CVE-2016-4482 info leak in devio.c (rhbz 1332931 1332932)

author: Josh Boyer <jwboyer@fedoraproject.org> 2016-05-04 08:15:28 -0400
committer: Josh Boyer <jwboyer@fedoraproject.org> 2016-05-04 08:20:36 -0400
commit: e0b4d238eebe89918b7bf4018ade26a58428f392 (patch)
tree: c457d76d69e7ed89bf6175360eb0dda048650845
parent: cbdaacf012ae3db4661161cd993c34e18e834c8d (diff)
download: kernel-e0b4d238eebe89918b7bf4018ade26a58428f392.tar.gz
kernel-e0b4d238eebe89918b7bf4018ade26a58428f392.tar.xz
kernel-e0b4d238eebe89918b7bf4018ade26a58428f392.zip
2 files changed, 47 insertions, 0 deletions
diff --git a/USB-usbfs-fix-potential-infoleak-in-devio.patch b/USB-usbfs-fix-potential-infoleak-in-devio.patch
new file mode 100644
index 000000000..48360c930
--- /dev/null
+++ b/USB-usbfs-fix-potential-infoleak-in-devio.patch
@@ -0,0 +1,41 @@
+From 7adc5cbc25dcc47dc3856108d9823d08da75da9d Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:32:16 -0400
+Subject: [PATCH] USB: usbfs: fix potential infoleak in devio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
+are padding bytes which are not initialized and leaked to userland
+via “copy_to_user”.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/devio.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
+index 52c4461dfccd..9b7f1f75e887 100644
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1316,10 +1316,11 @@ static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
+ 
+ static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
+ {
+-	struct usbdevfs_connectinfo ci = {
+-		.devnum = ps->dev->devnum,
+-		.slow = ps->dev->speed == USB_SPEED_LOW
+-	};
++	struct usbdevfs_connectinfo ci;
++
++	memset(&ci, 0, sizeof(ci));
++	ci.devnum = ps->dev->devnum;
++	ci.slow = ps->dev->speed == USB_SPEED_LOW;
+ 
+ 	if (copy_to_user(arg, &ci, sizeof(ci)))
+ 		return -EFAULT;
+-- 
+2.5.5
+
diff --git a/kernel.spec b/kernel.spec
index 5a92280b9..7294e1996 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -620,6 +620,9 @@ Patch702: x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch
 #rhbz 1331092
 Patch703: mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch
 
+#CVE-2016-4482 rhbz 1332931 1332932
+Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2145,6 +2148,9 @@ fi
 #
 # 
 %changelog
+* Wed May 03 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-4482 info leak in devio.c (rhbz 1332931 1332932)
+
 * Tue May 03 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc6.git1.1
 - Linux v4.6-rc6-72-g33656a1f2ee5
author	Josh Boyer <jwboyer@fedoraproject.org>	2016-05-04 08:15:28 -0400
committer	Josh Boyer <jwboyer@fedoraproject.org>	2016-05-04 08:20:36 -0400
commit	e0b4d238eebe89918b7bf4018ade26a58428f392 (patch)
tree	c457d76d69e7ed89bf6175360eb0dda048650845
parent	cbdaacf012ae3db4661161cd993c34e18e834c8d (diff)
download	kernel-e0b4d238eebe89918b7bf4018ade26a58428f392.tar.gz kernel-e0b4d238eebe89918b7bf4018ade26a58428f392.tar.xz kernel-e0b4d238eebe89918b7bf4018ade26a58428f392.zip