From 4c948d6d0ba0213e4abc29f4e0863dc4ef211507 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 18 Mar 2016 10:32:05 -0400 Subject: CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464) --- ...owermate-fix-oops-with-malicious-USB-desc.patch | 38 ++++++++++++++++++++++ kernel.spec | 4 +++ 2 files changed, 42 insertions(+) create mode 100644 USB-input-powermate-fix-oops-with-malicious-USB-desc.patch diff --git a/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch b/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch new file mode 100644 index 000000000..7de890e1b --- /dev/null +++ b/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch @@ -0,0 +1,38 @@ +From 0383ff3ba89d3e6c604138e3ba46685621d71f98 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Mon, 14 Mar 2016 10:02:51 -0400 +Subject: [PATCH] USB: input: powermate: fix oops with malicious USB + descriptors + +The powermate driver expects at least one valid USB endpoint in its +probe function. If given malicious descriptors that specify 0 for +the number of endpoints, it will crash. Validate the number of +endpoints on the interface before using them. + +The full report for this issue can be found here: +http://seclists.org/bugtraq/2016/Mar/85 + +Reported-by: Ralf Spenneberg +Cc: stable +Signed-off-by: Josh Boyer +--- + drivers/input/misc/powermate.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c +index 63b539d3daba..84909a12ff36 100644 +--- a/drivers/input/misc/powermate.c ++++ b/drivers/input/misc/powermate.c +@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i + int error = -ENOMEM; + + interface = intf->cur_altsetting; ++ if (interface->desc.bNumEndpoints < 1) ++ return -EINVAL; ++ + endpoint = &interface->endpoint[0].desc; + if (!usb_endpoint_is_int_in(endpoint)) + return -EIO; +-- +2.5.0 + diff --git a/kernel.spec b/kernel.spec index 550698e81..e6387ff52 100644 --- a/kernel.spec +++ b/kernel.spec @@ -634,6 +634,9 @@ Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch #CVE-2016-3137 rhbz 1317010 1316996 Patch672: cypress_m8-add-sanity-checking.patch +#CVE-2016-2186 rhbz 1317015 1317464 +Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch + # END OF PATCH DEFINITIONS %endif @@ -2156,6 +2159,7 @@ fi # %changelog * Fri Mar 18 2016 Josh Boyer +- CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464) - CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996) - CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470) -- cgit