rpms/kernel
9
2
Fork 4
Code Issues Pull Requests Releases Activity

CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996)

Browse Source
This commit is contained in:
Josh Boyer 2016-03-18 10:20:51 -04:00
parent d6943d1d0b
commit 62042830a6
2 changed files with 54 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
cypress_m8-add-sanity-checking.patch Normal file
View File

@ -0,0 +1,50 @@
From f7a3aa353011e38e119adebd845b38551587a26a Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Thu, 17 Mar 2016 16:25:33 +0100
Subject: [PATCH] cypress_m8: add sanity checking
An attack using missing endpoints exists.
CVE-2016-3137
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
v1 - add sanity check
v2 - add error logging
v3 - correct error message
---
drivers/usb/serial/cypress_m8.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
index 01bf53392819..5e25443fe4ef 100644
--- a/drivers/usb/serial/cypress_m8.c
+++ b/drivers/usb/serial/cypress_m8.c
@@ -447,6 +447,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port)
struct usb_serial *serial = port->serial;
struct cypress_private *priv;
+ if (!port->interrupt_out_urb || !port->interrupt_in_urb) {
+ dev_err(&port->dev, "A required endpoint is missing\n");
+ return -ENODEV;
+ }
+
priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
if (!priv)
return -ENOMEM;
@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port)
cypress_set_termios(tty, port, &priv->tmp_termios);
/* setup the port and start reading from the device */
- if (!port->interrupt_in_urb) {
- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n",
- __func__);
- return -1;
- }
-
usb_fill_int_urb(port->interrupt_in_urb, serial->dev,
usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress),
port->interrupt_in_urb->transfer_buffer,
--
2.5.0

4
kernel.spec
View File

@ -631,6 +631,9 @@ Patch668: x86-tsc-Prevent-NULL-pointer-deref-in-calibrate_dela.patch
Patch670: ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch Patch670: ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
#CVE-2016-3137 rhbz 1317010 1316996
Patch672: cypress_m8-add-sanity-checking.patch
# END OF PATCH DEFINITIONS # END OF PATCH DEFINITIONS
%endif %endif
@ -2153,6 +2156,7 @@ fi
# #
%changelog %changelog
* Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org> * Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996)
- CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470) - CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470)
* Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git8.1 * Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git8.1