From d903d2103477ba62e1e3785ded8fb8b0e5565d2c Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 1 Dec 2015 15:03:20 -0500 Subject: [PATCH] CVE-2015-7515 aiptek: crash on invalid device descriptors (rhbz 1285326 1285331) --- ...-crash-on-detecting-device-without-e.patch | 48 +++++++++++++++++++ kernel.spec | 4 ++ 2 files changed, 52 insertions(+) create mode 100644 Input-aiptek-fix-crash-on-detecting-device-without-e.patch diff --git a/Input-aiptek-fix-crash-on-detecting-device-without-e.patch b/Input-aiptek-fix-crash-on-detecting-device-without-e.patch new file mode 100644 index 000000000..19dbaa343 --- /dev/null +++ b/Input-aiptek-fix-crash-on-detecting-device-without-e.patch @@ -0,0 +1,48 @@ +From a0edc539fda3f0a4a271f47a0fcf79d1305c1444 Mon Sep 17 00:00:00 2001 +From: Vladis Dronov +Date: Wed, 25 Nov 2015 16:31:35 +0100 +Subject: [PATCH] Input: aiptek: fix crash on detecting device without + endpoints + +The aiptek driver crashes in aiptek_probe() when a specially crafted usb device +without endpoints is detected. This fix adds a check that the device has proper +configuration expected by the driver. Also an error return value is changed to +more matching one in one of the error paths. + +Reported-by: Ralf Spenneberg +Signed-off-by: Vladis Dronov +--- + drivers/input/tablet/aiptek.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aiptek.c +index e7f966da6efa..78c0732fbb57 100644 +--- a/drivers/input/tablet/aiptek.c ++++ b/drivers/input/tablet/aiptek.c +@@ -1819,6 +1819,15 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id) + input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_MAX, 0, 0); + input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0); + ++ /* Verify that a device really has an endpoint ++ */ ++ if (intf->altsetting[0].desc.bNumEndpoints < 1) { ++ dev_warn(&intf->dev, ++ "interface has %d endpoints, but must have minimum 1\n", ++ intf->altsetting[0].desc.bNumEndpoints); ++ err = -ENODEV; ++ goto fail3; ++ } + endpoint = &intf->altsetting[0].endpoint[0].desc; + + /* Go set up our URB, which is called when the tablet receives +@@ -1861,6 +1870,7 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id) + if (i == ARRAY_SIZE(speeds)) { + dev_info(&intf->dev, + "Aiptek tried all speeds, no sane response\n"); ++ err = -ENODEV; + goto fail3; + } + +-- +2.5.0 + diff --git a/kernel.spec b/kernel.spec index 1b8d7faae..283320b83 100644 --- a/kernel.spec +++ b/kernel.spec @@ -594,6 +594,9 @@ Patch512: 0001-cgroup-make-css_set-pin-its-css-s-to-avoid-use-afer-.patch #CVE-2015-7833 rhbz 1270158 1270160 Patch567: usbvision-fix-crash-on-detecting-device-with-invalid.patch +#CVE-2015-7515 rhbz 1285326 1285331 +Patch568: Input-aiptek-fix-crash-on-detecting-device-without-e.patch + # END OF PATCH DEFINITIONS %endif @@ -2038,6 +2041,7 @@ fi # %changelog * Tue Dec 01 2015 Josh Boyer +- CVE-2015-7515 aiptek: crash on invalid device descriptors (rhbz 1285326 1285331) - CVE-2015-7833 usbvision: crash on invalid device descriptors (rhbz 1270158 1270160) * Tue Dec 01 2015 Laura Abbott - 4.4.0-0.rc3.git1.1