CVE-2016-2185 ati_remote2: oops on invalid USB descriptors (rhbz 1317014 1317471)
This commit is contained in:
Josh Boyer
parent
89cc46c010
commit
b1afb06566
@ -640,6 +640,9 @@ Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
|
||||
#CVE-2016-2188 rhbz 1317018 1317467
|
||||
Patch674: USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch
|
||||
|
||||
#CVE-2016-2185 rhbz 1317014 1317471
|
||||
Patch675: usb_driver_claim_interface-add-sanity-checking.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
@ -2162,6 +2165,7 @@ fi
|
||||
#
|
||||
%changelog
|
||||
* Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-2185 ati_remote2: oops on invalid USB descriptors (rhbz 1317014 1317471)
|
||||
- CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467)
|
||||
- CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464)
|
||||
- CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996)
|
||||
|
||||
39
usb_driver_claim_interface-add-sanity-checking.patch
Normal file
39
usb_driver_claim_interface-add-sanity-checking.patch
Normal file
@ -0,0 +1,39 @@
|
||||
From de0784bdf6314b70c69416d8c576eb83237d5b1e Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: Wed, 16 Mar 2016 12:26:17 -0400
|
||||
Subject: [PATCH] usb_driver_claim_interface: add sanity checking
|
||||
|
||||
Attacks that trick drivers into passing a NULL pointer
|
||||
to usb_driver_claim_interface() using forged descriptors are
|
||||
known. This thwarts them by sanity checking.
|
||||
|
||||
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
|
||||
CC: stable@vger.kernel.org
|
||||
---
|
||||
drivers/usb/core/driver.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
|
||||
index 6b5063e7943f..e2d242b68d4b 100644
|
||||
--- a/drivers/usb/core/driver.c
|
||||
+++ b/drivers/usb/core/driver.c
|
||||
@@ -500,11 +500,15 @@ static int usb_unbind_interface(struct device *dev)
|
||||
int usb_driver_claim_interface(struct usb_driver *driver,
|
||||
struct usb_interface *iface, void *priv)
|
||||
{
|
||||
- struct device *dev = &iface->dev;
|
||||
+ struct device *dev;
|
||||
struct usb_device *udev;
|
||||
int retval = 0;
|
||||
int lpm_disable_error;
|
||||
|
||||
+ if (!iface)
|
||||
+ return -ENODEV;
|
||||
+
|
||||
+ dev = &iface->dev;
|
||||
if (dev->driver)
|
||||
return -EBUSY;
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
||||
Loading…
Reference in New Issue
Block a user