[linux] 02/06: Add USB descriptor parsing fixes

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Fri Jun 24 19:56:44 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit 22d0a6d728f213c1d88c1cf81dd8fb1af2d0a4a0
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Fri Jun 24 21:42:12 2016 +0200

    Add USB descriptor parsing fixes
---
 debian/changelog                                   |  15 +++
 ...dio-add-sanity-checks-for-endpoint-access.patch |  71 ++++++++++++++
 ...dio-fix-null-dereference-in-create_fixed_.patch |  34 +++++++
 ...k-fix-crash-on-detecting-device-without-e.patch |  44 +++++++++
 ...emote2-fix-crashes-on-detecting-device-wi.patch | 106 +++++++++++++++++++++
 ...fix-crash-on-detecting-device-without-end.patch |  51 ++++++++++
 ...mate-fix-oops-with-malicious-usb-descript.patch |  35 +++++++
 .../all/usb-cdc-acm-more-sanity-checking.patch     |  29 ++++++
 .../usb-cypress_m8-add-endpoint-sanity-check.patch |  46 +++++++++
 ...celeport-do-sanity-checking-for-the-numbe.patch |  49 ++++++++++
 ...usb-mct_u232-add-sanity-checking-in-probe.patch |  46 +++++++++
 debian/patches/series                              |  10 ++
 12 files changed, 536 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 2ae3cfe..d42442f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -20,6 +20,21 @@ linux (3.16.7-ckt25-2+deb8u1) UNRELEASED; urgency=medium
   * mm: hugetlb: allow hugepages_supported to be architecture specific
   * ecryptfs: fix handling of directory opening
   * ecryptfs: forbid opening files without mmap handler (CVE-2016-1583)
+  * Input: aiptek - fix crash on detecting device without endpoints
+    (CVE-2015-7515)
+  * ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk()
+    (CVE-2016-2184)
+  * ALSA: usb-audio: Add sanity checks for endpoint accesses
+  * Input: ati_remote2 - fix crashes on detecting device with invalid
+    descriptor (CVE-2016-2185)
+  * Input: powermate - fix oops with malicious USB descriptors (CVE-2016-2186)
+  * Input: gtco - fix crash on detecting device without endpoints
+    (CVE-2016-2187)
+  * USB: mct_u232: add sanity checking in probe (CVE-2016-3136)
+  * USB: cypress_m8: add endpoint sanity check (CVE-2016-3137)
+  * USB: cdc-acm: more sanity checking (CVE-2016-3138)
+  * USB: digi_acceleport: do sanity checking for the number of ports
+    (CVE-2016-3140)
 
   [ Salvatore Bonaccorso ]
   * [x86] USB: usbip: fix potential out-of-bounds write (CVE-2016-3955)
diff --git a/debian/patches/bugfix/all/alsa-usb-audio-add-sanity-checks-for-endpoint-access.patch b/debian/patches/bugfix/all/alsa-usb-audio-add-sanity-checks-for-endpoint-access.patch
new file mode 100644
index 0000000..a709d4d
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-usb-audio-add-sanity-checks-for-endpoint-access.patch
@@ -0,0 +1,71 @@
+From: Takashi Iwai <tiwai at suse.de>
+Date: Tue, 15 Mar 2016 15:20:58 +0100
+Subject: ALSA: usb-audio: Add sanity checks for endpoint accesses
+Origin: https://git.kernel.org/linus/447d6275f0c21f6cc97a88b3a0c601436a4cdf2a
+
+Add some sanity check codes before actually accessing the endpoint via
+get_endpoint() in order to avoid the invalid access through a
+malformed USB descriptor.  Mostly just checking bNumEndpoints, but in
+one place (snd_microii_spdif_default_get()), the validity of iface and
+altsetting index is checked as well.
+
+Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+Cc: Moritz Muehlenhoff <jmm at inutil.org>
+[ luis: backported to 3.16: adjusted context ]
+Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
+---
+ sound/usb/clock.c        | 2 ++
+ sound/usb/endpoint.c     | 3 +++
+ sound/usb/mixer_quirks.c | 4 ++++
+ sound/usb/pcm.c          | 2 ++
+ 4 files changed, 11 insertions(+)
+
+--- a/sound/usb/clock.c
++++ b/sound/usb/clock.c
+@@ -285,6 +285,8 @@ static int set_sample_rate_v1(struct snd
+ 	unsigned char data[3];
+ 	int err, crate;
+ 
++	if (get_iface_desc(alts)->bNumEndpoints < 1)
++		return -EINVAL;
+ 	ep = get_endpoint(alts, 0)->bEndpointAddress;
+ 
+ 	/* if endpoint doesn't have sampling rate control, bail out */
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -410,6 +410,9 @@ exit_clear:
+  *
+  * New endpoints will be added to chip->ep_list and must be freed by
+  * calling snd_usb_endpoint_free().
++ *
++ * For SND_USB_ENDPOINT_TYPE_SYNC, the caller needs to guarantee that
++ * bNumEndpoints > 1 beforehand.
+  */
+ struct snd_usb_endpoint *snd_usb_add_endpoint(struct snd_usb_audio *chip,
+ 					      struct usb_host_interface *alts,
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -1456,7 +1456,11 @@ static int snd_microii_spdif_default_get
+ 
+ 	/* use known values for that card: interface#1 altsetting#1 */
+ 	iface = usb_ifnum_to_if(mixer->chip->dev, 1);
++	if (!iface || iface->num_altsetting < 2)
++		return -EINVAL;
+ 	alts = &iface->altsetting[1];
++	if (get_iface_desc(alts)->bNumEndpoints < 1)
++		return -EINVAL;
+ 	ep = get_endpoint(alts, 0)->bEndpointAddress;
+ 
+ 	err = snd_usb_ctl_msg(mixer->chip->dev,
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -159,6 +159,8 @@ static int init_pitch_v1(struct snd_usb_
+ 	unsigned char data[1];
+ 	int err;
+ 
++	if (get_iface_desc(alts)->bNumEndpoints < 1)
++		return -EINVAL;
+ 	ep = get_endpoint(alts, 0)->bEndpointAddress;
+ 
+ 	data[0] = 1;
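Review bot: In the sound/usb/endpoint.c part of this patch, the new SND_USB_ENDPOINT_TYPE_SYNC requirement (bNumEndpoints > 1) exists only as a comment on snd_usb_add_endpoint(). Nothing in the visible hunks enforces it, so a caller that omits the check would presumably still index an endpoint on a descriptor the device controls. Because the function already receives `alts`, a guard inside it would make the contract self-enforcing, e.g. `if (type == SND_USB_ENDPOINT_TYPE_SYNC && get_iface_desc(alts)->bNumEndpoints < 2) return NULL;`. This assumes the type argument is named `type` and that NULL is the failure return; the rest of the signature and the body are outside the hunk. The clock.c, mixer_quirks.c and pcm.c hunks test bNumEndpoints immediately before get_endpoint(alts, 0), which is the pattern worth keeping.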
diff --git a/debian/patches/bugfix/all/alsa-usb-audio-fix-null-dereference-in-create_fixed_.patch b/debian/patches/bugfix/all/alsa-usb-audio-fix-null-dereference-in-create_fixed_.patch
new file mode 100644
index 0000000..d87cbbe
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-usb-audio-fix-null-dereference-in-create_fixed_.patch
@@ -0,0 +1,34 @@
+From: Takashi Iwai <tiwai at suse.de>
+Date: Tue, 15 Mar 2016 12:09:10 +0100
+Subject: ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk()
+Origin: https://git.kernel.org/linus/0f886ca12765d20124bd06291c82951fd49a33be
+
+create_fixed_stream_quirk() may cause a NULL-pointer dereference by
+accessing the non-existing endpoint when a USB device with a malformed
+USB descriptor is used.
+
+This patch avoids it simply by adding a sanity check of bNumEndpoints
+before the accesses.
+
+Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/usb/quirks.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -168,6 +168,12 @@ static int create_fixed_stream_quirk(str
+ 	}
+ 	alts = &iface->altsetting[fp->altset_idx];
+ 	altsd = get_iface_desc(alts);
++	if (altsd->bNumEndpoints < 1) {
++		kfree(fp);
++		kfree(rate_table);
++		return -EINVAL;
++	}
++
+ 	fp->protocol = altsd->bInterfaceProtocol;
+ 
+ 	if (fp->datainterval == 0)
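Review bot: The new error branch frees `fp` and `rate_table` by hand, which is safe only if `fp` has not yet been handed to another owner at this point in create_fixed_stream_quirk(). The hunk starts mid-function, so that cannot be confirmed from here. If an earlier call has already linked `fp` into a stream, this `kfree(fp)` leaves a dangling pointer that teardown would touch again. Check the lines above the hunk and, if `fp` is registered before this point, either move the descriptor checks ahead of the registration or unlink `fp` before freeing it. A comment such as `/* fp is not linked anywhere yet, so freeing it directly is safe */` would record the assumption.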
diff --git a/debian/patches/bugfix/all/input-aiptek-fix-crash-on-detecting-device-without-e.patch b/debian/patches/bugfix/all/input-aiptek-fix-crash-on-detecting-device-without-e.patch
new file mode 100644
index 0000000..8c250c4
--- /dev/null
+++ b/debian/patches/bugfix/all/input-aiptek-fix-crash-on-detecting-device-without-e.patch
@@ -0,0 +1,44 @@
+From: Vladis Dronov <vdronov at redhat.com>
+Date: Tue, 1 Dec 2015 13:09:17 -0800
+Subject: Input: aiptek - fix crash on detecting device without endpoints
+Origin: https://git.kernel.org/linus/8e20cf2bce122ce9262d6034ee5d5b76fbb92f96
+
+The aiptek driver crashes in aiptek_probe() when a specially crafted USB
+device without endpoints is detected. This fix adds a check that the device
+has proper configuration expected by the driver. Also an error return value
+is changed to more matching one in one of the error paths.
+
+Reported-by: Ralf Spenneberg <ralf at spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov at redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>
+---
+ drivers/input/tablet/aiptek.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aiptek.c
+index e7f966da6efa..78ca44840d60 100644
+--- a/drivers/input/tablet/aiptek.c
++++ b/drivers/input/tablet/aiptek.c
+@@ -1819,6 +1819,14 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id)
+ 	input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_MAX, 0, 0);
+ 	input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
+ 
++	/* Verify that a device really has an endpoint */
++	if (intf->altsetting[0].desc.bNumEndpoints < 1) {
++		dev_err(&intf->dev,
++			"interface has %d endpoints, but must have minimum 1\n",
++			intf->altsetting[0].desc.bNumEndpoints);
++		err = -EINVAL;
++		goto fail3;
++	}
+ 	endpoint = &intf->altsetting[0].endpoint[0].desc;
+ 
+ 	/* Go set up our URB, which is called when the tablet receives
+@@ -1861,6 +1869,7 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id)
+ 	if (i == ARRAY_SIZE(speeds)) {
+ 		dev_info(&intf->dev,
+ 			 "Aiptek tried all speeds, no sane response\n");
++		err = -EINVAL;
+ 		goto fail3;
+ 	}
+ 
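Review bot: The added check in aiptek_probe() proves only that endpoint[0] exists; its type and direction are still whatever the device reports, and the next line takes `&intf->altsetting[0].endpoint[0].desc` for the URB setup announced in the following comment. The powermate patch in this same commit shows the stricter pattern with `usb_endpoint_is_int_in(endpoint)`. Adding `if (!usb_endpoint_is_int_in(endpoint)) { err = -EINVAL; goto fail3; }` after the assignment would reject a descriptor with the wrong kind of endpoint in slot 0, assuming the driver expects interrupt-IN, which the URB code outside the hunk would confirm. The same count-only validation appears in the ati_remote2 and gtco patches further down. The function body starts and ends outside both hunks.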
diff --git a/debian/patches/bugfix/all/input-ati_remote2-fix-crashes-on-detecting-device-wi.patch b/debian/patches/bugfix/all/input-ati_remote2-fix-crashes-on-detecting-device-wi.patch
new file mode 100644
index 0000000..76e1eb4
--- /dev/null
+++ b/debian/patches/bugfix/all/input-ati_remote2-fix-crashes-on-detecting-device-wi.patch
@@ -0,0 +1,106 @@
+From: Vladis Dronov <vdronov at redhat.com>
+Date: Wed, 23 Mar 2016 11:53:46 -0700
+Subject: Input: ati_remote2 - fix crashes on detecting device with invalid
+ descriptor
+Origin: https://git.kernel.org/linus/950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d
+
+The ati_remote2 driver expects at least two interfaces with one
+endpoint each. If given malicious descriptor that specify one
+interface or no endpoints, it will crash in the probe function.
+Ensure there is at least two interfaces and one endpoint for each
+interface before using it.
+
+The full disclosure: http://seclists.org/bugtraq/2016/Mar/90
+
+Reported-by: Ralf Spenneberg <ralf at spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov at redhat.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>
+---
+ drivers/input/misc/ati_remote2.c | 36 ++++++++++++++++++++++++++++++------
+ 1 file changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c
+index cfd58e87da26..1c5914cae853 100644
+--- a/drivers/input/misc/ati_remote2.c
++++ b/drivers/input/misc/ati_remote2.c
+@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
+ 
+ 	ar2->udev = udev;
+ 
++	/* Sanity check, first interface must have an endpoint */
++	if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
++		dev_err(&interface->dev,
++			"%s(): interface 0 must have an endpoint\n", __func__);
++		r = -ENODEV;
++		goto fail1;
++	}
+ 	ar2->intf[0] = interface;
+ 	ar2->ep[0] = &alt->endpoint[0].desc;
+ 
++	/* Sanity check, the device must have two interfaces */
+ 	ar2->intf[1] = usb_ifnum_to_if(udev, 1);
++	if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) {
++		dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n",
++			__func__, udev->actconfig->desc.bNumInterfaces);
++		r = -ENODEV;
++		goto fail1;
++	}
++
+ 	r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2);
+ 	if (r)
+ 		goto fail1;
++
++	/* Sanity check, second interface must have an endpoint */
+ 	alt = ar2->intf[1]->cur_altsetting;
++	if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
++		dev_err(&interface->dev,
++			"%s(): interface 1 must have an endpoint\n", __func__);
++		r = -ENODEV;
++		goto fail2;
++	}
+ 	ar2->ep[1] = &alt->endpoint[0].desc;
+ 
+ 	r = ati_remote2_urb_init(ar2);
+ 	if (r)
+-		goto fail2;
++		goto fail3;
+ 
+ 	ar2->channel_mask = channel_mask;
+ 	ar2->mode_mask = mode_mask;
+ 
+ 	r = ati_remote2_setup(ar2, ar2->channel_mask);
+ 	if (r)
+-		goto fail2;
++		goto fail3;
+ 
+ 	usb_make_path(udev, ar2->phys, sizeof(ar2->phys));
+ 	strlcat(ar2->phys, "/input0", sizeof(ar2->phys));
+@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
+ 
+ 	r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group);
+ 	if (r)
+-		goto fail2;
++		goto fail3;
+ 
+ 	r = ati_remote2_input_init(ar2);
+ 	if (r)
+-		goto fail3;
++		goto fail4;
+ 
+ 	usb_set_intfdata(interface, ar2);
+ 
+@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
+ 
+ 	return 0;
+ 
+- fail3:
++ fail4:
+ 	sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group);
+- fail2:
++ fail3:
+ 	ati_remote2_urb_cleanup(ar2);
++ fail2:
+ 	usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]);
+  fail1:
+ 	kfree(ar2);
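Review bot: The endpoint check for interface 1 runs after usb_driver_claim_interface(), which is what forces the new `fail2` label and the renumbering of every later `goto` in ati_remote2_probe(). `ar2->intf[1]->cur_altsetting` can be read as soon as `usb_ifnum_to_if()` has returned non-NULL, so testing `bNumEndpoints` before the claim would let that path leave through `fail1` and keep the existing labels untouched. That gives a smaller diff with less room for a mis-targeted goto. If the ordering stays, descriptive labels (for example `err_release_intf`, `err_urb_cleanup`) would avoid renumbering in the next fix. As written, the labels do unwind in the right order.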
diff --git a/debian/patches/bugfix/all/input-gtco-fix-crash-on-detecting-device-without-end.patch b/debian/patches/bugfix/all/input-gtco-fix-crash-on-detecting-device-without-end.patch
new file mode 100644
index 0000000..e0124c8
--- /dev/null
+++ b/debian/patches/bugfix/all/input-gtco-fix-crash-on-detecting-device-without-end.patch
@@ -0,0 +1,51 @@
+From: Vladis Dronov <vdronov at redhat.com>
+Date: Thu, 31 Mar 2016 10:53:42 -0700
+Subject: Input: gtco - fix crash on detecting device without endpoints
+Origin: https://git.kernel.org/linus/162f98dea487206d9ab79fc12ed64700667a894d
+
+The gtco driver expects at least one valid endpoint. If given malicious
+descriptors that specify 0 for the number of endpoints, it will crash in
+the probe function. Ensure there is at least one endpoint on the interface
+before using it.
+
+Also let's fix a minor coding style issue.
+
+The full correct report of this issue can be found in the public
+Red Hat Bugzilla:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1283385
+
+Reported-by: Ralf Spenneberg <ralf at spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov at redhat.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>
+---
+ drivers/input/tablet/gtco.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -868,6 +868,14 @@ static int gtco_probe(struct usb_interfa
+ 		goto err_free_buf;
+ 	}
+ 
++	/* Sanity check that a device has an endpoint */
++	if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
++		dev_err(&usbinterface->dev,
++			"Invalid number of endpoints\n");
++		error = -EINVAL;
++		goto err_free_urb;
++	}
++
+ 	/*
+ 	 * The endpoint is always altsetting 0, we know this since we know
+ 	 * this device only has one interrupt endpoint
+@@ -889,7 +897,7 @@ static int gtco_probe(struct usb_interfa
+ 	 * HID report descriptor
+ 	 */
+ 	if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
+-				     HID_DEVICE_TYPE, &hid_desc) != 0){
++				     HID_DEVICE_TYPE, &hid_desc) != 0) {
+ 		dev_err(&usbinterface->dev,
+ 			"Can't retrieve exta USB descriptor to get hid report descriptor length\n");
+ 		error = -EIO;
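Review bot: The new sanity check in gtco_probe() reads `usbinterface->altsetting[0]`, but the HID descriptor lookup in the second hunk uses `usbinterface->cur_altsetting`, so the function validates one alternate setting while partly operating on another. `altsetting[]` is not guaranteed to list the active setting first. Testing `usbinterface->cur_altsetting->desc.bNumEndpoints < 1` and taking the endpoint from `cur_altsetting` as well would keep the validated object and the used object identical. The endpoint assignment itself is outside the hunk and needs the matching change. The aiptek patch above indexes `altsetting[0]` in the same way.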
diff --git a/debian/patches/bugfix/all/input-powermate-fix-oops-with-malicious-usb-descript.patch b/debian/patches/bugfix/all/input-powermate-fix-oops-with-malicious-usb-descript.patch
new file mode 100644
index 0000000..6d3b429
--- /dev/null
+++ b/debian/patches/bugfix/all/input-powermate-fix-oops-with-malicious-usb-descript.patch
@@ -0,0 +1,35 @@
+From: Josh Boyer <jwboyer at fedoraproject.org>
+Date: Mon, 14 Mar 2016 09:33:40 -0700
+Subject: Input: powermate - fix oops with malicious USB descriptors
+Origin: https://git.kernel.org/linus/9c6ba456711687b794dcf285856fc14e2c76074f
+
+The powermate driver expects at least one valid USB endpoint in its
+probe function.  If given malicious descriptors that specify 0 for
+the number of endpoints, it will crash.  Validate the number of
+endpoints on the interface before using them.
+
+The full report for this issue can be found here:
+http://seclists.org/bugtraq/2016/Mar/85
+
+Reported-by: Ralf Spenneberg <ralf at spenneberg.net>
+Cc: stable <stable at vger.kernel.org>
+Signed-off-by: Josh Boyer <jwboyer at fedoraproject.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>
+---
+ drivers/input/misc/powermate.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
+index 63b539d3daba..84909a12ff36 100644
+--- a/drivers/input/misc/powermate.c
++++ b/drivers/input/misc/powermate.c
+@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
+ 	int error = -ENOMEM;
+ 
+ 	interface = intf->cur_altsetting;
++	if (interface->desc.bNumEndpoints < 1)
++		return -EINVAL;
++
+ 	endpoint = &interface->endpoint[0].desc;
+ 	if (!usb_endpoint_is_int_in(endpoint))
+ 		return -EIO;
diff --git a/debian/patches/bugfix/all/usb-cdc-acm-more-sanity-checking.patch b/debian/patches/bugfix/all/usb-cdc-acm-more-sanity-checking.patch
new file mode 100644
index 0000000..9dbea5f
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-cdc-acm-more-sanity-checking.patch
@@ -0,0 +1,29 @@
+From: Oliver Neukum <oneukum at suse.com>
+Date: Tue, 15 Mar 2016 10:14:04 +0100
+Subject: USB: cdc-acm: more sanity checking
+Origin: https://git.kernel.org/linus/8835ba4a39cf53f705417b3b3a94eb067673f2c9
+
+An attack has become available which pretends to be a quirky
+device circumventing normal sanity checks and crashes the kernel
+by an insufficient number of interfaces. This patch adds a check
+to the code path for quirky devices.
+
+Signed-off-by: Oliver Neukum <ONeukum at suse.com>
+CC: stable at vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1104,6 +1104,9 @@ static int acm_probe(struct usb_interfac
+ 	if (quirks == NO_UNION_NORMAL) {
+ 		data_interface = usb_ifnum_to_if(usb_dev, 1);
+ 		control_interface = usb_ifnum_to_if(usb_dev, 0);
++		/* we would crash */
++		if (!data_interface || !control_interface)
++			return -ENODEV;
+ 		goto skip_normal_probe;
+ 	}
+ 
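Review bot: The comment `/* we would crash */` on the new NULL check in acm_probe() does not say what is being guarded. Something like `/* usb_ifnum_to_if() returns NULL if the device lacks interface 0 or 1 */` would tell the next reader why a device matched by the NO_UNION_NORMAL quirk can still be rejected here. The check covers only the two interface pointers. Whether the code after `skip_normal_probe` also validates the endpoint counts of both interfaces is not visible in this hunk and is worth confirming.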
diff --git a/debian/patches/bugfix/all/usb-cypress_m8-add-endpoint-sanity-check.patch b/debian/patches/bugfix/all/usb-cypress_m8-add-endpoint-sanity-check.patch
new file mode 100644
index 0000000..e1b05ce
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-cypress_m8-add-endpoint-sanity-check.patch
@@ -0,0 +1,46 @@
+From: Oliver Neukum <oneukum at suse.com>
+Date: Thu, 31 Mar 2016 12:04:25 -0400
+Subject: USB: cypress_m8: add endpoint sanity check
+Origin: https://git.kernel.org/linus/c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754
+
+An attack using missing endpoints exists.
+
+CVE-2016-3137
+
+Signed-off-by: Oliver Neukum <ONeukum at suse.com>
+CC: stable at vger.kernel.org
+Signed-off-by: Johan Hovold <johan at kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/usb/serial/cypress_m8.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
+index b283eb8b86d6..bbeeb2bd55a8 100644
+--- a/drivers/usb/serial/cypress_m8.c
++++ b/drivers/usb/serial/cypress_m8.c
+@@ -447,6 +447,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port)
+ 	struct usb_serial *serial = port->serial;
+ 	struct cypress_private *priv;
+ 
++	if (!port->interrupt_out_urb || !port->interrupt_in_urb) {
++		dev_err(&port->dev, "required endpoint is missing\n");
++		return -ENODEV;
++	}
++
+ 	priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
+ 	if (!priv)
+ 		return -ENOMEM;
+@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port)
+ 		cypress_set_termios(tty, port, &priv->tmp_termios);
+ 
+ 	/* setup the port and start reading from the device */
+-	if (!port->interrupt_in_urb) {
+-		dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n",
+-			__func__);
+-		return -1;
+-	}
+-
+ 	usb_fill_int_urb(port->interrupt_in_urb, serial->dev,
+ 		usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress),
+ 		port->interrupt_in_urb->transfer_buffer,
diff --git a/debian/patches/bugfix/all/usb-digi_acceleport-do-sanity-checking-for-the-numbe.patch b/debian/patches/bugfix/all/usb-digi_acceleport-do-sanity-checking-for-the-numbe.patch
new file mode 100644
index 0000000..e32181c
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-digi_acceleport-do-sanity-checking-for-the-numbe.patch
@@ -0,0 +1,49 @@
+From: Oliver Neukum <oneukum at suse.com>
+Date: Thu, 31 Mar 2016 12:04:26 -0400
+Subject: USB: digi_acceleport: do sanity checking for the number of ports
+Origin: https://git.kernel.org/linus/5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f
+
+The driver can be crashed with devices that expose crafted descriptors
+with too few endpoints.
+
+See: http://seclists.org/bugtraq/2016/Mar/61
+
+Signed-off-by: Oliver Neukum <ONeukum at suse.com>
+[johan: fix OOB endpoint check and add error messages ]
+Cc: stable <stable at vger.kernel.org>
+Signed-off-by: Johan Hovold <johan at kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/usb/serial/digi_acceleport.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/usb/serial/digi_acceleport.c
++++ b/drivers/usb/serial/digi_acceleport.c
+@@ -1252,8 +1252,27 @@ static int digi_port_init(struct usb_ser
+ 
+ static int digi_startup(struct usb_serial *serial)
+ {
++	struct device *dev = &serial->interface->dev;
+ 	struct digi_serial *serial_priv;
+ 	int ret;
++	int i;
++
++	/* check whether the device has the expected number of endpoints */
++	if (serial->num_port_pointers < serial->type->num_ports + 1) {
++		dev_err(dev, "OOB endpoints missing\n");
++		return -ENODEV;
++	}
++
++	for (i = 0; i < serial->type->num_ports + 1 ; i++) {
++		if (!serial->port[i]->read_urb) {
++			dev_err(dev, "bulk-in endpoint missing\n");
++			return -ENODEV;
++		}
++		if (!serial->port[i]->write_urb) {
++			dev_err(dev, "bulk-out endpoint missing\n");
++			return -ENODEV;
++		}
++	}
+ 
+ 	serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
+ 	if (!serial_priv)
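Review bot: `serial->type->num_ports + 1` is written twice in digi_startup() without saying what the extra port is, and the comment speaks of endpoints while the first test compares port pointers. A local such as `int num_ports = serial->type->num_ports + 1; /* data ports plus the OOB port */` would make the bound check and the loop agree by construction; the out-of-band reading is inferred from the "OOB endpoints missing" message. The loop header also has a stray space before the second `;`.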
diff --git a/debian/patches/bugfix/all/usb-mct_u232-add-sanity-checking-in-probe.patch b/debian/patches/bugfix/all/usb-mct_u232-add-sanity-checking-in-probe.patch
new file mode 100644
index 0000000..7427d09
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-mct_u232-add-sanity-checking-in-probe.patch
@@ -0,0 +1,46 @@
+From: Oliver Neukum <oneukum at suse.com>
+Date: Thu, 31 Mar 2016 12:04:24 -0400
+Subject: USB: mct_u232: add sanity checking in probe
+Origin: https://git.kernel.org/linus/4e9a0b05257f29cf4b75f3209243ed71614d062e
+
+An attack using the lack of sanity checking in probe is known. This
+patch checks for the existence of a second port.
+
+CVE-2016-3136
+
+Signed-off-by: Oliver Neukum <ONeukum at suse.com>
+CC: stable at vger.kernel.org
+[johan: add error message ]
+Signed-off-by: Johan Hovold <johan at kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/usb/serial/mct_u232.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
+index 4446b8d70ac2..885655315de1 100644
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -376,14 +376,21 @@ static void mct_u232_msr_to_state(struct usb_serial_port *port,
+ 
+ static int mct_u232_port_probe(struct usb_serial_port *port)
+ {
++	struct usb_serial *serial = port->serial;
+ 	struct mct_u232_private *priv;
+ 
++	/* check first to simplify error handling */
++	if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
++		dev_err(&port->dev, "expected endpoint missing\n");
++		return -ENODEV;
++	}
++
+ 	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ 	if (!priv)
+ 		return -ENOMEM;
+ 
+ 	/* Use second interrupt-in endpoint for reading. */
+-	priv->read_urb = port->serial->port[1]->interrupt_in_urb;
++	priv->read_urb = serial->port[1]->interrupt_in_urb;
+ 	priv->read_urb->context = port;
+ 
+ 	spin_lock_init(&priv->lock);
diff --git a/debian/patches/series b/debian/patches/series
index d1a72b8..85c3752 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -686,3 +686,13 @@ bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
 bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
 bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch
 bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch
+bugfix/all/input-aiptek-fix-crash-on-detecting-device-without-e.patch
+bugfix/all/alsa-usb-audio-fix-null-dereference-in-create_fixed_.patch
+bugfix/all/alsa-usb-audio-add-sanity-checks-for-endpoint-access.patch
+bugfix/all/input-ati_remote2-fix-crashes-on-detecting-device-wi.patch
+bugfix/all/input-powermate-fix-oops-with-malicious-usb-descript.patch
+bugfix/all/input-gtco-fix-crash-on-detecting-device-without-end.patch
+bugfix/all/usb-mct_u232-add-sanity-checking-in-probe.patch
+bugfix/all/usb-cypress_m8-add-endpoint-sanity-check.patch
+bugfix/all/usb-cdc-acm-more-sanity-checking.patch
+bugfix/all/usb-digi_acceleport-do-sanity-checking-for-the-numbe.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


