diff options
| author | Josh Boyer <jwboyer@fedoraproject.org> | 2015-12-01 15:03:20 -0500 |
|---|---|---|
| committer | Josh Boyer <jwboyer@fedoraproject.org> | 2015-12-01 15:03:23 -0500 |
| commit | d903d2103477ba62e1e3785ded8fb8b0e5565d2c (patch) | |
| tree | c647957f3cb7cbdbfdb4e97c9244725bb8780be5 | |
| parent | 45bb62e168d33bcb3d13b99584fdf13f9fd74cf4 (diff) | |
| download | kernel-d903d2103477ba62e1e3785ded8fb8b0e5565d2c.tar.gz kernel-d903d2103477ba62e1e3785ded8fb8b0e5565d2c.tar.xz kernel-d903d2103477ba62e1e3785ded8fb8b0e5565d2c.zip | |
CVE-2015-7515 aiptek: crash on invalid device descriptors (rhbz 1285326 1285331)
| -rw-r--r-- | Input-aiptek-fix-crash-on-detecting-device-without-e.patch | 48 | ||||
| -rw-r--r-- | kernel.spec | 4 |
2 files changed, 52 insertions, 0 deletions
diff --git a/Input-aiptek-fix-crash-on-detecting-device-without-e.patch b/Input-aiptek-fix-crash-on-detecting-device-without-e.patch new file mode 100644 index 000000000..19dbaa343 --- /dev/null +++ b/Input-aiptek-fix-crash-on-detecting-device-without-e.patch @@ -0,0 +1,48 @@ +From a0edc539fda3f0a4a271f47a0fcf79d1305c1444 Mon Sep 17 00:00:00 2001 +From: Vladis Dronov <vdronov@redhat.com> +Date: Wed, 25 Nov 2015 16:31:35 +0100 +Subject: [PATCH] Input: aiptek: fix crash on detecting device without + endpoints + +The aiptek driver crashes in aiptek_probe() when a specially crafted usb device +without endpoints is detected. This fix adds a check that the device has proper +configuration expected by the driver. Also an error return value is changed to +more matching one in one of the error paths. + +Reported-by: Ralf Spenneberg <ralf@spenneberg.net> +Signed-off-by: Vladis Dronov <vdronov@redhat.com> +--- + drivers/input/tablet/aiptek.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aiptek.c +index e7f966da6efa..78c0732fbb57 100644 +--- a/drivers/input/tablet/aiptek.c ++++ b/drivers/input/tablet/aiptek.c +@@ -1819,6 +1819,15 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id) + input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_MAX, 0, 0); + input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0); + ++ /* Verify that a device really has an endpoint ++ */ ++ if (intf->altsetting[0].desc.bNumEndpoints < 1) { ++ dev_warn(&intf->dev, ++ "interface has %d endpoints, but must have minimum 1\n", ++ intf->altsetting[0].desc.bNumEndpoints); ++ err = -ENODEV; ++ goto fail3; ++ } + endpoint = &intf->altsetting[0].endpoint[0].desc; + + /* Go set up our URB, which is called when the tablet receives +@@ -1861,6 +1870,7 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id) + if (i == ARRAY_SIZE(speeds)) { + dev_info(&intf->dev, + "Aiptek tried all speeds, no sane response\n"); ++ err = -ENODEV; + goto fail3; + } + +-- +2.5.0 + diff --git a/kernel.spec b/kernel.spec index 1b8d7faae..283320b83 100644 --- a/kernel.spec +++ b/kernel.spec @@ -594,6 +594,9 @@ Patch512: 0001-cgroup-make-css_set-pin-its-css-s-to-avoid-use-afer-.patch #CVE-2015-7833 rhbz 1270158 1270160 Patch567: usbvision-fix-crash-on-detecting-device-with-invalid.patch +#CVE-2015-7515 rhbz 1285326 1285331 +Patch568: Input-aiptek-fix-crash-on-detecting-device-without-e.patch + # END OF PATCH DEFINITIONS %endif @@ -2038,6 +2041,7 @@ fi # %changelog * Tue Dec 01 2015 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-7515 aiptek: crash on invalid device descriptors (rhbz 1285326 1285331) - CVE-2015-7833 usbvision: crash on invalid device descriptors (rhbz 1270158 1270160) * Tue Dec 01 2015 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc3.git1.1 |