CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467)
This commit is contained in:
Josh Boyer
parent
4c948d6d0b
commit
89cc46c010
|
|
@ -0,0 +1,40 @@
|
|||
From 3620ebad64a327113bed34edefd45c3605086fc6 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Mon, 14 Mar 2016 10:38:31 -0400
|
||||
Subject: [PATCH] USB: iowarrior: fix oops with malicious USB descriptors
|
||||
|
||||
The iowarrior driver expects at least one valid endpoint. If given
|
||||
malicious descriptors that specify 0 for the number of endpoints,
|
||||
it will crash in the probe function. Ensure there is at least
|
||||
one endpoint on the interface before using it.
|
||||
|
||||
The full report of this issue can be found here:
|
||||
http://seclists.org/bugtraq/2016/Mar/87
|
||||
|
||||
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||||
Cc: stable <stable@vger.kernel.org>
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
drivers/usb/misc/iowarrior.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
|
||||
index c6bfd13f6c92..1950e87b4219 100644
|
||||
--- a/drivers/usb/misc/iowarrior.c
|
||||
+++ b/drivers/usb/misc/iowarrior.c
|
||||
@@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface,
|
||||
iface_desc = interface->cur_altsetting;
|
||||
dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
|
||||
|
||||
+ if (iface_desc->desc.bNumEndpoints < 1) {
|
||||
+ dev_err(&interface->dev, "Invalid number of endpoints\n");
|
||||
+ retval = -EINVAL;
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
/* set up the endpoint information */
|
||||
for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
|
||||
endpoint = &iface_desc->endpoint[i].desc;
|
||||
--
|
||||
2.5.0
|
||||
|
||||
|
|
@ -637,6 +637,9 @@ Patch672: cypress_m8-add-sanity-checking.patch
|
|||
#CVE-2016-2186 rhbz 1317015 1317464
|
||||
Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
|
||||
|
||||
#CVE-2016-2188 rhbz 1317018 1317467
|
||||
Patch674: USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2159,6 +2162,7 @@ fi
|
|||
#
|
||||
%changelog
|
||||
* Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467)
|
||||
- CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464)
|
||||
- CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996)
|
||||
- CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470)
|
||||
|
|
|
|||
Loading…
Reference in New Issue