rpms/kernel
8
2
Fork 6
Code Issues Pull Requests Releases Activity

CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467)

Browse Source
This commit is contained in:
Josh Boyer 2016-03-18 10:37:29 -04:00
parent 4c948d6d0b
commit 89cc46c010
2 changed files with 44 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch Normal file
View File

@ -0,0 +1,40 @@
From 3620ebad64a327113bed34edefd45c3605086fc6 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Mon, 14 Mar 2016 10:38:31 -0400
Subject: [PATCH] USB: iowarrior: fix oops with malicious USB descriptors
The iowarrior driver expects at least one valid endpoint. If given
malicious descriptors that specify 0 for the number of endpoints,
it will crash in the probe function. Ensure there is at least
one endpoint on the interface before using it.
The full report of this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/87
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
drivers/usb/misc/iowarrior.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index c6bfd13f6c92..1950e87b4219 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface,
iface_desc = interface->cur_altsetting;
dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
+ if (iface_desc->desc.bNumEndpoints < 1) {
+ dev_err(&interface->dev, "Invalid number of endpoints\n");
+ retval = -EINVAL;
+ goto error;
+ }
+
/* set up the endpoint information */
for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
endpoint = &iface_desc->endpoint[i].desc;
--
2.5.0

4
kernel.spec
View File

@ -637,6 +637,9 @@ Patch672: cypress_m8-add-sanity-checking.patch
#CVE-2016-2186 rhbz 1317015 1317464 #CVE-2016-2186 rhbz 1317015 1317464
Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
#CVE-2016-2188 rhbz 1317018 1317467
Patch674: USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch
# END OF PATCH DEFINITIONS # END OF PATCH DEFINITIONS
%endif %endif
@ -2159,6 +2162,7 @@ fi
# #
%changelog %changelog
* Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org> * Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467)
- CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464) - CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464)
- CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996) - CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996)
- CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470) - CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470)