From 89cc46c010dd1dce193a4ffff039f473c7fe24be Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 18 Mar 2016 10:37:29 -0400 Subject: [PATCH] CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467) --- ...x-oops-with-malicious-USB-descriptor.patch | 40 +++++++++++++++++++ kernel.spec | 4 ++ 2 files changed, 44 insertions(+) create mode 100644 USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch diff --git a/USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch b/USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch new file mode 100644 index 000000000..7df3af2b1 --- /dev/null +++ b/USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch @@ -0,0 +1,40 @@ +From 3620ebad64a327113bed34edefd45c3605086fc6 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Mon, 14 Mar 2016 10:38:31 -0400 +Subject: [PATCH] USB: iowarrior: fix oops with malicious USB descriptors + +The iowarrior driver expects at least one valid endpoint. If given +malicious descriptors that specify 0 for the number of endpoints, +it will crash in the probe function. Ensure there is at least +one endpoint on the interface before using it. + +The full report of this issue can be found here: +http://seclists.org/bugtraq/2016/Mar/87 + +Reported-by: Ralf Spenneberg +Cc: stable +Signed-off-by: Josh Boyer +--- + drivers/usb/misc/iowarrior.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c +index c6bfd13f6c92..1950e87b4219 100644 +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface, + iface_desc = interface->cur_altsetting; + dev->product_id = le16_to_cpu(udev->descriptor.idProduct); + ++ if (iface_desc->desc.bNumEndpoints < 1) { ++ dev_err(&interface->dev, "Invalid number of endpoints\n"); ++ retval = -EINVAL; ++ goto error; ++ } ++ + /* set up the endpoint information */ + for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { + endpoint = &iface_desc->endpoint[i].desc; +-- +2.5.0 + diff --git a/kernel.spec b/kernel.spec index e6387ff52..ad92236f3 100644 --- a/kernel.spec +++ b/kernel.spec @@ -637,6 +637,9 @@ Patch672: cypress_m8-add-sanity-checking.patch #CVE-2016-2186 rhbz 1317015 1317464 Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch +#CVE-2016-2188 rhbz 1317018 1317467 +Patch674: USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch + # END OF PATCH DEFINITIONS %endif @@ -2159,6 +2162,7 @@ fi # %changelog * Fri Mar 18 2016 Josh Boyer +- CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467) - CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464) - CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996) - CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470)