diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-05-04 08:15:28 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-05-04 08:16:22 -0400 |
commit | 11059ef1d578adc73d22342288268713386da694 (patch) | |
tree | c01e01a1104ba5c1e23bbf0c9b34bcec9807e4eb | |
parent | 440fa05f1acbad38dd14c39bdc612297cff30eb6 (diff) | |
download | kernel-11059ef1d578adc73d22342288268713386da694.tar.gz kernel-11059ef1d578adc73d22342288268713386da694.tar.xz kernel-11059ef1d578adc73d22342288268713386da694.zip |
CVE-2016-4482 info leak in devio.c (rhbz 1332931 1332932)
-rw-r--r-- | USB-usbfs-fix-potential-infoleak-in-devio.patch | 41 | ||||
-rw-r--r-- | kernel.spec | 9 |
2 files changed, 50 insertions, 0 deletions
diff --git a/USB-usbfs-fix-potential-infoleak-in-devio.patch b/USB-usbfs-fix-potential-infoleak-in-devio.patch new file mode 100644 index 000000000..48360c930 --- /dev/null +++ b/USB-usbfs-fix-potential-infoleak-in-devio.patch @@ -0,0 +1,41 @@ +From 7adc5cbc25dcc47dc3856108d9823d08da75da9d Mon Sep 17 00:00:00 2001 +From: Kangjie Lu <kangjielu@gmail.com> +Date: Tue, 3 May 2016 16:32:16 -0400 +Subject: [PATCH] USB: usbfs: fix potential infoleak in devio +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The stack object “ci” has a total size of 8 bytes. Its last 3 bytes +are padding bytes which are not initialized and leaked to userland +via “copy_to_user”. + +Signed-off-by: Kangjie Lu <kjlu@gatech.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/usb/core/devio.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c +index 52c4461dfccd..9b7f1f75e887 100644 +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -1316,10 +1316,11 @@ static int proc_getdriver(struct usb_dev_state *ps, void __user *arg) + + static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg) + { +- struct usbdevfs_connectinfo ci = { +- .devnum = ps->dev->devnum, +- .slow = ps->dev->speed == USB_SPEED_LOW +- }; ++ struct usbdevfs_connectinfo ci; ++ ++ memset(&ci, 0, sizeof(ci)); ++ ci.devnum = ps->dev->devnum; ++ ci.slow = ps->dev->speed == USB_SPEED_LOW; + + if (copy_to_user(arg, &ci, sizeof(ci))) + return -EFAULT; +-- +2.5.5 + diff --git a/kernel.spec b/kernel.spec index a469d3a02..a7795fd80 100644 --- a/kernel.spec +++ b/kernel.spec @@ -659,6 +659,9 @@ Patch702: ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch # Stop splashing crap about broken firmware BGRT Patch704: x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch +#CVE-2016-4482 rhbz 1332931 1332932 +Patch705: USB-usbfs-fix-potential-infoleak-in-devio.patch + # END OF PATCH DEFINITIONS %endif @@ -1379,6 +1382,9 @@ ApplyPatch antenna_select.patch # Follow on for CVE-2016-3156 ApplyPatch ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch +#CVE-2016-4482 rhbz 1332931 1332932 +ApplyPatch USB-usbfs-fix-potential-infoleak-in-devio.patch + # END OF PATCH APPLICATIONS %endif @@ -2228,6 +2234,9 @@ fi # # %changelog +* Wed May 03 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-4482 info leak in devio.c (rhbz 1332931 1332932) + * Fri Apr 29 2016 Peter Robinson <pbrobinson@fedoraproject.org> - Add patch to fix i.MX6 graphics |