summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJosh Boyer <jwboyer@fedoraproject.org>2016-03-22 14:25:01 -0400
committerJosh Boyer <jwboyer@fedoraproject.org>2016-03-22 14:25:03 -0400
commita01e1aa804570861736c37402ec8651a7e5933f8 (patch)
tree4790b75e31770efe07b13389937ce61850c2389b
parente1aff3fede076724a32abf1336804185fbfc6f8c (diff)
downloadkernel-a01e1aa804570861736c37402ec8651a7e5933f8.tar.gz
kernel-a01e1aa804570861736c37402ec8651a7e5933f8.tar.xz
kernel-a01e1aa804570861736c37402ec8651a7e5933f8.zip
CVE-2016-3136 mct_u232: oops on invalid USB descriptors (rhbz 1317007 1317010)
Diffstat
-rw-r--r--kernel.spec4
-rw-r--r--mct_u232-sanity-checking-in-probe.patch35
2 files changed, 39 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index 8b279cffc..b736df306 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -641,6 +641,9 @@ Patch685: 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch
#CVE-2016-2187 rhbz 1317017 1317010
Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch
+#CVE-2016-3136 rhbz 1317007 1317010
+Patch687: mct_u232-sanity-checking-in-probe.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -2164,6 +2167,7 @@ fi
#
%changelog
* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-3136 mct_u232: oops on invalid USB descriptors (rhbz 1317007 1317010)
- CVE-2016-2187 gtco: oops on invalid USB descriptors (rhbz 1317017 1317010)
* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git19.1
diff --git a/mct_u232-sanity-checking-in-probe.patch b/mct_u232-sanity-checking-in-probe.patch
new file mode 100644
index 000000000..006faf15f
--- /dev/null
+++ b/mct_u232-sanity-checking-in-probe.patch
@@ -0,0 +1,35 @@
+Subject: [PATCH v2] mct_u232: sanity checking in probe
+From: Oliver Neukum <oneukum@suse.com>
+Date: 2016-03-21 13:14:37
+
+An attack using the lack of sanity checking in probe
+is known. This patch checks for the existance of a
+second port.
+CVE-2016-3136
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+CC: stable@vger.kernel.org
+
+v1 - add sanity check for presence of a second port
+v2 - add sanity check for an interrupt endpoint
+---
+ drivers/usb/serial/mct_u232.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
+index 4446b8d..3e64538 100644
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
+ {
+ struct mct_u232_private *priv;
+
++ /* check first to simplify error handling */
++ if (!port->serial->port[1] || !port->serial->port[1]->interrupt_in_urb)
++ return -ENODEV;
++
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
+--
+2.1.4
generated by cgit (git 2.34.1) at 2024-06-12 06:45:09 +0000