forked from rpms/kernel
CVE-2016-2187 gtco: oops on invalid USB descriptors (rhbz 1317017 1317010)
This commit is contained in:
Josh Boyer
parent
12fb1ce4b0
commit
e1aff3fede
49
input-gtco-fix-crash-on-detecting-device-without-end.patch
Normal file
49
input-gtco-fix-crash-on-detecting-device-without-end.patch
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
Subject: [PATCH] Input: gtco: fix crash on detecting device without endpoints
|
||||||
|
From: Vladis Dronov <vdronov@redhat.com>
|
||||||
|
Date: 2016-03-18 18:35:00
|
||||||
|
|
||||||
|
The gtco driver expects at least one valid endpoint. If given
|
||||||
|
malicious descriptors that specify 0 for the number of endpoints,
|
||||||
|
it will crash in the probe function. Ensure there is at least
|
||||||
|
one endpoint on the interface before using it. Fix minor coding
|
||||||
|
style issue.
|
||||||
|
|
||||||
|
The full report of this issue can be found here:
|
||||||
|
http://seclists.org/bugtraq/2016/Mar/86
|
||||||
|
|
||||||
|
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||||||
|
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
|
||||||
|
---
|
||||||
|
drivers/input/tablet/gtco.c | 10 +++++++++-
|
||||||
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
|
||||||
|
index 3a7f3a4..7c18249 100644
|
||||||
|
--- a/drivers/input/tablet/gtco.c
|
||||||
|
+++ b/drivers/input/tablet/gtco.c
|
||||||
|
@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface,
|
||||||
|
goto err_free_buf;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Sanity check that a device has an endpoint */
|
||||||
|
+ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
|
||||||
|
+ dev_err(&usbinterface->dev,
|
||||||
|
+ "Invalid number of endpoints\n");
|
||||||
|
+ error = -EINVAL;
|
||||||
|
+ goto err_free_urb;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* The endpoint is always altsetting 0, we know this since we know
|
||||||
|
* this device only has one interrupt endpoint
|
||||||
|
@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface,
|
||||||
|
* HID report descriptor
|
||||||
|
*/
|
||||||
|
if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
|
||||||
|
- HID_DEVICE_TYPE, &hid_desc) != 0){
|
||||||
|
+ HID_DEVICE_TYPE, &hid_desc) != 0) {
|
||||||
|
dev_err(&usbinterface->dev,
|
||||||
|
"Can't retrieve exta USB descriptor to get hid report descriptor length\n");
|
||||||
|
error = -EIO;
|
||||||
|
--
|
||||||
|
2.5.0
|
||||||
@ -638,6 +638,9 @@ Patch684: thermal-fix.patch
|
|||||||
#rhbz 1318079
|
#rhbz 1318079
|
||||||
Patch685: 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch
|
Patch685: 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch
|
||||||
|
|
||||||
|
#CVE-2016-2187 rhbz 1317017 1317010
|
||||||
|
Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -2160,6 +2163,9 @@ fi
|
|||||||
#
|
#
|
||||||
#
|
#
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
|
- CVE-2016-2187 gtco: oops on invalid USB descriptors (rhbz 1317017 1317010)
|
||||||
|
|
||||||
* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git19.1
|
* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git19.1
|
||||||
- Linux v4.5-11118-g968f3e374faf
|
- Linux v4.5-11118-g968f3e374faf
|
||||||
- btrfs, mmc, md merges
|
- btrfs, mmc, md merges
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user