diff options
| author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-03-18 10:58:57 -0400 |
|---|---|---|
| committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-03-18 10:59:44 -0400 |
| commit | e9295a6761320b5b94b8beafba3cc8265bffe766 (patch) | |
| tree | 595f7c4e2733ff34d494cc49693693cc30772e88 | |
| parent | e4ce5f635ae69e96baf8949a501f35b6b4aa2611 (diff) | |
| download | kernel-e9295a6761320b5b94b8beafba3cc8265bffe766.tar.gz kernel-e9295a6761320b5b94b8beafba3cc8265bffe766.tar.xz kernel-e9295a6761320b5b94b8beafba3cc8265bffe766.zip | |
CVE-2016-3138 cdc_acm: oops on invalid USB descriptors (rhbz 1317010 1316204)
| -rw-r--r-- | cdc-acm-more-sanity-checking.patch | 33 | ||||
| -rw-r--r-- | kernel.spec | 4 |
2 files changed, 37 insertions, 0 deletions
diff --git a/cdc-acm-more-sanity-checking.patch b/cdc-acm-more-sanity-checking.patch new file mode 100644 index 000000000..99ad43416 --- /dev/null +++ b/cdc-acm-more-sanity-checking.patch @@ -0,0 +1,33 @@ +From e6a87f147002fa16adcbafebbc458ff90a463474 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum <oneukum@suse.com> +Date: Tue, 15 Mar 2016 10:14:04 +0100 +Subject: [PATCH] cdc-acm: more sanity checking + +An attack has become available which pretends to be a quirky +device circumventing normal sanity checks and crashes the kernel +by an insufficient number of interfaces. This patch adds a check +to the code path for quirky devices. + +Signed-off-by: Oliver Neukum <ONeukum@suse.com> +CC: stable@vger.kernel.org +--- + drivers/usb/class/cdc-acm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index 26ca4f910cb0..a7732f80a912 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1113,6 +1113,9 @@ static int acm_probe(struct usb_interface *intf, + if (quirks == NO_UNION_NORMAL) { + data_interface = usb_ifnum_to_if(usb_dev, 1); + control_interface = usb_ifnum_to_if(usb_dev, 0); ++ /* we would crash */ ++ if (!data_interface || !control_interface) ++ return -ENODEV; + goto skip_normal_probe; + } + +-- +2.5.0 + diff --git a/kernel.spec b/kernel.spec index fd121a0e4..5bf3cfea7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -641,6 +641,9 @@ Patch674: USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch #CVE-2016-2185 rhbz 1317014 1317471 Patch675: usb_driver_claim_interface-add-sanity-checking.patch +#CVE-2016-3138 rhbz 1317010 1316204 +Patch676: cdc-acm-more-sanity-checking.patch + # END OF PATCH DEFINITIONS %endif @@ -2163,6 +2166,7 @@ fi # %changelog * Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-3138 cdc_acm: oops on invalid USB descriptors (rhbz 1317010 1316204) - CVE-2016-2185 ati_remote2: oops on invalid USB descriptors (rhbz 1317014 1317471) - CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467) - CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464) |