diff options
| author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-03-18 10:20:51 -0400 |
|---|---|---|
| committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-03-18 10:24:26 -0400 |
| commit | 62042830a60b738575eedd3a37bc4d350d9d8e43 (patch) | |
| tree | 9a05d1adb8b004d5563458cc4c76acc59fac7ee5 /cypress_m8-add-sanity-checking.patch | |
| parent | d6943d1d0b206faef770aaba381438e7d9ef6d2d (diff) | |
| download | kernel-62042830a60b738575eedd3a37bc4d350d9d8e43.tar.gz kernel-62042830a60b738575eedd3a37bc4d350d9d8e43.tar.xz kernel-62042830a60b738575eedd3a37bc4d350d9d8e43.zip | |
CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996)
Diffstat (limited to 'cypress_m8-add-sanity-checking.patch')
| -rw-r--r-- | cypress_m8-add-sanity-checking.patch | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/cypress_m8-add-sanity-checking.patch b/cypress_m8-add-sanity-checking.patch new file mode 100644 index 000000000..fa8513f94 --- /dev/null +++ b/cypress_m8-add-sanity-checking.patch @@ -0,0 +1,50 @@ +From f7a3aa353011e38e119adebd845b38551587a26a Mon Sep 17 00:00:00 2001 +From: Oliver Neukum <oneukum@suse.com> +Date: Thu, 17 Mar 2016 16:25:33 +0100 +Subject: [PATCH] cypress_m8: add sanity checking + +An attack using missing endpoints exists. +CVE-2016-3137 + +Signed-off-by: Oliver Neukum <ONeukum@suse.com> +CC: stable@vger.kernel.org + +v1 - add sanity check +v2 - add error logging +v3 - correct error message +--- + drivers/usb/serial/cypress_m8.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c +index 01bf53392819..5e25443fe4ef 100644 +--- a/drivers/usb/serial/cypress_m8.c ++++ b/drivers/usb/serial/cypress_m8.c +@@ -447,6 +447,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port) + struct usb_serial *serial = port->serial; + struct cypress_private *priv; + ++ if (!port->interrupt_out_urb || !port->interrupt_in_urb) { ++ dev_err(&port->dev, "A required endpoint is missing\n"); ++ return -ENODEV; ++ } ++ + priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL); + if (!priv) + return -ENOMEM; +@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port) + cypress_set_termios(tty, port, &priv->tmp_termios); + + /* setup the port and start reading from the device */ +- if (!port->interrupt_in_urb) { +- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n", +- __func__); +- return -1; +- } +- + usb_fill_int_urb(port->interrupt_in_urb, serial->dev, + usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress), + port->interrupt_in_urb->transfer_buffer, +-- +2.5.0 + |