CVE-2016-3136 mct_u232: oops on invalid USB descriptors (rhbz 1317007 1317010)

This commit is contained in:
Josh Boyer 2016-03-22 14:25:01 -04:00
parent e1aff3fede
commit a01e1aa804
2 changed files with 39 additions and 0 deletions

View File

@ -641,6 +641,9 @@ Patch685: 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch
#CVE-2016-2187 rhbz 1317017 1317010
Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch
#CVE-2016-3136 rhbz 1317007 1317010
Patch687: mct_u232-sanity-checking-in-probe.patch
# END OF PATCH DEFINITIONS
%endif
@ -2164,6 +2167,7 @@ fi
#
%changelog
* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2016-3136 mct_u232: oops on invalid USB descriptors (rhbz 1317007 1317010)
- CVE-2016-2187 gtco: oops on invalid USB descriptors (rhbz 1317017 1317010)
* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git19.1

View File

@ -0,0 +1,35 @@
Subject: [PATCH v2] mct_u232: sanity checking in probe
From: Oliver Neukum <oneukum@suse.com>
Date: 2016-03-21 13:14:37
An attack using the lack of sanity checking in probe
is known. This patch checks for the existance of a
second port.
CVE-2016-3136
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
v1 - add sanity check for presence of a second port
v2 - add sanity check for an interrupt endpoint
---
drivers/usb/serial/mct_u232.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
index 4446b8d..3e64538 100644
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
{
struct mct_u232_private *priv;
+ /* check first to simplify error handling */
+ if (!port->serial->port[1] || !port->serial->port[1]->interrupt_in_urb)
+ return -ENODEV;
+
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
if (!priv)
return -ENOMEM;
--
2.1.4