ngompa/kernel-rpm
1
0
Fork 0
forked from rpms/kernel
Code Pull Requests Activity

CVE-2015-7515 aiptek: crash on invalid device descriptors (rhbz 1285326 1285331)

Browse Source
This commit is contained in:
Josh Boyer 2015-12-01 15:03:20 -05:00
parent 45bb62e168
commit d903d21034
2 changed files with 52 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
Input-aiptek-fix-crash-on-detecting-device-without-e.patch Normal file
View File

@ -0,0 +1,48 @@
From a0edc539fda3f0a4a271f47a0fcf79d1305c1444 Mon Sep 17 00:00:00 2001
From: Vladis Dronov <vdronov@redhat.com>
Date: Wed, 25 Nov 2015 16:31:35 +0100
Subject: [PATCH] Input: aiptek: fix crash on detecting device without
endpoints
The aiptek driver crashes in aiptek_probe() when a specially crafted usb device
without endpoints is detected. This fix adds a check that the device has proper
configuration expected by the driver. Also an error return value is changed to
more matching one in one of the error paths.
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
---
drivers/input/tablet/aiptek.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aiptek.c
index e7f966da6efa..78c0732fbb57 100644
--- a/drivers/input/tablet/aiptek.c
+++ b/drivers/input/tablet/aiptek.c
@@ -1819,6 +1819,15 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id)
input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_MAX, 0, 0);
input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
+ /* Verify that a device really has an endpoint
+ */
+ if (intf->altsetting[0].desc.bNumEndpoints < 1) {
+ dev_warn(&intf->dev,
+ "interface has %d endpoints, but must have minimum 1\n",
+ intf->altsetting[0].desc.bNumEndpoints);
+ err = -ENODEV;
+ goto fail3;
+ }
endpoint = &intf->altsetting[0].endpoint[0].desc;
/* Go set up our URB, which is called when the tablet receives
@@ -1861,6 +1870,7 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id)
if (i == ARRAY_SIZE(speeds)) {
dev_info(&intf->dev,
"Aiptek tried all speeds, no sane response\n");
+ err = -ENODEV;
goto fail3;
}
--
2.5.0

4
kernel.spec
View File

@ -594,6 +594,9 @@ Patch512: 0001-cgroup-make-css_set-pin-its-css-s-to-avoid-use-afer-.patch
#CVE-2015-7833 rhbz 1270158 1270160 #CVE-2015-7833 rhbz 1270158 1270160
Patch567: usbvision-fix-crash-on-detecting-device-with-invalid.patch Patch567: usbvision-fix-crash-on-detecting-device-with-invalid.patch
#CVE-2015-7515 rhbz 1285326 1285331
Patch568: Input-aiptek-fix-crash-on-detecting-device-without-e.patch
# END OF PATCH DEFINITIONS # END OF PATCH DEFINITIONS
%endif %endif
@ -2038,6 +2041,7 @@ fi
# #
%changelog %changelog
* Tue Dec 01 2015 Josh Boyer <jwboyer@fedoraproject.org> * Tue Dec 01 2015 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2015-7515 aiptek: crash on invalid device descriptors (rhbz 1285326 1285331)
- CVE-2015-7833 usbvision: crash on invalid device descriptors (rhbz 1270158 1270160) - CVE-2015-7833 usbvision: crash on invalid device descriptors (rhbz 1270158 1270160)
* Tue Dec 01 2015 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc3.git1.1 * Tue Dec 01 2015 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc3.git1.1