CVE-2016-4482 info leak in devio.c (rhbz 1332931 1332932)

author: Josh Boyer <jwboyer@fedoraproject.org> 2016-05-04 08:15:28 -0400
committer: Josh Boyer <jwboyer@fedoraproject.org> 2016-05-04 08:16:22 -0400
commit: 11059ef1d578adc73d22342288268713386da694 (patch)
tree: c01e01a1104ba5c1e23bbf0c9b34bcec9807e4eb
parent: 440fa05f1acbad38dd14c39bdc612297cff30eb6 (diff)
download: kernel-11059ef1d578adc73d22342288268713386da694.tar.gz
kernel-11059ef1d578adc73d22342288268713386da694.tar.xz
kernel-11059ef1d578adc73d22342288268713386da694.zip
2 files changed, 50 insertions, 0 deletions
diff --git a/USB-usbfs-fix-potential-infoleak-in-devio.patch b/USB-usbfs-fix-potential-infoleak-in-devio.patch
new file mode 100644
index 000000000..48360c930
--- /dev/null
+++ b/USB-usbfs-fix-potential-infoleak-in-devio.patch
@@ -0,0 +1,41 @@
+From 7adc5cbc25dcc47dc3856108d9823d08da75da9d Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:32:16 -0400
+Subject: [PATCH] USB: usbfs: fix potential infoleak in devio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
+are padding bytes which are not initialized and leaked to userland
+via “copy_to_user”.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/devio.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
+index 52c4461dfccd..9b7f1f75e887 100644
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1316,10 +1316,11 @@ static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
+ 
+ static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
+ {
+-	struct usbdevfs_connectinfo ci = {
+-		.devnum = ps->dev->devnum,
+-		.slow = ps->dev->speed == USB_SPEED_LOW
+-	};
++	struct usbdevfs_connectinfo ci;
++
++	memset(&ci, 0, sizeof(ci));
++	ci.devnum = ps->dev->devnum;
++	ci.slow = ps->dev->speed == USB_SPEED_LOW;
+ 
+ 	if (copy_to_user(arg, &ci, sizeof(ci)))
+ 		return -EFAULT;
+-- 
+2.5.5
+
diff --git a/kernel.spec b/kernel.spec
index a469d3a02..a7795fd80 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -659,6 +659,9 @@ Patch702: ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch
 # Stop splashing crap about broken firmware BGRT
 Patch704: x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch
 
+#CVE-2016-4482 rhbz 1332931 1332932
+Patch705: USB-usbfs-fix-potential-infoleak-in-devio.patch
+
 # END OF PATCH DEFINITIONS
 %endif
 
@@ -1379,6 +1382,9 @@ ApplyPatch antenna_select.patch
 # Follow on for CVE-2016-3156
 ApplyPatch ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch
 
+#CVE-2016-4482 rhbz 1332931 1332932
+ApplyPatch USB-usbfs-fix-potential-infoleak-in-devio.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2228,6 +2234,9 @@ fi
 #
 # 
 %changelog
+* Wed May 03 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-4482 info leak in devio.c (rhbz 1332931 1332932)
+
 * Fri Apr 29 2016 Peter Robinson <pbrobinson@fedoraproject.org>
 - Add patch to fix i.MX6 graphics
author	Josh Boyer <jwboyer@fedoraproject.org>	2016-05-04 08:15:28 -0400
committer	Josh Boyer <jwboyer@fedoraproject.org>	2016-05-04 08:16:22 -0400
commit	11059ef1d578adc73d22342288268713386da694 (patch)
tree	c01e01a1104ba5c1e23bbf0c9b34bcec9807e4eb
parent	440fa05f1acbad38dd14c39bdc612297cff30eb6 (diff)
download	kernel-11059ef1d578adc73d22342288268713386da694.tar.gz kernel-11059ef1d578adc73d22342288268713386da694.tar.xz kernel-11059ef1d578adc73d22342288268713386da694.zip