CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464)

2016-03-18 10:32:05 -04:00 · 2016-03-18 10:32:05 -04:00 · 4c948d6d0b
parent 62042830a6
commit 4c948d6d0b
2 changed files with 42 additions and 0 deletions
--- a/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
+++ b/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
@ -0,0 +1,38 @@
+From 0383ff3ba89d3e6c604138e3ba46685621d71f98 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Mon, 14 Mar 2016 10:02:51 -0400
+Subject: [PATCH] USB: input: powermate: fix oops with malicious USB
+ descriptors
+
+The powermate driver expects at least one valid USB endpoint in its
+probe function.  If given malicious descriptors that specify 0 for
+the number of endpoints, it will crash.  Validate the number of
+endpoints on the interface before using them.
+
+The full report for this issue can be found here:
+http://seclists.org/bugtraq/2016/Mar/85
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ drivers/input/misc/powermate.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
+index 63b539d3daba..84909a12ff36 100644
+--- a/drivers/input/misc/powermate.c
+++ b/drivers/input/misc/powermate.c
+@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
+ 	int error = -ENOMEM;
+ 
+ 	interface = intf->cur_altsetting;
+	if (interface->desc.bNumEndpoints < 1)
+		return -EINVAL;
+
+ 	endpoint = &interface->endpoint[0].desc;
+ 	if (!usb_endpoint_is_int_in(endpoint))
+ 		return -EIO;
+-- 
+2.5.0
+
--- a/kernel.spec
+++ b/kernel.spec
@ -634,6 +634,9 @@ Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
 #CVE-2016-3137 rhbz 1317010 1316996
 Patch672: cypress_m8-add-sanity-checking.patch

+#CVE-2016-2186 rhbz 1317015 1317464
+Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -2156,6 +2159,7 @@ fi
 # 
 %changelog
 * Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464)
 - CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996)
 - CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470)