Fix CVE-2017-16532 and CVE-2017-16538
This commit is contained in:
parent
b11936fbe1
commit
677b35776d
|
@ -0,0 +1,41 @@
|
|||
From 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Stern <stern@rowland.harvard.edu>
|
||||
Date: Fri, 29 Sep 2017 10:54:24 -0400
|
||||
Subject: [PATCH] usb: usbtest: fix NULL pointer dereference
|
||||
|
||||
If the usbtest driver encounters a device with an IN bulk endpoint but
|
||||
no OUT bulk endpoint, it will try to dereference a NULL pointer
|
||||
(out->desc.bEndpointAddress). The problem can be solved by adding a
|
||||
missing test.
|
||||
|
||||
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Tested-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
|
||||
---
|
||||
drivers/usb/misc/usbtest.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
|
||||
index 113e38bfe0ef..b3fc602b2e24 100644
|
||||
--- a/drivers/usb/misc/usbtest.c
|
||||
+++ b/drivers/usb/misc/usbtest.c
|
||||
@@ -202,12 +202,13 @@ get_endpoints(struct usbtest_dev *dev, struct usb_interface *intf)
|
||||
return tmp;
|
||||
}
|
||||
|
||||
- if (in) {
|
||||
+ if (in)
|
||||
dev->in_pipe = usb_rcvbulkpipe(udev,
|
||||
in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
|
||||
+ if (out)
|
||||
dev->out_pipe = usb_sndbulkpipe(udev,
|
||||
out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
|
||||
- }
|
||||
+
|
||||
if (iso_in) {
|
||||
dev->iso_in = &iso_in->desc;
|
||||
dev->in_iso_pipe = usb_rcvisocpipe(udev,
|
||||
--
|
||||
2.13.6
|
||||
|
|
@ -0,0 +1,166 @@
|
|||
From patchwork Tue Sep 26 21:10:20 2017
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: [1/2] media: dvb-usb-v2: lmedm04: Improve logic checking of warm
|
||||
start.
|
||||
From: Malcolm Priestley <tvboxspy@gmail.com>
|
||||
X-Patchwork-Id: 44566
|
||||
Message-Id: <20170926211021.11036-1-tvboxspy@gmail.com>
|
||||
To: linux-media@vger.kernel.org
|
||||
Cc: Andrey Konovalov <andreyknvl@google.com>,
|
||||
Malcolm Priestley <tvboxspy@gmail.com>
|
||||
Date: Tue, 26 Sep 2017 22:10:20 +0100
|
||||
|
||||
Warm start has no check as whether a genuine device has
|
||||
connected and proceeds to next execution path.
|
||||
|
||||
Check device should read 0x47 at offset of 2 on USB descriptor read
|
||||
and it is the amount requested of 6 bytes.
|
||||
|
||||
Fix for
|
||||
kasan: CONFIG_KASAN_INLINE enabled
|
||||
kasan: GPF could be caused by NULL-ptr deref or user memory access as
|
||||
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
|
||||
---
|
||||
drivers/media/usb/dvb-usb-v2/lmedm04.c | 26 ++++++++++++++++++--------
|
||||
1 file changed, 18 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
|
||||
index 5e320fa4a795..992f2011a6ba 100644
|
||||
--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
|
||||
+++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
|
||||
@@ -494,18 +494,23 @@ static int lme2510_pid_filter(struct dvb_usb_adapter *adap, int index, u16 pid,
|
||||
|
||||
static int lme2510_return_status(struct dvb_usb_device *d)
|
||||
{
|
||||
- int ret = 0;
|
||||
+ int ret;
|
||||
u8 *data;
|
||||
|
||||
- data = kzalloc(10, GFP_KERNEL);
|
||||
+ data = kzalloc(6, GFP_KERNEL);
|
||||
if (!data)
|
||||
return -ENOMEM;
|
||||
|
||||
- ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
|
||||
- 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
|
||||
- info("Firmware Status: %x (%x)", ret , data[2]);
|
||||
+ ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
|
||||
+ 0x06, 0x80, 0x0302, 0x00,
|
||||
+ data, 0x6, 200);
|
||||
+ if (ret != 6)
|
||||
+ ret = -EINVAL;
|
||||
+ else
|
||||
+ ret = data[2];
|
||||
+
|
||||
+ info("Firmware Status: %6ph", data);
|
||||
|
||||
- ret = (ret < 0) ? -ENODEV : data[2];
|
||||
kfree(data);
|
||||
return ret;
|
||||
}
|
||||
@@ -1189,6 +1194,7 @@ static int lme2510_get_adapter_count(struct dvb_usb_device *d)
|
||||
static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
|
||||
{
|
||||
struct lme2510_state *st = d->priv;
|
||||
+ int status;
|
||||
|
||||
usb_reset_configuration(d->udev);
|
||||
|
||||
@@ -1197,12 +1203,16 @@ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
|
||||
|
||||
st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
|
||||
|
||||
- if (lme2510_return_status(d) == 0x44) {
|
||||
+ status = lme2510_return_status(d);
|
||||
+ if (status == 0x44) {
|
||||
*name = lme_firmware_switch(d, 0);
|
||||
return COLD;
|
||||
}
|
||||
|
||||
- return 0;
|
||||
+ if (status != 0x47)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ return WARM;
|
||||
}
|
||||
|
||||
static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,
|
||||
From patchwork Tue Sep 26 21:10:21 2017
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: [2/2] media: dvb-usb-v2: lmedm04: move ts2020 attach to
|
||||
dm04_lme2510_tuner
|
||||
From: Malcolm Priestley <tvboxspy@gmail.com>
|
||||
X-Patchwork-Id: 44567
|
||||
Message-Id: <20170926211021.11036-2-tvboxspy@gmail.com>
|
||||
To: linux-media@vger.kernel.org
|
||||
Cc: Andrey Konovalov <andreyknvl@google.com>,
|
||||
Malcolm Priestley <tvboxspy@gmail.com>
|
||||
Date: Tue, 26 Sep 2017 22:10:21 +0100
|
||||
|
||||
When the tuner was split from m88rs2000 the attach function is in wrong
|
||||
place.
|
||||
|
||||
Move to dm04_lme2510_tuner to trap errors on failure and removing
|
||||
a call to lme_coldreset.
|
||||
|
||||
Prevents driver starting up without any tuner connected.
|
||||
|
||||
Fixes to trap for ts2020 fail.
|
||||
LME2510(C): FE Found M88RS2000
|
||||
ts2020: probe of 0-0060 failed with error -11
|
||||
...
|
||||
LME2510(C): TUN Found RS2000 tuner
|
||||
kasan: CONFIG_KASAN_INLINE enabled
|
||||
kasan: GPF could be caused by NULL-ptr deref or user memory access
|
||||
general protection fault: 0000 [#1] PREEMPT SMP KASAN
|
||||
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
|
||||
Tested-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
---
|
||||
drivers/media/usb/dvb-usb-v2/lmedm04.c | 13 ++++++-------
|
||||
1 file changed, 6 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
|
||||
index 992f2011a6ba..be26c029546b 100644
|
||||
--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
|
||||
+++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
|
||||
@@ -1076,8 +1076,6 @@ static int dm04_lme2510_frontend_attach(struct dvb_usb_adapter *adap)
|
||||
|
||||
if (adap->fe[0]) {
|
||||
info("FE Found M88RS2000");
|
||||
- dvb_attach(ts2020_attach, adap->fe[0], &ts2020_config,
|
||||
- &d->i2c_adap);
|
||||
st->i2c_tuner_gate_w = 5;
|
||||
st->i2c_tuner_gate_r = 5;
|
||||
st->i2c_tuner_addr = 0x60;
|
||||
@@ -1143,17 +1141,18 @@ static int dm04_lme2510_tuner(struct dvb_usb_adapter *adap)
|
||||
ret = st->tuner_config;
|
||||
break;
|
||||
case TUNER_RS2000:
|
||||
- ret = st->tuner_config;
|
||||
+ if (dvb_attach(ts2020_attach, adap->fe[0],
|
||||
+ &ts2020_config, &d->i2c_adap))
|
||||
+ ret = st->tuner_config;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
- if (ret)
|
||||
+ if (ret) {
|
||||
info("TUN Found %s tuner", tun_msg[ret]);
|
||||
- else {
|
||||
- info("TUN No tuner found --- resetting device");
|
||||
- lme_coldreset(d);
|
||||
+ } else {
|
||||
+ info("TUN No tuner found");
|
||||
return -ENODEV;
|
||||
}
|
||||
|
10
kernel.spec
10
kernel.spec
|
@ -694,6 +694,12 @@ Patch636: v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch
|
|||
# rhbz 1490803
|
||||
Patch637: 1-2-kvm-vmx-Reinstate-support-for-CPUs-without-virtual-NMI.patch
|
||||
|
||||
# CVE-2017-16532 rhbz 1510835 1510854
|
||||
Patch638: 0001-usb-usbtest-fix-NULL-pointer-dereference.patch
|
||||
|
||||
# CVE-2017-16538 rhbz 1510826 1510854
|
||||
Patch639: CVE-2017-16538.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -2268,6 +2274,10 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Nov 08 2017 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Fix CVE-2017-16532 (rhbz 1510835 1510854)
|
||||
- Fix CVE-2017-16538 (rhbz 1510826 1510854)
|
||||
|
||||
* Mon Nov 06 2017 Laura Abbott <labbott@redhat.com>
|
||||
- Patches for ThinkPad X1 Carbon Gen5 Touchpad (rhbz 1509461)
|
||||
- Fix for KVM regression on some machines (rhbz 1490803)
|
||||
|
|
Loading…
Reference in New Issue