CVE-2016-3140 digi_acceleport: oops on invalid USB descriptors (rhbz 1317010 1316995)

This commit is contained in:
Josh Boyer 2016-03-18 11:05:14 -04:00
parent 9e1b14ab48
commit c2763b5687
2 changed files with 38 additions and 0 deletions

View File

@ -0,0 +1,34 @@
From e9c2a3972496927631a1a98fef43e9538e9fd5d5 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Mon, 14 Mar 2016 15:53:38 +0100
Subject: [PATCH] digi_acceleport: do sanity checking for the number of ports
The driver can be crashed with devices that expose crafted
descriptors with too few endpoints.
See:
http://seclists.org/bugtraq/2016/Mar/61
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
---
drivers/usb/serial/digi_acceleport.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
index 12b0e67473ba..c4d4d4547d40 100644
--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -1260,6 +1260,11 @@ static int digi_startup(struct usb_serial *serial)
spin_lock_init(&serial_priv->ds_serial_lock);
serial_priv->ds_oob_port_num = serial->type->num_ports;
+ if (!(serial_priv->ds_oob_port_num == 2 && serial->type == &digi_acceleport_2_device)
+ && !(serial_priv->ds_oob_port_num == 4 && serial->type == &digi_acceleport_4_device)) {
+ kfree(serial_priv);
+ return -EINVAL;
+ }
serial_priv->ds_oob_port = serial->port[serial_priv->ds_oob_port_num];
ret = digi_port_init(serial_priv->ds_oob_port,
--
2.5.0

View File

@ -646,6 +646,9 @@ Patch675: usb_driver_claim_interface-add-sanity-checking.patch
#CVE-2016-3138 rhbz 1317010 1316204
Patch676: cdc-acm-more-sanity-checking.patch
#CVE-2016-3140 rhbz 1317010 1316995
Patch677: digi_acceleport-do-sanity-checking-for-the-number-of.patch
# END OF PATCH DEFINITIONS
%endif
@ -2168,6 +2171,7 @@ fi
#
%changelog
* Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2016-3140 digi_acceleport: oops on invalid USB descriptors (rhbz 1317010 1316995)
- CVE-2016-3138 cdc_acm: oops on invalid USB descriptors (rhbz 1317010 1316204)
- CVE-2016-2185 ati_remote2: oops on invalid USB descriptors (rhbz 1317014 1317471)
- CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467)