CVE-2016-3136 mct_u232: oops on invalid USB descriptors (rhbz 1317007 1317010)
This commit is contained in:
Josh Boyer
parent
e1aff3fede
commit
a01e1aa804
|
|
@ -641,6 +641,9 @@ Patch685: 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch
|
|||
#CVE-2016-2187 rhbz 1317017 1317010
|
||||
Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch
|
||||
|
||||
#CVE-2016-3136 rhbz 1317007 1317010
|
||||
Patch687: mct_u232-sanity-checking-in-probe.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2164,6 +2167,7 @@ fi
|
|||
#
|
||||
%changelog
|
||||
* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-3136 mct_u232: oops on invalid USB descriptors (rhbz 1317007 1317010)
|
||||
- CVE-2016-2187 gtco: oops on invalid USB descriptors (rhbz 1317017 1317010)
|
||||
|
||||
* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git19.1
|
||||
|
|
|
|||
|
|
@ -0,0 +1,35 @@
|
|||
Subject: [PATCH v2] mct_u232: sanity checking in probe
|
||||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: 2016-03-21 13:14:37
|
||||
|
||||
An attack using the lack of sanity checking in probe
|
||||
is known. This patch checks for the existance of a
|
||||
second port.
|
||||
CVE-2016-3136
|
||||
|
||||
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
|
||||
CC: stable@vger.kernel.org
|
||||
|
||||
v1 - add sanity check for presence of a second port
|
||||
v2 - add sanity check for an interrupt endpoint
|
||||
---
|
||||
drivers/usb/serial/mct_u232.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
|
||||
index 4446b8d..3e64538 100644
|
||||
--- a/drivers/usb/serial/mct_u232.c
|
||||
+++ b/drivers/usb/serial/mct_u232.c
|
||||
@@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
|
||||
{
|
||||
struct mct_u232_private *priv;
|
||||
|
||||
+ /* check first to simplify error handling */
|
||||
+ if (!port->serial->port[1] || !port->serial->port[1]->interrupt_in_urb)
|
||||
+ return -ENODEV;
|
||||
+
|
||||
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
|
||||
if (!priv)
|
||||
return -ENOMEM;
|
||||
--
|
||||
2.1.4
|
||||
Loading…
Reference in New Issue