author | Justin M. Forbes <jforbes@fedoraproject.org> | 2017-11-08 08:11:42 -0600 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2017-11-08 08:11:42 -0600 |
commit | 23f3bf12e42282c4a1d16c3b686a94bdba27fe81 (patch) | |
tree | d60d9803fd6adac4254fa01be24f7e4b5c8d044d | |
parent | 2db7ed17000c1da3052c45370b8363e1b428ab9b (diff) | |
Fix CVE-2017-16532 and CVE-2017-16538
-rw-r--r-- | 0001-usb-usbtest-fix-NULL-pointer-dereference.patch | 41 | ||||
-rw-r--r-- | CVE-2017-16538.patch | 166 | ||||
-rw-r--r-- | kernel.spec | 10 |
3 files changed, 217 insertions, 0 deletions
diff --git a/0001-usb-usbtest-fix-NULL-pointer-dereference.patch b/0001-usb-usbtest-fix-NULL-pointer-dereference.patch
new file mode 100644
index 000000000..acc03ec7d
--- /dev/null
+++ b/0001-usb-usbtest-fix-NULL-pointer-dereference.patch
@@ -0,0 +1,41 @@
+From 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 29 Sep 2017 10:54:24 -0400
+Subject: [PATCH] usb: usbtest: fix NULL pointer dereference
+
+If the usbtest driver encounters a device with an IN bulk endpoint but
+no OUT bulk endpoint, it will try to dereference a NULL pointer
+(out->desc.bEndpointAddress). The problem can be solved by adding a
+missing test.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+---
+ drivers/usb/misc/usbtest.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
+index 113e38bfe0ef..b3fc602b2e24 100644
+--- a/drivers/usb/misc/usbtest.c
++++ b/drivers/usb/misc/usbtest.c
+@@ -202,12 +202,13 @@ get_endpoints(struct usbtest_dev *dev, struct usb_interface *intf)
+ return tmp;
+ }
+
+- if (in) {
++ if (in)
+ dev->in_pipe = usb_rcvbulkpipe(udev,
+ in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
++ if (out)
+ dev->out_pipe = usb_sndbulkpipe(udev,
+ out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
+- }
++
+ if (iso_in) {
+ dev->iso_in = &iso_in->desc;
+ dev->in_iso_pipe = usb_rcvisocpipe(udev,
+--
+2.13.6
+
diff --git a/CVE-2017-16538.patch b/CVE-2017-16538.patch
new file mode 100644
index 000000000..e9cf4b054
--- /dev/null
+++ b/CVE-2017-16538.patch
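Review bot: With `in` and `out` now tested separately in get_endpoints(), either `dev->in_pipe` or `dev->out_pipe` can stay unset for a device that exposes only one bulk direction, and nothing in the hunk records what an unset pipe means to later code. Whether every test case that uses `dev->out_pipe` checks for that is not visible here, so it is worth confirming before relying on this guard alone against a malformed device. A comment above the two guards would state the contract, for example `/* a device may expose only one bulk endpoint; the missing direction's pipe is left unset */`. The function starts and ends outside the hunk.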
@@ -0,0 +1,166 @@
+From patchwork Tue Sep 26 21:10:20 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [1/2] media: dvb-usb-v2: lmedm04: Improve logic checking of warm
+ start.
+From: Malcolm Priestley <tvboxspy@gmail.com>
+X-Patchwork-Id: 44566
+Message-Id: <20170926211021.11036-1-tvboxspy@gmail.com>
+To: linux-media@vger.kernel.org
+Cc: Andrey Konovalov <andreyknvl@google.com>,
+ Malcolm Priestley <tvboxspy@gmail.com>
+Date: Tue, 26 Sep 2017 22:10:20 +0100
+
+Warm start has no check as whether a genuine device has
+connected and proceeds to next execution path.
+
+Check device should read 0x47 at offset of 2 on USB descriptor read
+and it is the amount requested of 6 bytes.
+
+Fix for
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access as
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+---
+ drivers/media/usb/dvb-usb-v2/lmedm04.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+index 5e320fa4a795..992f2011a6ba 100644
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -494,18 +494,23 @@ static int lme2510_pid_filter(struct dvb_usb_adapter *adap, int index, u16 pid,
+
+ static int lme2510_return_status(struct dvb_usb_device *d)
+ {
+- int ret = 0;
++ int ret;
+ u8 *data;
+
+- data = kzalloc(10, GFP_KERNEL);
++ data = kzalloc(6, GFP_KERNEL);
+ if (!data)
+ return -ENOMEM;
+
+- ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
+- 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
+- info("Firmware Status: %x (%x)", ret , data[2]);
++ ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
++ 0x06, 0x80, 0x0302, 0x00,
++ data, 0x6, 200);
++ if (ret != 6)
++ ret = -EINVAL;
++ else
++ ret = data[2];
++
++ info("Firmware Status: %6ph", data);
+
+- ret = (ret < 0) ? -ENODEV : data[2];
+ kfree(data);
+ return ret;
+ }
+@@ -1189,6 +1194,7 @@ static int lme2510_get_adapter_count(struct dvb_usb_device *d)
+ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
+ {
+ struct lme2510_state *st = d->priv;
++ int status;
+
+ usb_reset_configuration(d->udev);
+
+@@ -1197,12 +1203,16 @@ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
+
+ st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
+
+- if (lme2510_return_status(d) == 0x44) {
++ status = lme2510_return_status(d);
++ if (status == 0x44) {
+ *name = lme_firmware_switch(d, 0);
+ return COLD;
+ }
+
+- return 0;
++ if (status != 0x47)
++ return -EINVAL;
++
++ return WARM;
+ }
+
+ static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,
+From patchwork Tue Sep 26 21:10:21 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [2/2] media: dvb-usb-v2: lmedm04: move ts2020 attach to
+ dm04_lme2510_tuner
+From: Malcolm Priestley <tvboxspy@gmail.com>
+X-Patchwork-Id: 44567
+Message-Id: <20170926211021.11036-2-tvboxspy@gmail.com>
+To: linux-media@vger.kernel.org
+Cc: Andrey Konovalov <andreyknvl@google.com>,
+ Malcolm Priestley <tvboxspy@gmail.com>
+Date: Tue, 26 Sep 2017 22:10:21 +0100
+
+When the tuner was split from m88rs2000 the attach function is in wrong
+place.
+
+Move to dm04_lme2510_tuner to trap errors on failure and removing
+a call to lme_coldreset.
+
+Prevents driver starting up without any tuner connected.
+
+Fixes to trap for ts2020 fail.
+LME2510(C): FE Found M88RS2000
+ts2020: probe of 0-0060 failed with error -11
+...
+LME2510(C): TUN Found RS2000 tuner
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+---
+ drivers/media/usb/dvb-usb-v2/lmedm04.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+index 992f2011a6ba..be26c029546b 100644
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -1076,8 +1076,6 @@ static int dm04_lme2510_frontend_attach(struct dvb_usb_adapter *adap)
+
+ if (adap->fe[0]) {
+ info("FE Found M88RS2000");
+- dvb_attach(ts2020_attach, adap->fe[0], &ts2020_config,
+- &d->i2c_adap);
+ st->i2c_tuner_gate_w = 5;
+ st->i2c_tuner_gate_r = 5;
+ st->i2c_tuner_addr = 0x60;
+@@ -1143,17 +1141,18 @@ static int dm04_lme2510_tuner(struct dvb_usb_adapter *adap)
+ ret = st->tuner_config;
+ break;
+ case TUNER_RS2000:
+- ret = st->tuner_config;
++ if (dvb_attach(ts2020_attach, adap->fe[0],
++ &ts2020_config, &d->i2c_adap))
++ ret = st->tuner_config;
+ break;
+ default:
+ break;
+ }
+
+- if (ret)
++ if (ret) {
+ info("TUN Found %s tuner", tun_msg[ret]);
+- else {
+- info("TUN No tuner found --- resetting device");
+- lme_coldreset(d);
++ } else {
++ info("TUN No tuner found");
+ return -ENODEV;
+ }
+
diff --git a/kernel.spec b/kernel.spec
index 7aa4ffc4c..444fcff5c 100644
--- a/kernel.spec
+++ b/kernel.spec
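Review bot: In the lme2510_return_status() hunk, `if (ret != 6) ret = -EINVAL;` replaces a negative errno from usb_control_msg() (disconnect, timeout) with -EINVAL, so a caller can no longer tell a transport failure from a short or unexpected descriptor; `ret = ret < 0 ? ret : -EINVAL;` would keep it. The following `info("Firmware Status: %6ph", data);` also runs on the failure path, where it prints the zero-filled kzalloc buffer or a partial read as if it were a status; moving it into the `else` branch avoids a misleading log line. The 0x44 and 0x47 values compared in lme2510_identify_state() would read better with a one-line comment or named constants saying which firmware state each denotes.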
@@ -701,6 +701,12 @@ Patch636: v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch # rhbz 1490803 Patch637: 1-2-kvm-vmx-Reinstate-support-for-CPUs-without-virtual-NMI.patch +# CVE-2017-16532 rhbz 1510835 1510854 +Patch638: 0001-usb-usbtest-fix-NULL-pointer-dereference.patch + +# CVE-2017-16538 rhbz 1510826 1510854 +Patch639: CVE-2017-16538.patch + # END OF PATCH DEFINITIONS %endif @@ -2275,6 +2281,10 @@ fi # # %changelog +* Wed Nov 08 2017 Justin M. Forbes <jforbes@fedoraproject.org> +- Fix CVE-2017-16532 (rhbz 1510835 1510854) +- Fix CVE-2017-16538 (rhbz 1510826 1510854) + * Mon Nov 06 2017 Laura Abbott <labbott@redhat.com> - Patches for ThinkPad X1 Carbon Gen5 Touchpad (rhbz 1509461) - Fix for KVM regression on some machines (rhbz 1490803) |