Add another patch for CVE-2016-2185
parent
62d5948052
commit
4d5b4fb36b
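--- /dev/null
+++ b/Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch
@@ -0,0 +1,107 @@
+From 0f8536022831faaba3a952fa633902d9686f535f Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Wed, 23 Mar 2016 15:53:07 -0400
+Subject: [PATCH] Input: ati_remote2: fix crashes on detecting device with
+invalid descriptor
+
+The ati_remote2 driver expects at least two interfaces with one
+endpoint each. If given malicious descriptor that specify one
+interface or no endpoints, it will crash in the probe function.
+Ensure there is at least two interfaces and one endpoint for each
+interface before using it.
+
+The full disclosure: http://seclists.org/bugtraq/2016/Mar/90
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+---
+drivers/input/misc/ati_remote2.c | 36 ++++++++++++++++++++++++++++++------
+1 file changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c
+index cfd58e87da26..cf5d1e8d92c7 100644
+--- a/drivers/input/misc/ati_remote2.c
++++ b/drivers/input/misc/ati_remote2.c
+@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
+
+ar2->udev = udev;
+
++ /* Sanity check, first interface must have an endpoint */
++ if ((alt->desc.bNumEndpoints < 1) || !alt->endpoint) {
++ dev_err(&interface->dev,
++ "%s(): interface 0 must have an endpoint\n", __func__);
++ r = -ENODEV;
++ goto fail1;
++ }
+ar2->intf[0] = interface;
+ar2->ep[0] = &alt->endpoint[0].desc;
+
++ /* Sanity check, the device must have two interfaces */
+ar2->intf[1] = usb_ifnum_to_if(udev, 1);
++ if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) {
++ dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n",
++ __func__, udev->actconfig->desc.bNumInterfaces);
++ r = -ENODEV;
++ goto fail1;
++ }
++
+r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2);
+if (r)
+goto fail1;
++
++ /* Sanity check, second interface must have an endpoint */
+alt = ar2->intf[1]->cur_altsetting;
++ if ((alt->desc.bNumEndpoints < 1) || !alt->endpoint) {
++ dev_err(&interface->dev,
++ "%s(): interface 1 must have an endpoint\n", __func__);
++ r = -ENODEV;
++ goto fail2;
++ }
+ar2->ep[1] = &alt->endpoint[0].desc;
+
+r = ati_remote2_urb_init(ar2);
+if (r)
+- goto fail2;
++ goto fail3;
+
+ar2->channel_mask = channel_mask;
+ar2->mode_mask = mode_mask;
+
+r = ati_remote2_setup(ar2, ar2->channel_mask);
+if (r)
+- goto fail2;
++ goto fail3;
+
+usb_make_path(udev, ar2->phys, sizeof(ar2->phys));
+strlcat(ar2->phys, "/input0", sizeof(ar2->phys));
+@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
+
+r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group);
+if (r)
+- goto fail2;
++ goto fail3;
+
+r = ati_remote2_input_init(ar2);
+if (r)
+- goto fail3;
++ goto fail4;
+
+usb_set_intfdata(interface, ar2);
+
+@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
+
+return 0;
+
+- fail3:
++ fail4:
+sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group);
+- fail2:
++ fail3:
+ati_remote2_urb_cleanup(ar2);
++ fail2:
+usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]);
+fail1:
+kfree(ar2);
+--
+2.5.0
+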
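Review bot: The added checks in ati_remote2_probe() only confirm that each interface has at least one endpoint; nothing in the hunk verifies that `alt->endpoint[0]` is an interrupt-IN endpoint before its descriptor is stored in `ar2->ep[0]` and `ar2->ep[1]`. ati_remote2_urb_init() is outside the hunk, but if it builds interrupt URBs from these descriptors, as the driver's purpose suggests, a device with a mismatched endpoint type or direction would still get past probe. Consider extending each endpoint check with the type test, e.g. `if (alt->desc.bNumEndpoints < 1 || !alt->endpoint || !usb_endpoint_is_int_in(&alt->endpoint[0].desc))`, keeping `goto fail1` for interface 0 and `goto fail2` for interface 1. The probe function starts and ends outside the visible hunks, so the `alt` assignment for interface 0 and the final return path cannot be checked here.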
@ -620,6 +620,9 @@ Patch668: x86-tsc-Prevent-NULL-pointer-deref-in-calibrate_dela.patch
|
|||||||
#CVE-2016-3137 rhbz 1317010 1316996
|
#CVE-2016-3137 rhbz 1317010 1316996
|
||||||
Patch672: cypress_m8-add-sanity-checking.patch
|
Patch672: cypress_m8-add-sanity-checking.patch
|
||||||
|
|
||||||
|
#CVE-2016-2185 rhbz 1317014 1317471
|
||||||
|
Patch669: Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch
|
||||||
|
|
||||||
#CVE-2016-3140 rhbz 1317010 1316995
|
#CVE-2016-3140 rhbz 1317010 1316995
|
||||||
Patch677: digi_acceleport-do-sanity-checking-for-the-number-of.patch
|
Patch677: digi_acceleport-do-sanity-checking-for-the-number-of.patch
|
||||||
|
|
||||||
|