CVE-2016-2185 ati_remote2: oops on invalid USB descriptors (rhbz 1317014 1317471)

2016-03-18 10:50:37 -04:00 · 2016-03-18 10:50:37 -04:00 · b1afb06566
commit b1afb06566
parent 89cc46c010
2 changed files with 43 additions and 0 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -640,6 +640,9 @@ Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
 #CVE-2016-2188 rhbz 1317018 1317467
 Patch674: USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch
 #CVE-2016-2185 rhbz 1317014 1317471
 Patch675: usb_driver_claim_interface-add-sanity-checking.patch
 # END OF PATCH DEFINITIONS
 %endif
@ -2162,6 +2165,7 @@ fi
 # 
 %changelog
 * Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
 - CVE-2016-2185 ati_remote2: oops on invalid USB descriptors (rhbz 1317014 1317471)
 - CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467)
 - CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464)
 - CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996)
--- a/usb_driver_claim_interface-add-sanity-checking.patch
+++ b/usb_driver_claim_interface-add-sanity-checking.patch
@ -0,0 +1,39 @@
 From de0784bdf6314b70c69416d8c576eb83237d5b1e Mon Sep 17 00:00:00 2001
 From: Oliver Neukum <oneukum@suse.com>
 Date: Wed, 16 Mar 2016 12:26:17 -0400
 Subject: [PATCH] usb_driver_claim_interface: add sanity checking
 Attacks that trick drivers into passing a NULL pointer
 to usb_driver_claim_interface() using forged descriptors are
 known. This thwarts them by sanity checking.
 Signed-off-by: Oliver Neukum <ONeukum@suse.com>
 CC: stable@vger.kernel.org
 ---
 drivers/usb/core/driver.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
 index 6b5063e7943f..e2d242b68d4b 100644
 --- a/drivers/usb/core/driver.c
 +++ b/drivers/usb/core/driver.c
@@ -500,11 +500,15 @@ static int usb_unbind_interface(struct device *dev)
 int usb_driver_claim_interface(struct usb_driver *driver,
 				struct usb_interface *iface, void *priv)
 {
 -	struct device *dev = &iface->dev;
 +	struct device *dev;
 	struct usb_device *udev;
 	int retval = 0;
 	int lpm_disable_error;
 +	if (!iface)
 +		return -ENODEV;
 +
 +	dev = &iface->dev;
 	if (dev->driver)
 		return -EBUSY;
 -- 
 2.5.0