Fix CVE-2017-16532 and CVE-2017-16538

3 files changed, 217 insertions, 0 deletions

diff --git a/0001-usb-usbtest-fix-NULL-pointer-dereference.patch b/0001-usb-usbtest-fix-NULL-pointer-dereference.patch
new file mode 100644
index 000000000..acc03ec7d
--- /dev/null
+++ b/0001-usb-usbtest-fix-NULL-pointer-dereference.patch
@@ -0,0 +1,41 @@
+From 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 29 Sep 2017 10:54:24 -0400
+Subject: [PATCH] usb: usbtest: fix NULL pointer dereference
+
+If the usbtest driver encounters a device with an IN bulk endpoint but
+no OUT bulk endpoint, it will try to dereference a NULL pointer
+(out->desc.bEndpointAddress).  The problem can be solved by adding a
+missing test.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+---
+ drivers/usb/misc/usbtest.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
+index 113e38bfe0ef..b3fc602b2e24 100644
+--- a/drivers/usb/misc/usbtest.c
++++ b/drivers/usb/misc/usbtest.c
+@@ -202,12 +202,13 @@ get_endpoints(struct usbtest_dev *dev, struct usb_interface *intf)
+ 			return tmp;
+ 	}
+
+-	if (in) {
++	if (in)
+ 		dev->in_pipe = usb_rcvbulkpipe(udev,
+ 			in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
++	if (out)
+ 		dev->out_pipe = usb_sndbulkpipe(udev,
+ 			out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
+-	}
++
+ 	if (iso_in) {
+ 		dev->iso_in = &iso_in->desc;
+ 		dev->in_iso_pipe = usb_rcvisocpipe(udev,
+-- 
+2.13.6
+
diff --git a/CVE-2017-16538.patch b/CVE-2017-16538.patch
new file mode 100644
index 000000000..e9cf4b054
--- /dev/null
+++ b/CVE-2017-16538.patch
@@ -0,0 +1,166 @@
+From patchwork Tue Sep 26 21:10:20 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [1/2] media: dvb-usb-v2: lmedm04: Improve logic checking of warm
+ start.
+From: Malcolm Priestley <tvboxspy@gmail.com>
+X-Patchwork-Id: 44566
+Message-Id: <20170926211021.11036-1-tvboxspy@gmail.com>
+To: linux-media@vger.kernel.org
+Cc: Andrey Konovalov <andreyknvl@google.com>,
+ Malcolm Priestley <tvboxspy@gmail.com>
+Date: Tue, 26 Sep 2017 22:10:20 +0100
+
+Warm start has no check as whether a genuine device has
+connected and proceeds to next execution path.
+
+Check device should read 0x47 at offset of 2 on USB descriptor read
+and it is the amount requested of 6 bytes.
+
+Fix for
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access as
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+---
+ drivers/media/usb/dvb-usb-v2/lmedm04.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+index 5e320fa4a795..992f2011a6ba 100644
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -494,18 +494,23 @@ static int lme2510_pid_filter(struct dvb_usb_adapter *adap, int index, u16 pid,
+ 
+ static int lme2510_return_status(struct dvb_usb_device *d)
+ {
+-	int ret = 0;
++	int ret;
+ 	u8 *data;
+ 
+-	data = kzalloc(10, GFP_KERNEL);
++	data = kzalloc(6, GFP_KERNEL);
+ 	if (!data)
+ 		return -ENOMEM;
+ 
+-	ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
+-			0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
+-	info("Firmware Status: %x (%x)", ret , data[2]);
++	ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
++			      0x06, 0x80, 0x0302, 0x00,
++			      data, 0x6, 200);
++	if (ret != 6)
++		ret = -EINVAL;
++	else
++		ret = data[2];
++
++	info("Firmware Status: %6ph", data);
+ 
+-	ret = (ret < 0) ? -ENODEV : data[2];
+ 	kfree(data);
+ 	return ret;
+ }
+@@ -1189,6 +1194,7 @@ static int lme2510_get_adapter_count(struct dvb_usb_device *d)
+ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
+ {
+ 	struct lme2510_state *st = d->priv;
++	int status;
+ 
+ 	usb_reset_configuration(d->udev);
+ 
+@@ -1197,12 +1203,16 @@ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
+ 
+ 	st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
+ 
+-	if (lme2510_return_status(d) == 0x44) {
++	status = lme2510_return_status(d);
++	if (status == 0x44) {
+ 		*name = lme_firmware_switch(d, 0);
+ 		return COLD;
+ 	}
+ 
+-	return 0;
++	if (status != 0x47)
++		return -EINVAL;
++
++	return WARM;
+ }
+ 
+ static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,
+From patchwork Tue Sep 26 21:10:21 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [2/2] media: dvb-usb-v2: lmedm04: move ts2020 attach to
+ dm04_lme2510_tuner
+From: Malcolm Priestley <tvboxspy@gmail.com>
+X-Patchwork-Id: 44567
+Message-Id: <20170926211021.11036-2-tvboxspy@gmail.com>
+To: linux-media@vger.kernel.org
+Cc: Andrey Konovalov <andreyknvl@google.com>,
+ Malcolm Priestley <tvboxspy@gmail.com>
+Date: Tue, 26 Sep 2017 22:10:21 +0100
+
+When the tuner was split from m88rs2000 the attach function is in wrong
+place.
+
+Move to dm04_lme2510_tuner to trap errors on failure and removing
+a call to lme_coldreset.
+
+Prevents driver starting up without any tuner connected.
+
+Fixes to trap for ts2020 fail.
+LME2510(C): FE Found M88RS2000
+ts2020: probe of 0-0060 failed with error -11
+...
+LME2510(C): TUN Found RS2000 tuner
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+---
+ drivers/media/usb/dvb-usb-v2/lmedm04.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+index 992f2011a6ba..be26c029546b 100644
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -1076,8 +1076,6 @@ static int dm04_lme2510_frontend_attach(struct dvb_usb_adapter *adap)
+ 
+ 		if (adap->fe[0]) {
+ 			info("FE Found M88RS2000");
+-			dvb_attach(ts2020_attach, adap->fe[0], &ts2020_config,
+-					&d->i2c_adap);
+ 			st->i2c_tuner_gate_w = 5;
+ 			st->i2c_tuner_gate_r = 5;
+ 			st->i2c_tuner_addr = 0x60;
+@@ -1143,17 +1141,18 @@ static int dm04_lme2510_tuner(struct dvb_usb_adapter *adap)
+ 			ret = st->tuner_config;
+ 		break;
+ 	case TUNER_RS2000:
+-		ret = st->tuner_config;
++		if (dvb_attach(ts2020_attach, adap->fe[0],
++			       &ts2020_config, &d->i2c_adap))
++			ret = st->tuner_config;
+ 		break;
+ 	default:
+ 		break;
+ 	}
+ 
+-	if (ret)
++	if (ret) {
+ 		info("TUN Found %s tuner", tun_msg[ret]);
+-	else {
+-		info("TUN No tuner found --- resetting device");
+-		lme_coldreset(d);
++	} else {
++		info("TUN No tuner found");
+ 		return -ENODEV;
+ 	}
+ 
diff --git a/kernel.spec b/kernel.spec
index 7aa4ffc4c..444fcff5c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -701,6 +701,12 @@ Patch636: v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch
 # rhbz 1490803
 Patch637: 1-2-kvm-vmx-Reinstate-support-for-CPUs-without-virtual-NMI.patch
 
+# CVE-2017-16532 rhbz 1510835 1510854
+Patch638: 0001-usb-usbtest-fix-NULL-pointer-dereference.patch
+
+# CVE-2017-16538 rhbz 1510826 1510854
+Patch639: CVE-2017-16538.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2275,6 +2281,10 @@ fi
 #
 #
 %changelog
+* Wed Nov 08 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2017-16532 (rhbz 1510835 1510854)
+- Fix CVE-2017-16538 (rhbz 1510826 1510854)
+
 * Mon Nov 06 2017 Laura Abbott <labbott@redhat.com>
 - Patches for ThinkPad X1 Carbon Gen5 Touchpad (rhbz 1509461)
 - Fix for KVM regression on some machines (rhbz 1490803)