[linux] 01/01: USB: usbfs: fix potential infoleak in devio (CVE-2016-4482)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Thu Jun 23 19:19:35 UTC 2016
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch jessie-security
in repository linux.
commit 7d17432a0ce09d423b37d3af4dc17e0c4b321fc8
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Thu Jun 23 21:15:57 2016 +0200
USB: usbfs: fix potential infoleak in devio (CVE-2016-4482)
---
debian/changelog | 1 +
...usb-usbfs-fix-potential-infoleak-in-devio.patch | 41 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 43 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 2213da5..d3098e2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -26,6 +26,7 @@ linux (3.16.7-ckt25-2+deb8u1) UNRELEASED; urgency=medium
* fs/pnode.c: treat zero mnt_group_id-s as unequal
* propogate_mnt: Handle the first propogated copy being a slave
(CVE-2016-4581)
+ * USB: usbfs: fix potential infoleak in devio (CVE-2016-4482)
-- Ben Hutchings <ben at decadent.org.uk> Wed, 30 Mar 2016 16:32:07 +0100
diff --git a/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch b/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
new file mode 100644
index 0000000..18616fe
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
@@ -0,0 +1,41 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Tue, 3 May 2016 16:32:16 -0400
+Subject: USB: usbfs: fix potential infoleak in devio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/681fef8380eb818c0b845fca5d2ab1dcbab114ee
+
+The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
+are padding bytes which are not initialized and leaked to userland
+via “copy_to_user”.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/usb/core/devio.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
+index 73ce871..e9f5043 100644
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1316,10 +1316,11 @@ static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
+
+ static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
+ {
+- struct usbdevfs_connectinfo ci = {
+- .devnum = ps->dev->devnum,
+- .slow = ps->dev->speed == USB_SPEED_LOW
+- };
++ struct usbdevfs_connectinfo ci;
++
++ memset(&ci, 0, sizeof(ci));
++ ci.devnum = ps->dev->devnum;
++ ci.slow = ps->dev->speed == USB_SPEED_LOW;
+
+ if (copy_to_user(arg, &ci, sizeof(ci)))
+ return -EFAULT;
+--
+2.8.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 90634eb..350c00c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -678,3 +678,4 @@ bugfix/x86/x86-mm-xen-Suppress-hugetlbfs-in-PV-guests.patch
bugfix/all/get_rock_ridge_filename-handle-malformed-NM-entries.patch
bugfix/all/fs-pnode.c-treat-zero-mnt_group_id-s-as-unequal.patch
bugfix/all/propogate_mnt-Handle-the-first-propogated-copy-being.patch
+bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list