From c2763b5687e8316dbeb5b9e3ba20f4e2b8a49af2 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Fri, 18 Mar 2016 11:05:14 -0400
Subject: [PATCH] CVE-2016-3140 digi_acceleport: oops on invalid USB descriptors (rhbz 1317010 1316995)
---
 ...do-sanity-checking-for-the-number-of.patch | 34 +++++++++++++++++++
 kernel.spec | 4 +++
 2 files changed, 38 insertions(+)
 create mode 100644 digi_acceleport-do-sanity-checking-for-the-number-of.patch
diff --git a/digi_acceleport-do-sanity-checking-for-the-number-of.patch b/digi_acceleport-do-sanity-checking-for-the-number-of.patch
new file mode 100644
index 000000000..2bbae94b7
--- /dev/null
+++ b/digi_acceleport-do-sanity-checking-for-the-number-of.patch
@@ -0,0 +1,34 @@
+From e9c2a3972496927631a1a98fef43e9538e9fd5d5 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Mon, 14 Mar 2016 15:53:38 +0100
+Subject: [PATCH] digi_acceleport: do sanity checking for the number of ports
+
+The driver can be crashed with devices that expose crafted
+descriptors with too few endpoints.
+See:
+http://seclists.org/bugtraq/2016/Mar/61
+
+Signed-off-by: Oliver Neukum
+---
+ drivers/usb/serial/digi_acceleport.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
+index 12b0e67473ba..c4d4d4547d40 100644
+--- a/drivers/usb/serial/digi_acceleport.c
++++ b/drivers/usb/serial/digi_acceleport.c
+@@ -1260,6 +1260,11 @@ static int digi_startup(struct usb_serial *serial)
+
+ spin_lock_init(&serial_priv->ds_serial_lock);
+ serial_priv->ds_oob_port_num = serial->type->num_ports;
++ if (!(serial_priv->ds_oob_port_num == 2 && serial->type == &digi_acceleport_2_device)
++ && !(serial_priv->ds_oob_port_num == 4 && serial->type == &digi_acceleport_4_device)) {
++ kfree(serial_priv);
++ return -EINVAL;
++ }
+ serial_priv->ds_oob_port = serial->port[serial_priv->ds_oob_port_num];
+
+ ret = digi_port_init(serial_priv->ds_oob_port,
+--
+2.5.0
+
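Review bot: The added check in digi_startup compares `serial->type->num_ports` with the address of the matching device type, and both values come from the driver's own static tables, so as far as this hunk shows it never looks at anything the attached device reported. The commit message describes crafted descriptors with too few endpoints, and the line right after the check still indexes `serial->port[serial_priv->ds_oob_port_num]`, whose validity depends on how many port structures were actually set up for this device. A guard on that count, for example `if (serial->num_port_pointers < serial->type->num_ports + 1) { kfree(serial_priv); return -ENODEV; }`, would cover the out-of-band port directly; confirm the field name against the target kernel tree. digi_startup starts and ends outside the hunk, so the allocation that `kfree(serial_priv)` pairs with is not visible here.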
diff --git a/kernel.spec b/kernel.spec
index e18e1d16b..197f9e1e5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -646,6 +646,9 @@ Patch675: usb_driver_claim_interface-add-sanity-checking.patch
 #CVE-2016-3138 rhbz 1317010 1316204
 Patch676: cdc-acm-more-sanity-checking.patch
+#CVE-2016-3140 rhbz 1317010 1316995
+Patch677: digi_acceleport-do-sanity-checking-for-the-number-of.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -2168,6 +2171,7 @@ fi
 #
 %changelog
 * Fri Mar 18 2016 Josh Boyer
+- CVE-2016-3140 digi_acceleport: oops on invalid USB descriptors (rhbz 1317010 1316995)
 - CVE-2016-3138 cdc_acm: oops on invalid USB descriptors (rhbz 1317010 1316204)
 - CVE-2016-2185 ati_remote2: oops on invalid USB descriptors (rhbz 1317014 1317471)
 - CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467)