diff options
| author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-01-12 13:12:57 -0500 |
|---|---|---|
| committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-01-12 13:15:58 -0500 |
| commit | 598e241054b75348df3258f00538530e8fdcb414 (patch) | |
| tree | 7af0ae79b8369194ba6ad807adcafead5163cab6 | |
| parent | adac8a61eb66d541bea6205c7aa6a187342ee4e2 (diff) | |
| download | kernel-598e241054b75348df3258f00538530e8fdcb414.tar.gz kernel-598e241054b75348df3258f00538530e8fdcb414.tar.xz kernel-598e241054b75348df3258f00538530e8fdcb414.zip | |
CVE-2015-7566 usb: visor: Crash on invalid USB dev descriptors (rhbz 1296466 1297517)
| -rw-r--r-- | kernel.spec | 7 | ||||
| -rw-r--r-- | usb-serial-visor-fix-crash-on-detecting-device-witho.patch | 36 |
2 files changed, 43 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index c1c12edd9..10fd34770 100644 --- a/kernel.spec +++ b/kernel.spec @@ -683,6 +683,9 @@ Patch605: KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch #rhbz 1083853 Patch610: PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch +#CVE-2015-7566 rhbz 1296466 1297517 +Patch623: usb-serial-visor-fix-crash-on-detecting-device-witho.patch + # END OF PATCH DEFINITIONS %endif @@ -1486,6 +1489,9 @@ ApplyPatch KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch #rhbz 1083853 ApplyPatch PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch +#CVE-2015-7566 rhbz 1296466 1297517 +ApplyPatch usb-serial-visor-fix-crash-on-detecting-device-witho.patch + # END OF PATCH APPLICATIONS %endif @@ -2337,6 +2343,7 @@ fi # %changelog * Tue Jan 12 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-7566 usb: visor: Crash on invalid USB dev descriptors (rhbz 1296466 1297517) - Fix backtrace from PNP conflict on Broadwell (rhbz 1083853) * Thu Jan 07 2016 Josh Boyer <jwboyer@fedorparoject.org> diff --git a/usb-serial-visor-fix-crash-on-detecting-device-witho.patch b/usb-serial-visor-fix-crash-on-detecting-device-witho.patch new file mode 100644 index 000000000..ddd4fc5b9 --- /dev/null +++ b/usb-serial-visor-fix-crash-on-detecting-device-witho.patch @@ -0,0 +1,36 @@ +From b2476fe4c16be5c2b7ee950e50677cfaa9ab9bae Mon Sep 17 00:00:00 2001 +From: Vladis Dronov <vdronov@redhat.com> +Date: Tue, 12 Jan 2016 14:10:50 -0500 +Subject: [PATCH] usb: serial: visor: fix crash on detecting device without + write_urbs + +The visor driver crashes in clie_5_attach() when a specially crafted USB +device without bulk-out endpoint is detected. This fix adds a check that +the device has proper configuration expected by the driver. + +Reported-by: Ralf Spenneberg <ralf@spenneberg.net> +Signed-off-by: Vladis Dronov <vdronov@redhat.com> +--- + drivers/usb/serial/visor.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c +index 60afb39eb73c..bbc90c059002 100644 +--- a/drivers/usb/serial/visor.c ++++ b/drivers/usb/serial/visor.c +@@ -597,8 +597,10 @@ static int clie_5_attach(struct usb_serial *serial) + */ + + /* some sanity check */ +- if (serial->num_ports < 2) +- return -1; ++ if (serial->num_bulk_out < 2) { ++ dev_err(&serial->interface->dev, "missing bulk out endpoints\n"); ++ return -ENODEV; ++ } + + /* port 0 now uses the modified endpoint Address */ + port = serial->port[0]; +-- +2.5.0 + |