[linux] 06/08: USB: serial: kl5kusb105: fix line-state error handling (CVE-2017-5549)
debian-kernel at lists.debian.org
Tue Feb 21 03:08:33 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie-security
in repository linux.
commit 1fecc8fad09829628bc525e06adb89be24cd08ab
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Tue Feb 21 02:01:26 2017 +0000
USB: serial: kl5kusb105: fix line-state error handling (CVE-2017-5549)
---
debian/changelog | 1 +
...-kl5kusb105-fix-line-state-error-handling.patch | 37 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 39 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 300b820..5a04f9b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,7 @@ linux (3.16.39-1+deb8u1) UNRELEASED; urgency=medium
* [x86] KVM: fix emulation of "MOV SS, null selector" (CVE-2017-2583)
* [x86] KVM: Introduce segmented_write_std (CVE-2017-2584)
* selinux: fix off-by-one in setprocattr (CVE-2017-2618)
+ * USB: serial: kl5kusb105: fix line-state error handling (CVE-2017-5549)
-- Salvatore Bonaccorso <carnil at debian.org> Sat, 18 Feb 2017 18:26:58 +0100
diff --git a/debian/patches/bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch b/debian/patches/bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
new file mode 100644
index 0000000..bb224f3
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
@@ -0,0 +1,37 @@
+From: Johan Hovold <johan at kernel.org>
+Date: Tue, 10 Jan 2017 12:05:37 +0100
+Subject: USB: serial: kl5kusb105: fix line-state error handling
+Origin: https://git.kernel.org/linus/146cc8a17a3b4996f6805ee5c080e7101277c410
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5549
+
+The current implementation failed to detect short transfers when
+attempting to read the line state, and also, to make things worse,
+logged the content of the uninitialised heap transfer buffer.
+
+Fixes: abf492e7b3ae ("USB: kl5kusb105: fix DMA buffers on stack")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable at vger.kernel.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan at kernel.org>
+---
+ drivers/usb/serial/kl5kusb105.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/kl5kusb105.c
++++ b/drivers/usb/serial/kl5kusb105.c
+@@ -195,10 +195,11 @@ static int klsi_105_get_line_state(struc
+ status_buf, KLSI_STATUSBUF_LEN,
+ 10000
+ );
+- if (rc < 0)
+- dev_err(&port->dev, "Reading line status failed (error = %d)\n",
+- rc);
+- else {
++ if (rc != KLSI_STATUSBUF_LEN) {
++ dev_err(&port->dev, "reading line status failed: %d\n", rc);
++ if (rc >= 0)
++ rc = -EIO;
++ } else {
+ status = get_unaligned_le16(status_buf);
+
+ dev_info(&port->serial->dev->dev, "read status %x %x\n",
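Review bot: In the new `rc != KLSI_STATUSBUF_LEN` branch, `dev_err` prints `rc` before it is normalised to `-EIO`, so a short transfer is logged as a positive byte count under "reading line status failed: %d", where a reader of the log expects an errno. Consider reporting the two cases distinctly, for example by logging the short length against `KLSI_STATUSBUF_LEN`, or by converting to `-EIO` before the message is emitted. Separately, the success branch still writes the raw status bytes at `dev_info` level through "read status %x %x"; now that this path is only reached after a full-length transfer the content is initialised, but `dev_dbg` would be a better fit for device data that is logged on every successful read.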
diff --git a/debian/patches/series b/debian/patches/series
index 4f5034e..b3df324 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -689,6 +689,7 @@ bugfix/all/sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch
bugfix/x86/kvm-x86-fix-emulation-of-mov-ss-null-selector.patch
bugfix/x86/kvm-x86-introduce-segmented_write_std.patch
bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch
+bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git