CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464)
This commit is contained in:
Josh Boyer
parent
62042830a6
commit
4c948d6d0b
38
USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
Normal file
38
USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From 0383ff3ba89d3e6c604138e3ba46685621d71f98 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Mon, 14 Mar 2016 10:02:51 -0400
|
||||
Subject: [PATCH] USB: input: powermate: fix oops with malicious USB
|
||||
descriptors
|
||||
|
||||
The powermate driver expects at least one valid USB endpoint in its
|
||||
probe function. If given malicious descriptors that specify 0 for
|
||||
the number of endpoints, it will crash. Validate the number of
|
||||
endpoints on the interface before using them.
|
||||
|
||||
The full report for this issue can be found here:
|
||||
http://seclists.org/bugtraq/2016/Mar/85
|
||||
|
||||
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||||
Cc: stable <stable@vger.kernel.org>
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
drivers/input/misc/powermate.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
|
||||
index 63b539d3daba..84909a12ff36 100644
|
||||
--- a/drivers/input/misc/powermate.c
|
||||
+++ b/drivers/input/misc/powermate.c
|
||||
@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
|
||||
int error = -ENOMEM;
|
||||
|
||||
interface = intf->cur_altsetting;
|
||||
+ if (interface->desc.bNumEndpoints < 1)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
endpoint = &interface->endpoint[0].desc;
|
||||
if (!usb_endpoint_is_int_in(endpoint))
|
||||
return -EIO;
|
||||
--
|
||||
2.5.0
|
||||
|
||||
@ -634,6 +634,9 @@ Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
|
||||
#CVE-2016-3137 rhbz 1317010 1316996
|
||||
Patch672: cypress_m8-add-sanity-checking.patch
|
||||
|
||||
#CVE-2016-2186 rhbz 1317015 1317464
|
||||
Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
@ -2156,6 +2159,7 @@ fi
|
||||
#
|
||||
%changelog
|
||||
* Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464)
|
||||
- CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996)
|
||||
- CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user