[linux] 06/07: USB: serial: kl5kusb105: fix line-state error handling (CVE-2017-5549)
debian-kernel at lists.debian.org
Tue Feb 21 21:40:58 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit 3a1049ab42a29c6e4acea90c0128fe4ac05357dd
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Tue Feb 21 21:19:30 2017 +0000
USB: serial: kl5kusb105: fix line-state error handling (CVE-2017-5549)
---
debian/changelog | 1 +
...-kl5kusb105-fix-line-state-error-handling.patch | 37 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 39 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 9f22308..34fd6cd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,7 @@ linux (3.2.84-2) UNRELEASED; urgency=high
* lockdep: Silence warning if CONFIG_LOCKDEP isn't set
* perf: Fix event->ctx locking (CVE-2016-6786, CVE-2016-6787)
* fbdev: color map copying bounds checking (CVE-2016-8405)
+ * USB: serial: kl5kusb105: fix line-state error handling (CVE-2017-5549)
-- Salvatore Bonaccorso <carnil at debian.org> Sat, 18 Feb 2017 18:26:58 +0100
diff --git a/debian/patches/bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch b/debian/patches/bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
new file mode 100644
index 0000000..81b5a69
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
@@ -0,0 +1,37 @@
+From: Johan Hovold <johan at kernel.org>
+Date: Tue, 10 Jan 2017 12:05:37 +0100
+Subject: USB: serial: kl5kusb105: fix line-state error handling
+Origin: https://git.kernel.org/linus/146cc8a17a3b4996f6805ee5c080e7101277c410
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5549
+
+The current implementation failed to detect short transfers when
+attempting to read the line state, and also, to make things worse,
+logged the content of the uninitialised heap transfer buffer.
+
+Fixes: abf492e7b3ae ("USB: kl5kusb105: fix DMA buffers on stack")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable at vger.kernel.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan at kernel.org>
+---
+ drivers/usb/serial/kl5kusb105.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/kl5kusb105.c
++++ b/drivers/usb/serial/kl5kusb105.c
+@@ -209,10 +209,11 @@ static int klsi_105_get_line_state(struc
+ status_buf, KLSI_STATUSBUF_LEN,
+ 10000
+ );
+- if (rc < 0)
+- dev_err(&port->dev, "Reading line status failed (error = %d)\n",
+- rc);
+- else {
++ if (rc != KLSI_STATUSBUF_LEN) {
++ dev_err(&port->dev, "reading line status failed: %d\n", rc);
++ if (rc >= 0)
++ rc = -EIO;
++ } else {
+ status = get_unaligned_le16(status_buf);
+
+ dev_info(&port->serial->dev->dev, "read status %x %x",
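Review bot: in the new error branch of klsi_105_get_line_state(), dev_err prints rc before it is rewritten to -EIO, so a short transfer is logged as "reading line status failed: N" with a non-negative byte count, in the same format used for a negative errno. A separate message for the rc >= 0 case that states the received length against KLSI_STATUSBUF_LEN would let a log reader tell the two failure modes apart. The else branch is now reached only when the full KLSI_STATUSBUF_LEN bytes arrived, which is what keeps get_unaligned_le16(status_buf) and the dev_info that follows from reading unfilled buffer contents. That dev_info still writes raw device status at info level whenever the read succeeds, and dev_dbg would fit better.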
diff --git a/debian/patches/series b/debian/patches/series
index e574fa0..bc7bf4f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1133,6 +1133,7 @@ bugfix/all/perf-fix-perf_event_for_each-to-use-sibling.patch
bugfix/all/lockdep-silence-warning-if-config_lockdep-isn-t-set.patch
bugfix/all/perf-fix-event-ctx-locking.patch
bugfix/all/fbdev-color-map-copying-bounds-checking.patch
+bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
# ABI maintenance
debian/perf-hide-abi-change-in-3.2.30.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git