CVE-2015-7515 aiptek: crash on invalid device descriptors (rhbz 1285326 1285331)
This commit is contained in:
Josh Boyer
parent
45bb62e168
commit
d903d21034
48
Input-aiptek-fix-crash-on-detecting-device-without-e.patch
Normal file
48
Input-aiptek-fix-crash-on-detecting-device-without-e.patch
Normal file
@ -0,0 +1,48 @@
|
||||
From a0edc539fda3f0a4a271f47a0fcf79d1305c1444 Mon Sep 17 00:00:00 2001
|
||||
From: Vladis Dronov <vdronov@redhat.com>
|
||||
Date: Wed, 25 Nov 2015 16:31:35 +0100
|
||||
Subject: [PATCH] Input: aiptek: fix crash on detecting device without
|
||||
endpoints
|
||||
|
||||
The aiptek driver crashes in aiptek_probe() when a specially crafted usb device
|
||||
without endpoints is detected. This fix adds a check that the device has proper
|
||||
configuration expected by the driver. Also an error return value is changed to
|
||||
more matching one in one of the error paths.
|
||||
|
||||
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||||
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
|
||||
---
|
||||
drivers/input/tablet/aiptek.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aiptek.c
|
||||
index e7f966da6efa..78c0732fbb57 100644
|
||||
--- a/drivers/input/tablet/aiptek.c
|
||||
+++ b/drivers/input/tablet/aiptek.c
|
||||
@@ -1819,6 +1819,15 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id)
|
||||
input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_MAX, 0, 0);
|
||||
input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
|
||||
|
||||
+ /* Verify that a device really has an endpoint
|
||||
+ */
|
||||
+ if (intf->altsetting[0].desc.bNumEndpoints < 1) {
|
||||
+ dev_warn(&intf->dev,
|
||||
+ "interface has %d endpoints, but must have minimum 1\n",
|
||||
+ intf->altsetting[0].desc.bNumEndpoints);
|
||||
+ err = -ENODEV;
|
||||
+ goto fail3;
|
||||
+ }
|
||||
endpoint = &intf->altsetting[0].endpoint[0].desc;
|
||||
|
||||
/* Go set up our URB, which is called when the tablet receives
|
||||
@@ -1861,6 +1870,7 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id)
|
||||
if (i == ARRAY_SIZE(speeds)) {
|
||||
dev_info(&intf->dev,
|
||||
"Aiptek tried all speeds, no sane response\n");
|
||||
+ err = -ENODEV;
|
||||
goto fail3;
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
||||
@ -594,6 +594,9 @@ Patch512: 0001-cgroup-make-css_set-pin-its-css-s-to-avoid-use-afer-.patch
|
||||
#CVE-2015-7833 rhbz 1270158 1270160
|
||||
Patch567: usbvision-fix-crash-on-detecting-device-with-invalid.patch
|
||||
|
||||
#CVE-2015-7515 rhbz 1285326 1285331
|
||||
Patch568: Input-aiptek-fix-crash-on-detecting-device-without-e.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
@ -2038,6 +2041,7 @@ fi
|
||||
#
|
||||
%changelog
|
||||
* Tue Dec 01 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2015-7515 aiptek: crash on invalid device descriptors (rhbz 1285326 1285331)
|
||||
- CVE-2015-7833 usbvision: crash on invalid device descriptors (rhbz 1270158 1270160)
|
||||
|
||||
* Tue Dec 01 2015 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc3.git1.1
|
||||
|
||||
Loading…
Reference in New Issue
Block a user