0c4b321fc8
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Jun 23 21:15:57 2016 +0200

    USB: usbfs: fix potential infoleak in devio (CVE-2016-4482)
---
 debian/changelog                                   |  1 +
 ...usb-usbfs-fix-potential-infoleak-in-devio.patch | 41 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 43 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 2213da5..d3098e2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -26,6 +26,7 @@ linux (3.16.7-ckt25-2+deb8u1) UNRELEASED; urgency=medium
   * fs/pnode.c: treat zero mnt_group_id-s as unequal
   * propogate_mnt: Handle the first propogated copy being a slave
     (CVE-2016-4581)
+  * USB: usbfs: fix potential infoleak in devio (CVE-2016-4482)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 30 Mar 2016 16:32:07 +0100
 
diff --git a/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch b/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
new file mode 100644
index 0000000..18616fe
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
@@ -0,0 +1,41 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Tue, 3 May 2016 16:32:16 -0400
+Subject: USB: usbfs: fix potential infoleak in devio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/681fef8380eb818c0b845fca5d2ab1dcbab114ee
+
+The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
+are padding bytes which are not initialized and leaked to userland
+via “copy_to_user”.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/usb/core/devio.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
+index 73ce871..e9f5043 100644
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1316,10 +1316,11 @@ static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
+ 
+ static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
+ {
+-	struct usbdevfs_connectinfo ci = {
+-		.devnum = ps->dev->devnum,
+-		.slow = ps->dev->speed == USB_SPEED_LOW
+-	};
++	struct usbdevfs_connectinfo ci;
++
++	memset(&ci, 0, sizeof(ci));
++	ci.devnum = ps->dev->devnum;
++	ci.slow = ps->dev->speed == USB_SPEED_LOW;
+ 
+ 	if (copy_to_user(arg, &ci, sizeof(ci)))
+ 		return -EFAULT;
+-- 
+2.8.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 90634eb..350c00c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -678,3 +678,4 @@ bugfix/x86/x86-mm-xen-Suppress-hugetlbfs-in-PV-guests.patch
 bugfix/all/get_rock_ridge_filename-handle-malformed-NM-entries.patch
 bugfix/all/fs-pnode.c-treat-zero-mnt_group_id-s-as-unequal.patch
 bugfix/all/propogate_mnt-Handle-the-first-propogated-copy-being.patch
+bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list