diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-03-18 10:32:05 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-03-18 10:32:46 -0400 |
commit | 7400c33f9cbb58596724b1c146056d7b028dae17 (patch) | |
tree | ebd57973f3e66cd33cd03509e2f5b704441d97e9 | |
parent | e0ad3e629e68db8d5b851c745ee122cd803e787d (diff) | |
download | kernel-7400c33f9cbb58596724b1c146056d7b028dae17.tar.gz kernel-7400c33f9cbb58596724b1c146056d7b028dae17.tar.xz kernel-7400c33f9cbb58596724b1c146056d7b028dae17.zip |
CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464)
-rw-r--r-- | USB-input-powermate-fix-oops-with-malicious-USB-desc.patch | 38 | ||||
-rw-r--r-- | kernel.spec | 7 |
2 files changed, 45 insertions, 0 deletions
diff --git a/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch b/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch new file mode 100644 index 000000000..7de890e1b --- /dev/null +++ b/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch @@ -0,0 +1,38 @@ +From 0383ff3ba89d3e6c604138e3ba46685621d71f98 Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Mon, 14 Mar 2016 10:02:51 -0400 +Subject: [PATCH] USB: input: powermate: fix oops with malicious USB + descriptors + +The powermate driver expects at least one valid USB endpoint in its +probe function. If given malicious descriptors that specify 0 for +the number of endpoints, it will crash. Validate the number of +endpoints on the interface before using them. + +The full report for this issue can be found here: +http://seclists.org/bugtraq/2016/Mar/85 + +Reported-by: Ralf Spenneberg <ralf@spenneberg.net> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +--- + drivers/input/misc/powermate.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c +index 63b539d3daba..84909a12ff36 100644 +--- a/drivers/input/misc/powermate.c ++++ b/drivers/input/misc/powermate.c +@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i + int error = -ENOMEM; + + interface = intf->cur_altsetting; ++ if (interface->desc.bNumEndpoints < 1) ++ return -EINVAL; ++ + endpoint = &interface->endpoint[0].desc; + if (!usb_endpoint_is_int_in(endpoint)) + return -EIO; +-- +2.5.0 + diff --git a/kernel.spec b/kernel.spec index ab81aa4e0..6f3a96fde 100644 --- a/kernel.spec +++ b/kernel.spec @@ -643,6 +643,9 @@ Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch #CVE-2016-3137 rhbz 1317010 1316996 Patch672: cypress_m8-add-sanity-checking.patch +#CVE-2016-2186 rhbz 1317015 1317464 +Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch + # END OF PATCH DEFINITIONS %endif @@ -1349,6 +1352,9 @@ ApplyPatch ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch #CVE-2016-3137 rhbz 1317010 1316996 ApplyPatch cypress_m8-add-sanity-checking.patch +#CVE-2016-2186 rhbz 1317015 1317464 +ApplyPatch USB-input-powermate-fix-oops-with-malicious-USB-desc.patch + # END OF PATCH APPLICATIONS %endif @@ -2199,6 +2205,7 @@ fi # %changelog * Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464) - CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996) - CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470) |