[linux] 01/01: USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Apr 19 18:02:59 UTC 2017 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie
in repository linux.

commit 55ba112e829fddacfd6195cf9aa4c391e1696ea4
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Apr 19 19:02:13 2017 +0100

    USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188)
---
 debian/changelog                                   |  1 +
 .../usb-iowarrior-fix-null-deref-at-probe.patch    | 52 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 54 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 49b24b3..e7a617b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -606,6 +606,7 @@ linux (3.16.43-1) UNRELEASED; urgency=medium
   * mm/mempolicy.c: fix error handling in set_mempolicy and mbind
     (CVE-2017-7616)
   * crypto: ahash - Fix EINPROGRESS notification callback (CVE-2017-7618)
+  * USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188)
 
   [ Salvatore Bonaccorso ]
   * sunrpc: fix refcounting problems with auth_gss messages.
diff --git a/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch b/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
new file mode 100644
index 0000000..f662d55
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
@@ -0,0 +1,52 @@
+From: Johan Hovold <johan at kernel.org>
+Date: Tue, 7 Mar 2017 16:11:03 +0100
+Subject: USB: iowarrior: fix NULL-deref at probe
+Origin: https://git.kernel.org/linus/b7321e81fc369abe353cf094d4f0dc2fe11ab95f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-2188
+
+Make sure to check for the required interrupt-in endpoint to avoid
+dereferencing a NULL-pointer should a malicious device lack such an
+endpoint.
+
+Note that a fairly recent change purported to fix this issue, but added
+an insufficient test on the number of endpoints only, a test which can
+now be removed.
+
+Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors")
+Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
+Cc: stable <stable at vger.kernel.org>	# 2.6.21
+Signed-off-by: Johan Hovold <johan at kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/usb/misc/iowarrior.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -787,12 +787,6 @@ static int iowarrior_probe(struct usb_in
+ 	iface_desc = interface->cur_altsetting;
+ 	dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
+ 
+-	if (iface_desc->desc.bNumEndpoints < 1) {
+-		dev_err(&interface->dev, "Invalid number of endpoints\n");
+-		retval = -EINVAL;
+-		goto error;
+-	}
+-
+ 	/* set up the endpoint information */
+ 	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
+ 		endpoint = &iface_desc->endpoint[i].desc;
+@@ -803,6 +797,13 @@ static int iowarrior_probe(struct usb_in
+ 			/* this one will match for the IOWarrior56 only */
+ 			dev->int_out_endpoint = endpoint;
+ 	}
++
++	if (!dev->int_in_endpoint) {
++		dev_err(&interface->dev, "no interrupt-in endpoint found\n");
++		retval = -ENODEV;
++		goto error;
++	}
++
+ 	/* we have to check the report_size often, so remember it in the endianness suitable for our machine */
+ 	dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
+ 	if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
diff --git a/debian/patches/series b/debian/patches/series
index f1b1326..2836167 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -685,6 +685,7 @@ bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
 bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
 bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
 bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch
+bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list