diff --git a/ims-pcu-sanity-check-against-missing-interfaces.patch b/ims-pcu-sanity-check-against-missing-interfaces.patch new file mode 100644 index 000000000..827a2b7ee --- /dev/null +++ b/ims-pcu-sanity-check-against-missing-interfaces.patch @@ -0,0 +1,39 @@ +From a4200b7eb26271108586d3a7cf34a2f16d460e48 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 17 Mar 2016 15:10:47 +0100 +Subject: [PATCH] ims-pcu: sanity check against missing interfaces + +A malicious device missing interface can make the driver oops. +Add sanity checking. + +Signed-off-by: Oliver Neukum +CC: stable@vger.kernel.org +--- + drivers/input/misc/ims-pcu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c +index ac1fa5f44580..9c0ea36913b4 100644 +--- a/drivers/input/misc/ims-pcu.c ++++ b/drivers/input/misc/ims-pcu.c +@@ -1663,6 +1663,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc + + pcu->ctrl_intf = usb_ifnum_to_if(pcu->udev, + union_desc->bMasterInterface0); ++ if (!pcu->ctrl_intf) ++ return -EINVAL; + + alt = pcu->ctrl_intf->cur_altsetting; + pcu->ep_ctrl = &alt->endpoint[0].desc; +@@ -1670,6 +1672,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc + + pcu->data_intf = usb_ifnum_to_if(pcu->udev, + union_desc->bSlaveInterface0); ++ if (!pcu->data_intf) ++ return -EINVAL; + + alt = pcu->data_intf->cur_altsetting; + if (alt->desc.bNumEndpoints != 2) { +-- +2.5.0 + diff --git a/kernel.spec b/kernel.spec index 197f9e1e5..5646e215a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -649,6 +649,8 @@ Patch676: cdc-acm-more-sanity-checking.patch #CVE-2016-3140 rhbz 1317010 1316995 Patch677: digi_acceleport-do-sanity-checking-for-the-number-of.patch +Patch678: ims-pcu-sanity-check-against-missing-interfaces.patch + # END OF PATCH DEFINITIONS %endif @@ -2171,6 +2173,7 @@ fi # %changelog * Fri Mar 18 2016 Josh Boyer +- ims-pcu: sanity checking on missing interfaces - CVE-2016-3140 digi_acceleport: oops on invalid USB descriptors (rhbz 1317010 1316995) - CVE-2016-3138 cdc_acm: oops on invalid USB descriptors (rhbz 1317010 1316204) - CVE-2016-2185 ati_remote2: oops on invalid USB descriptors (rhbz 1317014 1317471)