[linux] 01/01: USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Apr 19 18:02:59 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie
in repository linux.
commit 55ba112e829fddacfd6195cf9aa4c391e1696ea4
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Apr 19 19:02:13 2017 +0100
USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188)
---
debian/changelog | 1 +
.../usb-iowarrior-fix-null-deref-at-probe.patch | 52 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 54 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 49b24b3..e7a617b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -606,6 +606,7 @@ linux (3.16.43-1) UNRELEASED; urgency=medium
* mm/mempolicy.c: fix error handling in set_mempolicy and mbind
(CVE-2017-7616)
* crypto: ahash - Fix EINPROGRESS notification callback (CVE-2017-7618)
+ * USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188)
[ Salvatore Bonaccorso ]
* sunrpc: fix refcounting problems with auth_gss messages.
diff --git a/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch b/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
new file mode 100644
index 0000000..f662d55
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
@@ -0,0 +1,52 @@
+From: Johan Hovold <johan at kernel.org>
+Date: Tue, 7 Mar 2017 16:11:03 +0100
+Subject: USB: iowarrior: fix NULL-deref at probe
+Origin: https://git.kernel.org/linus/b7321e81fc369abe353cf094d4f0dc2fe11ab95f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-2188
+
+Make sure to check for the required interrupt-in endpoint to avoid
+dereferencing a NULL-pointer should a malicious device lack such an
+endpoint.
+
+Note that a fairly recent change purported to fix this issue, but added
+an insufficient test on the number of endpoints only, a test which can
+now be removed.
+
+Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors")
+Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
+Cc: stable <stable at vger.kernel.org> # 2.6.21
+Signed-off-by: Johan Hovold <johan at kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/usb/misc/iowarrior.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -787,12 +787,6 @@ static int iowarrior_probe(struct usb_in
+ iface_desc = interface->cur_altsetting;
+ dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
+
+- if (iface_desc->desc.bNumEndpoints < 1) {
+- dev_err(&interface->dev, "Invalid number of endpoints\n");
+- retval = -EINVAL;
+- goto error;
+- }
+-
+ /* set up the endpoint information */
+ for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
+ endpoint = &iface_desc->endpoint[i].desc;
+@@ -803,6 +797,13 @@ static int iowarrior_probe(struct usb_in
+ /* this one will match for the IOWarrior56 only */
+ dev->int_out_endpoint = endpoint;
+ }
++
++ if (!dev->int_in_endpoint) {
++ dev_err(&interface->dev, "no interrupt-in endpoint found\n");
++ retval = -ENODEV;
++ goto error;
++ }
++
+ /* we have to check the report_size often, so remember it in the endianness suitable for our machine */
+ dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
+ if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
diff --git a/debian/patches/series b/debian/patches/series
index f1b1326..2836167 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -685,6 +685,7 @@ bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch
+bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list