From b1afb06566c4398535ffcf2535746d47046c9bf6 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 18 Mar 2016 10:50:37 -0400 Subject: [PATCH] CVE-2016-2185 ati_remote2: oops on invalid USB descriptors (rhbz 1317014 1317471) --- kernel.spec | 4 ++ ..._claim_interface-add-sanity-checking.patch | 39 +++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 usb_driver_claim_interface-add-sanity-checking.patch diff --git a/kernel.spec b/kernel.spec index ad92236f3..93c860ef7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -640,6 +640,9 @@ Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch #CVE-2016-2188 rhbz 1317018 1317467 Patch674: USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch +#CVE-2016-2185 rhbz 1317014 1317471 +Patch675: usb_driver_claim_interface-add-sanity-checking.patch + # END OF PATCH DEFINITIONS %endif @@ -2162,6 +2165,7 @@ fi # %changelog * Fri Mar 18 2016 Josh Boyer +- CVE-2016-2185 ati_remote2: oops on invalid USB descriptors (rhbz 1317014 1317471) - CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467) - CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464) - CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996) diff --git a/usb_driver_claim_interface-add-sanity-checking.patch b/usb_driver_claim_interface-add-sanity-checking.patch new file mode 100644 index 000000000..079ff03fd --- /dev/null +++ b/usb_driver_claim_interface-add-sanity-checking.patch @@ -0,0 +1,39 @@ +From de0784bdf6314b70c69416d8c576eb83237d5b1e Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Wed, 16 Mar 2016 12:26:17 -0400 +Subject: [PATCH] usb_driver_claim_interface: add sanity checking + +Attacks that trick drivers into passing a NULL pointer +to usb_driver_claim_interface() using forged descriptors are +known. This thwarts them by sanity checking. + +Signed-off-by: Oliver Neukum +CC: stable@vger.kernel.org +--- + drivers/usb/core/driver.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c +index 6b5063e7943f..e2d242b68d4b 100644 +--- a/drivers/usb/core/driver.c ++++ b/drivers/usb/core/driver.c +@@ -500,11 +500,15 @@ static int usb_unbind_interface(struct device *dev) + int usb_driver_claim_interface(struct usb_driver *driver, + struct usb_interface *iface, void *priv) + { +- struct device *dev = &iface->dev; ++ struct device *dev; + struct usb_device *udev; + int retval = 0; + int lpm_disable_error; + ++ if (!iface) ++ return -ENODEV; ++ ++ dev = &iface->dev; + if (dev->driver) + return -EBUSY; + +-- +2.5.0 +