diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-09-13 13:47:11 +0200 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2016-09-13 15:43:31 +0200 |
commit | 07803ad12e6fcc5367f8107ea04eae9af0846fc0 (patch) | |
tree | 1b7c62bf7262e5070de297a934a124ff51e14aab | |
parent | 6d95f99420e5dc05fc7319b6e3e85eec29a3e080 (diff) | |
download | meta-enea-bsp-arm-07803ad12e6fcc5367f8107ea04eae9af0846fc0.tar.gz |
kernel: CVE-2016-3136
Crash on invalid USB device descriptors (mct_u232 driver)
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3136
Reference to upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=f9dbb3666b3ddb5f9a7e44a433383cb6880a03f5
Signen-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
-rw-r--r-- | recipes-kernel/linux/linux-ls1/CVE-2016-3136.patch | 52 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-ls1_3.12.bbappend | 1 |
2 files changed, 53 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-ls1/CVE-2016-3136.patch b/recipes-kernel/linux/linux-ls1/CVE-2016-3136.patch new file mode 100644 index 0000000..6821435 --- /dev/null +++ b/recipes-kernel/linux/linux-ls1/CVE-2016-3136.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | From f9dbb3666b3ddb5f9a7e44a433383cb6880a03f5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Oliver Neukum <oneukum@suse.com> | ||
3 | Date: Thu, 31 Mar 2016 12:04:24 -0400 | ||
4 | Subject: USB: mct_u232: add sanity checking in probe | ||
5 | |||
6 | commit 4e9a0b05257f29cf4b75f3209243ed71614d062e upstream. | ||
7 | |||
8 | An attack using the lack of sanity checking in probe is known. This | ||
9 | patch checks for the existence of a second port. | ||
10 | |||
11 | CVE: CVE-2016-3136 | ||
12 | Upstream-Status: Backport | ||
13 | |||
14 | Signed-off-by: Oliver Neukum <ONeukum@suse.com> | ||
15 | [johan: add error message ] | ||
16 | Signed-off-by: Johan Hovold <johan@kernel.org> | ||
17 | Signed-off-by: Jiri Slaby <jslaby@suse.cz> | ||
18 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
19 | --- | ||
20 | drivers/usb/serial/mct_u232.c | 9 ++++++++- | ||
21 | 1 file changed, 8 insertions(+), 1 deletion(-) | ||
22 | |||
23 | diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c | ||
24 | index 6a15adf..c14c29f 100644 | ||
25 | --- a/drivers/usb/serial/mct_u232.c | ||
26 | +++ b/drivers/usb/serial/mct_u232.c | ||
27 | @@ -377,14 +377,21 @@ static void mct_u232_msr_to_state(struct usb_serial_port *port, | ||
28 | |||
29 | static int mct_u232_port_probe(struct usb_serial_port *port) | ||
30 | { | ||
31 | + struct usb_serial *serial = port->serial; | ||
32 | struct mct_u232_private *priv; | ||
33 | |||
34 | + /* check first to simplify error handling */ | ||
35 | + if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) { | ||
36 | + dev_err(&port->dev, "expected endpoint missing\n"); | ||
37 | + return -ENODEV; | ||
38 | + } | ||
39 | + | ||
40 | priv = kzalloc(sizeof(*priv), GFP_KERNEL); | ||
41 | if (!priv) | ||
42 | return -ENOMEM; | ||
43 | |||
44 | /* Use second interrupt-in endpoint for reading. */ | ||
45 | - priv->read_urb = port->serial->port[1]->interrupt_in_urb; | ||
46 | + priv->read_urb = serial->port[1]->interrupt_in_urb; | ||
47 | priv->read_urb->context = port; | ||
48 | |||
49 | spin_lock_init(&priv->lock); | ||
50 | -- | ||
51 | cgit v0.12 | ||
52 | |||
diff --git a/recipes-kernel/linux/linux-ls1_3.12.bbappend b/recipes-kernel/linux/linux-ls1_3.12.bbappend index b04933d..8bc21d4 100644 --- a/recipes-kernel/linux/linux-ls1_3.12.bbappend +++ b/recipes-kernel/linux/linux-ls1_3.12.bbappend | |||
@@ -7,6 +7,7 @@ SRC_URI += "file://ls1021aiot.dts \ | |||
7 | file://0002-watchdog-fix-errata-err004346.patch \ | 7 | file://0002-watchdog-fix-errata-err004346.patch \ |
8 | file://ppp-CVE-2015-8569.patch \ | 8 | file://ppp-CVE-2015-8569.patch \ |
9 | file://net-CVE-2016-5696.patch \ | 9 | file://net-CVE-2016-5696.patch \ |
10 | file://CVE-2016-3136.patch \ | ||
10 | " | 11 | " |
11 | 12 | ||
12 | # fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch" | 13 | # fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch" |