kernel: CVE-2016-3136

Crash on invalid USB device descriptors (mct_u232 driver) Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3136 Reference to upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=f9dbb3666b3ddb5f9a7e44a433383cb6880a03f5 Signen-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-09-13 13:47:11 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2016-09-13 15:43:31 +0200
commit: 07803ad12e6fcc5367f8107ea04eae9af0846fc0 (patch)
tree: 1b7c62bf7262e5070de297a934a124ff51e14aab
parent: 6d95f99420e5dc05fc7319b6e3e85eec29a3e080 (diff)
download: meta-enea-bsp-arm-07803ad12e6fcc5367f8107ea04eae9af0846fc0.tar.gz
2 files changed, 53 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-ls1/CVE-2016-3136.patch b/recipes-kernel/linux/linux-ls1/CVE-2016-3136.patch
new file mode 100644
index 0000000..6821435
--- /dev/null
+++ b/recipes-kernel/linux/linux-ls1/CVE-2016-3136.patch
@@ -0,0 +1,52 @@
+From f9dbb3666b3ddb5f9a7e44a433383cb6880a03f5 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 31 Mar 2016 12:04:24 -0400
+Subject: USB: mct_u232: add sanity checking in probe
+commit 4e9a0b05257f29cf4b75f3209243ed71614d062e upstream.
+An attack using the lack of sanity checking in probe is known. This
+patch checks for the existence of a second port.
+CVE: CVE-2016-3136
+Upstream-Status: Backport
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+[johan: add error message ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/usb/serial/mct_u232.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
+index 6a15adf..c14c29f 100644
+--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
+@@ -377,14 +377,21 @@ static void mct_u232_msr_to_state(struct usb_serial_port *port,
+ 
+ static int mct_u232_port_probe(struct usb_serial_port *port)
+ {
+       struct usb_serial *serial = port->serial;
+        struct mct_u232_private *priv;
+ 
+       /* check first to simplify error handling */
+       if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
+               dev_err(&port->dev, "expected endpoint missing\n");
+               return -ENODEV;
+       }
+
+        priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+        if (!priv)
+                return -ENOMEM;
+ 
+        /* Use second interrupt-in endpoint for reading. */
+-       priv->read_urb = port->serial->port[1]->interrupt_in_urb;
+       priv->read_urb = serial->port[1]->interrupt_in_urb;
+        priv->read_urb->context = port;
+ 
+        spin_lock_init(&priv->lock);
+-- 
+cgit v0.12
diff --git a/recipes-kernel/linux/linux-ls1_3.12.bbappend b/recipes-kernel/linux/linux-ls1_3.12.bbappend
index b04933d..8bc21d4 100644
--- a/recipes-kernel/linux/linux-ls1_3.12.bbappend
+++ b/recipes-kernel/linux/linux-ls1_3.12.bbappend
@@ -7,6 +7,7 @@ SRC_URI += "file://ls1021aiot.dts \
            file://0002-watchdog-fix-errata-err004346.patch \
            file://ppp-CVE-2015-8569.patch \
            file://net-CVE-2016-5696.patch \
+            file://CVE-2016-3136.patch \
           "
 # fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-09-13 13:47:11 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2016-09-13 15:43:31 +0200
commit	07803ad12e6fcc5367f8107ea04eae9af0846fc0 (patch)
tree	1b7c62bf7262e5070de297a934a124ff51e14aab
parent	6d95f99420e5dc05fc7319b6e3e85eec29a3e080 (diff)
download	meta-enea-bsp-arm-07803ad12e6fcc5367f8107ea04eae9af0846fc0.tar.gz

diff --git a/recipes-kernel/linux/linux-ls1/CVE-2016-3136.patch b/recipes-kernel/linux/linux-ls1/CVE-2016-3136.patch new file mode 100644 index 0000000..6821435 --- /dev/null +++ b/recipes-kernel/linux/linux-ls1/CVE-2016-3136.patch
@@ -0,0 +1,52 @@
		1	From f9dbb3666b3ddb5f9a7e44a433383cb6880a03f5 Mon Sep 17 00:00:00 2001
		2	From: Oliver Neukum <oneukum@suse.com>
		3	Date: Thu, 31 Mar 2016 12:04:24 -0400
		4	Subject: USB: mct_u232: add sanity checking in probe
		5
		6	commit 4e9a0b05257f29cf4b75f3209243ed71614d062e upstream.
		7
		8	An attack using the lack of sanity checking in probe is known. This
		9	patch checks for the existence of a second port.
		10
		11	CVE: CVE-2016-3136
		12	Upstream-Status: Backport
		13
		14	Signed-off-by: Oliver Neukum <ONeukum@suse.com>
		15	[johan: add error message ]
		16	Signed-off-by: Johan Hovold <johan@kernel.org>
		17	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		18	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		19	---
		20	drivers/usb/serial/mct_u232.c \| 9 ++++++++-
		21	1 file changed, 8 insertions(+), 1 deletion(-)
		22
		23	diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
		24	index 6a15adf..c14c29f 100644
		25	--- a/drivers/usb/serial/mct_u232.c
		26	+++ b/drivers/usb/serial/mct_u232.c
		27	@@ -377,14 +377,21 @@ static void mct_u232_msr_to_state(struct usb_serial_port *port,
		28
		29	static int mct_u232_port_probe(struct usb_serial_port *port)
		30	{
		31	+ struct usb_serial *serial = port->serial;
		32	struct mct_u232_private *priv;
		33
		34	+ /* check first to simplify error handling */
		35	+ if (!serial->port[1] \|\| !serial->port[1]->interrupt_in_urb) {
		36	+ dev_err(&port->dev, "expected endpoint missing\n");
		37	+ return -ENODEV;
		38	+ }
		39	+
		40	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
		41	if (!priv)
		42	return -ENOMEM;
		43
		44	/* Use second interrupt-in endpoint for reading. */
		45	- priv->read_urb = port->serial->port[1]->interrupt_in_urb;
		46	+ priv->read_urb = serial->port[1]->interrupt_in_urb;
		47	priv->read_urb->context = port;
		48
		49	spin_lock_init(&priv->lock);
		50	--
		51	cgit v0.12
		52


diff --git a/recipes-kernel/linux/linux-ls1_3.12.bbappend b/recipes-kernel/linux/linux-ls1_3.12.bbappend index b04933d..8bc21d4 100644 --- a/recipes-kernel/linux/linux-ls1_3.12.bbappend +++ b/recipes-kernel/linux/linux-ls1_3.12.bbappend
@@ -7,6 +7,7 @@ SRC_URI += "file://ls1021aiot.dts \
7	file://0002-watchdog-fix-errata-err004346.patch \	7	file://0002-watchdog-fix-errata-err004346.patch \
8	file://ppp-CVE-2015-8569.patch \	8	file://ppp-CVE-2015-8569.patch \
9	file://net-CVE-2016-5696.patch \	9	file://net-CVE-2016-5696.patch \
		10	file://CVE-2016-3136.patch \
10	"	11	"
11		12
12	# fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch"	13	# fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch"