[linux] 01/11: USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Apr 26 23:25:00 UTC 2017 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit 0756d74727490459efcd10e24004e046f6f942d0
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Apr 26 22:26:43 2017 +0100

    USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188)
---
 debian/changelog                                   |  1 +
 .../usb-iowarrior-fix-null-deref-at-probe.patch    | 53 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 55 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index fc03fd2..ef6850d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ linux (3.2.86-2) UNRELEASED; urgency=medium
 
   * timer: Restrict timer_stats to initial PID namespace (CVE-2017-5967)
   * l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (CVE-2016-10200)
+  * USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 13 Mar 2017 23:12:35 +0000
 
diff --git a/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch b/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
new file mode 100644
index 0000000..a880c1f
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
@@ -0,0 +1,53 @@
+From: Johan Hovold <johan at kernel.org>
+Date: Tue, 7 Mar 2017 16:11:03 +0100
+Subject: USB: iowarrior: fix NULL-deref at probe
+Origin: https://git.kernel.org/linus/b7321e81fc369abe353cf094d4f0dc2fe11ab95f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-2188
+
+Make sure to check for the required interrupt-in endpoint to avoid
+dereferencing a NULL-pointer should a malicious device lack such an
+endpoint.
+
+Note that a fairly recent change purported to fix this issue, but added
+an insufficient test on the number of endpoints only, a test which can
+now be removed.
+
+Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors")
+Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
+Cc: stable <stable at vger.kernel.org>	# 2.6.21
+Signed-off-by: Johan Hovold <johan at kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+[bwh: Backported to 3.2: adjust context]
+---
+ drivers/usb/misc/iowarrior.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -792,12 +792,6 @@ static int iowarrior_probe(struct usb_in
+ 	iface_desc = interface->cur_altsetting;
+ 	dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
+ 
+-	if (iface_desc->desc.bNumEndpoints < 1) {
+-		dev_err(&interface->dev, "Invalid number of endpoints\n");
+-		retval = -EINVAL;
+-		goto error;
+-	}
+-
+ 	/* set up the endpoint information */
+ 	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
+ 		endpoint = &iface_desc->endpoint[i].desc;
+@@ -808,6 +802,13 @@ static int iowarrior_probe(struct usb_in
+ 			/* this one will match for the IOWarrior56 only */
+ 			dev->int_out_endpoint = endpoint;
+ 	}
++
++	if (!dev->int_in_endpoint) {
++		dev_err(&interface->dev, "no interrupt-in endpoint found\n");
++		retval = -ENODEV;
++		goto error;
++	}
++
+ 	/* we have to check the report_size often, so remember it in the endianess suitable for our machine */
+ 	dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
+ 	if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
diff --git a/debian/patches/series b/debian/patches/series
index 6a4cd5c..76021ef 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1118,6 +1118,7 @@ features/all/list-introduce-list_first_entry_or_null.patch
 bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.patch
 bugfix/all/timer-restrict-timer_stats-to-initial-pid-namespace.patch
 bugfix/all/l2tp-fix-racy-sock_zapped-flag-check-in-l2tp_ip-6-_b.patch
+bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list