diff --git a/input-gtco-fix-crash-on-detecting-device-without-end.patch b/input-gtco-fix-crash-on-detecting-device-without-end.patch new file mode 100644 index 000000000..849f607a5 --- /dev/null +++ b/input-gtco-fix-crash-on-detecting-device-without-end.patch @@ -0,0 +1,49 @@ +Subject: [PATCH] Input: gtco: fix crash on detecting device without endpoints +From: Vladis Dronov +Date: 2016-03-18 18:35:00 + +The gtco driver expects at least one valid endpoint. If given +malicious descriptors that specify 0 for the number of endpoints, +it will crash in the probe function. Ensure there is at least +one endpoint on the interface before using it. Fix minor coding +style issue. + +The full report of this issue can be found here: +http://seclists.org/bugtraq/2016/Mar/86 + +Reported-by: Ralf Spenneberg +Signed-off-by: Vladis Dronov +--- + drivers/input/tablet/gtco.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c +index 3a7f3a4..7c18249 100644 +--- a/drivers/input/tablet/gtco.c ++++ b/drivers/input/tablet/gtco.c +@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface, + goto err_free_buf; + } + ++ /* Sanity check that a device has an endpoint */ ++ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { ++ dev_err(&usbinterface->dev, ++ "Invalid number of endpoints\n"); ++ error = -EINVAL; ++ goto err_free_urb; ++ } ++ + /* + * The endpoint is always altsetting 0, we know this since we know + * this device only has one interrupt endpoint +@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface, + * HID report descriptor + */ + if (usb_get_extra_descriptor(usbinterface->cur_altsetting, +- HID_DEVICE_TYPE, &hid_desc) != 0){ ++ HID_DEVICE_TYPE, &hid_desc) != 0) { + dev_err(&usbinterface->dev, + "Can't retrieve exta USB descriptor to get hid report descriptor length\n"); + error = -EIO; +-- +2.5.0 diff --git a/kernel.spec b/kernel.spec index c8b51ee2d..8b279cffc 100644 --- a/kernel.spec +++ b/kernel.spec @@ -638,6 +638,9 @@ Patch684: thermal-fix.patch #rhbz 1318079 Patch685: 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch +#CVE-2016-2187 rhbz 1317017 1317010 +Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch + # END OF PATCH DEFINITIONS %endif @@ -2160,6 +2163,9 @@ fi # # %changelog +* Tue Mar 22 2016 Josh Boyer +- CVE-2016-2187 gtco: oops on invalid USB descriptors (rhbz 1317017 1317010) + * Tue Mar 22 2016 Josh Boyer - 4.6.0-0.rc0.git19.1 - Linux v4.5-11118-g968f3e374faf - btrfs, mmc, md merges