USB: usbtest: CVE-2017-16532

usb: usbtest: fix NULL pointer dereference References: https://nvd.nist.gov/vuln/detail/CVE-2017-16532 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c80f9e4a588f1925b07134bb2e3689335f6c6d8 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=8cf061d919e2102d0de0379bafea6cce1405d786 Change-Id: I988e0689224b6b5c0105fecf4e753516b8a9fe92 Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
author: Adrian Stratulat <adrian.stratulat@enea.com> 2019-10-30 12:33:58 +0100
committer: Adrian Stratulat <adrian.stratulat@enea.com> 2019-10-30 12:37:07 +0100
commit: 062a0edacf29e234b60d582dd38697793d8efb61 (patch)
tree: dd62f403badf2c8125e1ce1e04b289cfb68316cb
parent: 2a790eef3b2f6607ef5e8b1c041ba5f77717e41c (diff)
download: enea-kernel-cache-062a0edacf29e234b60d582dd38697793d8efb61.tar.gz
1 files changed, 49 insertions, 0 deletions
diff --git a/patches/cve/CVE-2017-16532.patch b/patches/cve/CVE-2017-16532.patch
new file mode 100644
index 0000000..b72f9e2
--- /dev/null
+++ b/patches/cve/CVE-2017-16532.patch
@@ -0,0 +1,49 @@
+From 8cf061d919e2102d0de0379bafea6cce1405d786 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 29 Sep 2017 10:54:24 -0400
+Subject: usb: usbtest: fix NULL pointer dereference
+commit 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 upstream.
+If the usbtest driver encounters a device with an IN bulk endpoint but
+no OUT bulk endpoint, it will try to dereference a NULL pointer
+(out->desc.bEndpointAddress).  The problem can be solved by adding a
+missing test.
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=8cf061d919e2102d0de0379bafea6cce1405d786]
+CVE: CVE-2017-16532
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
+---
+ drivers/usb/misc/usbtest.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
+index d94927e5623b..e31f72b3a22c 100644
+--- a/drivers/usb/misc/usbtest.c
+++ b/drivers/usb/misc/usbtest.c
+@@ -182,12 +182,13 @@ found:
+                        return tmp;
+        }
+ 
+-       if (in) {
+       if (in)
+                dev->in_pipe = usb_rcvbulkpipe(udev,
+                        in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
+       if (out)
+                dev->out_pipe = usb_sndbulkpipe(udev,
+                        out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
+-       }
+
+        if (iso_in) {
+                dev->iso_in = &iso_in->desc;
+                dev->in_iso_pipe = usb_rcvisocpipe(udev,
+-- 
+cgit 1.2-0.3.lf.el7
author	Adrian Stratulat <adrian.stratulat@enea.com>	2019-10-30 12:33:58 +0100
committer	Adrian Stratulat <adrian.stratulat@enea.com>	2019-10-30 12:37:07 +0100
commit	062a0edacf29e234b60d582dd38697793d8efb61 (patch)
tree	dd62f403badf2c8125e1ce1e04b289cfb68316cb
parent	2a790eef3b2f6607ef5e8b1c041ba5f77717e41c (diff)
download	enea-kernel-cache-062a0edacf29e234b60d582dd38697793d8efb61.tar.gz

diff --git a/patches/cve/CVE-2017-16532.patch b/patches/cve/CVE-2017-16532.patch new file mode 100644 index 0000000..b72f9e2 --- /dev/null +++ b/patches/cve/CVE-2017-16532.patch
@@ -0,0 +1,49 @@
	1	From 8cf061d919e2102d0de0379bafea6cce1405d786 Mon Sep 17 00:00:00 2001
	2	From: Alan Stern <stern@rowland.harvard.edu>
	3	Date: Fri, 29 Sep 2017 10:54:24 -0400
	4	Subject: usb: usbtest: fix NULL pointer dereference
	5
	6	commit 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 upstream.
	7
	8	If the usbtest driver encounters a device with an IN bulk endpoint but
	9	no OUT bulk endpoint, it will try to dereference a NULL pointer
	10	(out->desc.bEndpointAddress). The problem can be solved by adding a
	11	missing test.
	12
	13	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=8cf061d919e2102d0de0379bafea6cce1405d786]
	14	CVE: CVE-2017-16532
	15
	16	Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
	17	Reported-by: Andrey Konovalov <andreyknvl@google.com>
	18	Tested-by: Andrey Konovalov <andreyknvl@google.com>
	19	Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
	20	Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
	21	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	22	Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
	23	---
	24	drivers/usb/misc/usbtest.c \| 5 +++--
	25	1 file changed, 3 insertions(+), 2 deletions(-)
	26
	27	diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
	28	index d94927e5623b..e31f72b3a22c 100644
	29	--- a/drivers/usb/misc/usbtest.c
	30	+++ b/drivers/usb/misc/usbtest.c
	31	@@ -182,12 +182,13 @@ found:
	32	return tmp;
	33	}
	34
	35	- if (in) {
	36	+ if (in)
	37	dev->in_pipe = usb_rcvbulkpipe(udev,
	38	in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
	39	+ if (out)
	40	dev->out_pipe = usb_sndbulkpipe(udev,
	41	out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
	42	- }
	43	+
	44	if (iso_in) {
	45	dev->iso_in = &iso_in->desc;
	46	dev->in_iso_pipe = usb_rcvisocpipe(udev,
	47	--
	48	cgit 1.2-0.3.lf.el7
	49