-rw-r--r--USB-whiteheat-fix-potential-null-deref-at-probe.patch81
-rw-r--r--kernel.spec10
2 files changed, 89 insertions, 2 deletions
diff --git a/USB-whiteheat-fix-potential-null-deref-at-probe.patch b/USB-whiteheat-fix-potential-null-deref-at-probe.patch
new file mode 100644
index 000000000..00fd5578c
--- /dev/null
+++ b/USB-whiteheat-fix-potential-null-deref-at-probe.patch
@@ -0,0 +1,81 @@
+From 10d98bced414c6fc1d09db123e7f762d91b5ebea Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 23 Sep 2015 11:41:42 -0700
+Subject: [PATCH] USB: whiteheat: fix potential null-deref at probe
+
+Fix potential null-pointer dereference at probe by making sure that the
+required endpoints are present.
+
+The whiteheat driver assumes there are at least five pairs of bulk
+endpoints, of which the final pair is used for the "command port". An
+attempt to bind to an interface with fewer bulk endpoints would
+currently lead to an oops.
+
+Fixes CVE-2015-5257.
+
+Reported-by: Moein Ghasemzadeh <moein@istuary.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+---
+ drivers/usb/serial/whiteheat.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
+index 6c3734d2b45a..d3ea90bef84d 100644
+--- a/drivers/usb/serial/whiteheat.c
++++ b/drivers/usb/serial/whiteheat.c
+@@ -80,6 +80,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial,
+ static int whiteheat_firmware_attach(struct usb_serial *serial);
+
+ /* function prototypes for the Connect Tech WhiteHEAT serial converter */
++static int whiteheat_probe(struct usb_serial *serial,
++ const struct usb_device_id *id);
+ static int whiteheat_attach(struct usb_serial *serial);
+ static void whiteheat_release(struct usb_serial *serial);
+ static int whiteheat_port_probe(struct usb_serial_port *port);
+@@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = {
+ .description = "Connect Tech - WhiteHEAT",
+ .id_table = id_table_std,
+ .num_ports = 4,
++ .probe = whiteheat_probe,
+ .attach = whiteheat_attach,
+ .release = whiteheat_release,
+ .port_probe = whiteheat_port_probe,
+@@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial)
+ /*****************************************************************************
+ * Connect Tech's White Heat serial driver functions
+ *****************************************************************************/
++
++static int whiteheat_probe(struct usb_serial *serial,
++ const struct usb_device_id *id)
++{
++ struct usb_host_interface *iface_desc;
++ struct usb_endpoint_descriptor *endpoint;
++ size_t num_bulk_in = 0;
++ size_t num_bulk_out = 0;
++ size_t min_num_bulk;
++ unsigned int i;
++
++ iface_desc = serial->interface->cur_altsetting;
++
++ for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
++ endpoint = &iface_desc->endpoint[i].desc;
++ if (usb_endpoint_is_bulk_in(endpoint))
++ ++num_bulk_in;
++ if (usb_endpoint_is_bulk_out(endpoint))
++ ++num_bulk_out;
++ }
++
++ min_num_bulk = COMMAND_PORT + 1;
++ if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk)
++ return -ENODEV;
++
++ return 0;
++}
++
+ static int whiteheat_attach(struct usb_serial *serial)
+ {
+ struct usb_serial_port *command_port;
+--
+2.4.3
+
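Review bot: The rejection path in `whiteheat_probe` returns `-ENODEV` without logging, so a device that presents too few bulk endpoints is refused silently and leaves nothing in the kernel log for whoever investigates the failed bind. Adding `dev_err(&serial->interface->dev, "required endpoints missing\n");` before `return -ENODEV;` would record the event. The threshold `min_num_bulk = COMMAND_PORT + 1;` also deserves a comment such as `/* the data ports and the command port each need a bulk-in/bulk-out pair */`, because the definition of `COMMAND_PORT` is not visible in this patch and the reasoning currently lives only in the commit message. `whiteheat_probe` is complete within the hunk, but `whiteheat_attach` continues past its end, so how it uses the command port's endpoints cannot be checked from here.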
diff --git a/kernel.spec b/kernel.spec
index 1e7d0e29e..bba4af47a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -587,11 +587,14 @@ Patch509: ideapad-laptop-Add-Lenovo-Yoga-3-14-to-no_hw_rfkill-.patch
Patch520: ARM-dts-Fix-Makefile-target-for-sun4i-a10-itead-itea.patch
-Patch904: kdbus.patch
-
#rhbz 1263762
Patch526: 0001-x86-cpu-cacheinfo-Fix-teardown-path.patch
+#CVE-2015-5257 rhbz 1265607 1265612
+Patch527: USB-whiteheat-fix-potential-null-deref-at-probe.patch
+
+Patch904: kdbus.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -2035,6 +2038,9 @@ fi
#
#
%changelog
+* Thu Sep 24 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-5257 Null ptr deref in usb whiteheat driver (rhbz 1265607 1265612)
+
* Tue Sep 22 2015 Laura Abbott <labbott@redhat.com> - 4.3.0-0.rc2.git1.1
- Linux v4.3-rc2-19-gbcee19f
- Reenable debugging options.