CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996)
This commit is contained in:
Josh Boyer
parent
d6943d1d0b
commit
62042830a6
50
cypress_m8-add-sanity-checking.patch
Normal file
50
cypress_m8-add-sanity-checking.patch
Normal file
@ -0,0 +1,50 @@
|
||||
From f7a3aa353011e38e119adebd845b38551587a26a Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: Thu, 17 Mar 2016 16:25:33 +0100
|
||||
Subject: [PATCH] cypress_m8: add sanity checking
|
||||
|
||||
An attack using missing endpoints exists.
|
||||
CVE-2016-3137
|
||||
|
||||
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
|
||||
CC: stable@vger.kernel.org
|
||||
|
||||
v1 - add sanity check
|
||||
v2 - add error logging
|
||||
v3 - correct error message
|
||||
---
|
||||
drivers/usb/serial/cypress_m8.c | 11 +++++------
|
||||
1 file changed, 5 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
|
||||
index 01bf53392819..5e25443fe4ef 100644
|
||||
--- a/drivers/usb/serial/cypress_m8.c
|
||||
+++ b/drivers/usb/serial/cypress_m8.c
|
||||
@@ -447,6 +447,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port)
|
||||
struct usb_serial *serial = port->serial;
|
||||
struct cypress_private *priv;
|
||||
|
||||
+ if (!port->interrupt_out_urb || !port->interrupt_in_urb) {
|
||||
+ dev_err(&port->dev, "A required endpoint is missing\n");
|
||||
+ return -ENODEV;
|
||||
+ }
|
||||
+
|
||||
priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
|
||||
if (!priv)
|
||||
return -ENOMEM;
|
||||
@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port)
|
||||
cypress_set_termios(tty, port, &priv->tmp_termios);
|
||||
|
||||
/* setup the port and start reading from the device */
|
||||
- if (!port->interrupt_in_urb) {
|
||||
- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n",
|
||||
- __func__);
|
||||
- return -1;
|
||||
- }
|
||||
-
|
||||
usb_fill_int_urb(port->interrupt_in_urb, serial->dev,
|
||||
usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress),
|
||||
port->interrupt_in_urb->transfer_buffer,
|
||||
--
|
||||
2.5.0
|
||||
|
||||
@ -631,6 +631,9 @@ Patch668: x86-tsc-Prevent-NULL-pointer-deref-in-calibrate_dela.patch
|
||||
Patch670: ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
|
||||
Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
|
||||
|
||||
#CVE-2016-3137 rhbz 1317010 1316996
|
||||
Patch672: cypress_m8-add-sanity-checking.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
@ -2153,6 +2156,7 @@ fi
|
||||
#
|
||||
%changelog
|
||||
* Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996)
|
||||
- CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470)
|
||||
|
||||
* Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git8.1
|
||||
|
||||
Loading…
Reference in New Issue
Block a user