CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464)

This commit is contained in:
Josh Boyer 2016-03-18 10:32:05 -04:00
parent 62042830a6
commit 4c948d6d0b
2 changed files with 42 additions and 0 deletions

View File

@ -0,0 +1,38 @@
From 0383ff3ba89d3e6c604138e3ba46685621d71f98 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Mon, 14 Mar 2016 10:02:51 -0400
Subject: [PATCH] USB: input: powermate: fix oops with malicious USB
descriptors
The powermate driver expects at least one valid USB endpoint in its
probe function. If given malicious descriptors that specify 0 for
the number of endpoints, it will crash. Validate the number of
endpoints on the interface before using them.
The full report for this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/85
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
drivers/input/misc/powermate.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
index 63b539d3daba..84909a12ff36 100644
--- a/drivers/input/misc/powermate.c
+++ b/drivers/input/misc/powermate.c
@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
int error = -ENOMEM;
interface = intf->cur_altsetting;
+ if (interface->desc.bNumEndpoints < 1)
+ return -EINVAL;
+
endpoint = &interface->endpoint[0].desc;
if (!usb_endpoint_is_int_in(endpoint))
return -EIO;
--
2.5.0

View File

@ -634,6 +634,9 @@ Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
#CVE-2016-3137 rhbz 1317010 1316996
Patch672: cypress_m8-add-sanity-checking.patch
#CVE-2016-2186 rhbz 1317015 1317464
Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
# END OF PATCH DEFINITIONS
%endif
@ -2156,6 +2159,7 @@ fi
#
%changelog
* Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464)
- CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996)
- CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470)