CVE-2016-3138 cdc_acm: oops on invalid USB descriptors (rhbz 1317010 1316204)

cdc-acm-more-sanity-checking.patch

@@ -0,0 +1,33 @@
+From e6a87f147002fa16adcbafebbc458ff90a463474 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 15 Mar 2016 10:14:04 +0100
+Subject: [PATCH] cdc-acm: more sanity checking
+
+An attack has become available which pretends to be a quirky
+device circumventing normal sanity checks and crashes the kernel
+by an insufficient number of interfaces. This patch adds a check
+to the code path for quirky devices.
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+CC: stable@vger.kernel.org
+---
+ drivers/usb/class/cdc-acm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index 26ca4f910cb0..a7732f80a912 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1113,6 +1113,9 @@ static int acm_probe(struct usb_interface *intf,
+ 	if (quirks == NO_UNION_NORMAL) {
+ 		data_interface = usb_ifnum_to_if(usb_dev, 1);
+ 		control_interface = usb_ifnum_to_if(usb_dev, 0);
++		/* we would crash */
++		if (!data_interface || !control_interface)
++			return -ENODEV;
+ 		goto skip_normal_probe;
+ 	}
+ 
+-- 
+2.5.0
+

kernel.spec

@@ -643,6 +643,9 @@ Patch674: USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch
 #CVE-2016-2185 rhbz 1317014 1317471
 Patch675: usb_driver_claim_interface-add-sanity-checking.patch
 
+#CVE-2016-3138 rhbz 1317010 1316204
+Patch676: cdc-acm-more-sanity-checking.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2165,6 +2168,7 @@ fi
 # 
 %changelog
 * Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-3138 cdc_acm: oops on invalid USB descriptors (rhbz 1317010 1316204)
 - CVE-2016-2185 ati_remote2: oops on invalid USB descriptors (rhbz 1317014 1317471)
 - CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467)
 - CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464)