diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-01-21 11:10:26 +0100 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2016-01-22 01:48:38 +0100 |
commit | b743c20e004d23a8eb0f5f7553a0c709284336c0 (patch) | |
tree | 9ed6130219e8c9e4fe35006cc5b98ad6a6f0377b | |
parent | 7456bb37db08a401a05ed06009a9e2b3572787be (diff) | |
download | meta-enea-b743c20e004d23a8eb0f5f7553a0c709284336c0.tar.gz |
usb-whiteheat: CVE-2015-5257
Fixes NULL pointer dereference in USB WhiteHEAT serial.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5257
Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=fe6689e03318d5745d88328395fd326e08238533
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/usb-whiteheat-CVE-2015-5257.patch | 85 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-qoriq-common.inc | 1 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 |
3 files changed, 87 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/usb-whiteheat-CVE-2015-5257.patch b/recipes-kernel/linux/files/usb-whiteheat-CVE-2015-5257.patch new file mode 100644 index 0000000..e1fd45f --- /dev/null +++ b/recipes-kernel/linux/files/usb-whiteheat-CVE-2015-5257.patch | |||
@@ -0,0 +1,85 @@ | |||
1 | From fe6689e03318d5745d88328395fd326e08238533 Mon Sep 17 00:00:00 2001 | ||
2 | From: Johan Hovold <johan@kernel.org> | ||
3 | Date: Wed, 23 Sep 2015 11:41:42 -0700 | ||
4 | Subject: USB: whiteheat: fix potential null-deref at probe | ||
5 | |||
6 | commit cbb4be652d374f64661137756b8f357a1827d6a4 upstream. | ||
7 | |||
8 | Fix potential null-pointer dereference at probe by making sure that the | ||
9 | required endpoints are present. | ||
10 | |||
11 | The whiteheat driver assumes there are at least five pairs of bulk | ||
12 | endpoints, of which the final pair is used for the "command port". An | ||
13 | attempt to bind to an interface with fewer bulk endpoints would | ||
14 | currently lead to an oops. | ||
15 | |||
16 | Fixes CVE-2015-5257. | ||
17 | Upstream-Status: Backport | ||
18 | |||
19 | Reported-by: Moein Ghasemzadeh <moein@istuary.com> | ||
20 | Signed-off-by: Johan Hovold <johan@kernel.org> | ||
21 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
22 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
23 | --- | ||
24 | drivers/usb/serial/whiteheat.c | 31 +++++++++++++++++++++++++++++++ | ||
25 | 1 file changed, 31 insertions(+) | ||
26 | |||
27 | diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c | ||
28 | index 6c3734d..d3ea90b 100644 | ||
29 | --- a/drivers/usb/serial/whiteheat.c | ||
30 | +++ b/drivers/usb/serial/whiteheat.c | ||
31 | @@ -80,6 +80,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial, | ||
32 | static int whiteheat_firmware_attach(struct usb_serial *serial); | ||
33 | |||
34 | /* function prototypes for the Connect Tech WhiteHEAT serial converter */ | ||
35 | +static int whiteheat_probe(struct usb_serial *serial, | ||
36 | + const struct usb_device_id *id); | ||
37 | static int whiteheat_attach(struct usb_serial *serial); | ||
38 | static void whiteheat_release(struct usb_serial *serial); | ||
39 | static int whiteheat_port_probe(struct usb_serial_port *port); | ||
40 | @@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = { | ||
41 | .description = "Connect Tech - WhiteHEAT", | ||
42 | .id_table = id_table_std, | ||
43 | .num_ports = 4, | ||
44 | + .probe = whiteheat_probe, | ||
45 | .attach = whiteheat_attach, | ||
46 | .release = whiteheat_release, | ||
47 | .port_probe = whiteheat_port_probe, | ||
48 | @@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial) | ||
49 | /***************************************************************************** | ||
50 | * Connect Tech's White Heat serial driver functions | ||
51 | *****************************************************************************/ | ||
52 | + | ||
53 | +static int whiteheat_probe(struct usb_serial *serial, | ||
54 | + const struct usb_device_id *id) | ||
55 | +{ | ||
56 | + struct usb_host_interface *iface_desc; | ||
57 | + struct usb_endpoint_descriptor *endpoint; | ||
58 | + size_t num_bulk_in = 0; | ||
59 | + size_t num_bulk_out = 0; | ||
60 | + size_t min_num_bulk; | ||
61 | + unsigned int i; | ||
62 | + | ||
63 | + iface_desc = serial->interface->cur_altsetting; | ||
64 | + | ||
65 | + for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) { | ||
66 | + endpoint = &iface_desc->endpoint[i].desc; | ||
67 | + if (usb_endpoint_is_bulk_in(endpoint)) | ||
68 | + ++num_bulk_in; | ||
69 | + if (usb_endpoint_is_bulk_out(endpoint)) | ||
70 | + ++num_bulk_out; | ||
71 | + } | ||
72 | + | ||
73 | + min_num_bulk = COMMAND_PORT + 1; | ||
74 | + if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk) | ||
75 | + return -ENODEV; | ||
76 | + | ||
77 | + return 0; | ||
78 | +} | ||
79 | + | ||
80 | static int whiteheat_attach(struct usb_serial *serial) | ||
81 | { | ||
82 | struct usb_serial_port *command_port; | ||
83 | -- | ||
84 | cgit v0.12 | ||
85 | |||
diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc index 62038e5..a0dfa69 100644 --- a/recipes-kernel/linux/linux-qoriq-common.inc +++ b/recipes-kernel/linux/linux-qoriq-common.inc | |||
@@ -13,6 +13,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \ | |||
13 | file://eCryptfs-CVE-2014-9683.patch \ | 13 | file://eCryptfs-CVE-2014-9683.patch \ |
14 | file://netfilter-CVE-2014-9715.patch \ | 14 | file://netfilter-CVE-2014-9715.patch \ |
15 | file://net-sctp-CVE-2015-1421.patch \ | 15 | file://net-sctp-CVE-2015-1421.patch \ |
16 | file://usb-whiteheat-CVE-2015-5257.patch \ | ||
16 | " | 17 | " |
17 | 18 | ||
18 | SRC_URI += "file://cfg/00013-localversion.cfg \ | 19 | SRC_URI += "file://cfg/00013-localversion.cfg \ |
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend index 10ea463..4b9e525 100644 --- a/recipes-kernel/linux/linux-yocto_3.14.bbappend +++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend | |||
@@ -19,4 +19,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d | |||
19 | file://ipv6-CVE-2015-2922.patch \ | 19 | file://ipv6-CVE-2015-2922.patch \ |
20 | file://ipv4-CVE-2015-3636.patch \ | 20 | file://ipv4-CVE-2015-3636.patch \ |
21 | file://udf-CVE-2015-4167.patch \ | 21 | file://udf-CVE-2015-4167.patch \ |
22 | file://usb-whiteheat-CVE-2015-5257.patch \ | ||
22 | " | 23 | " |