usb-whiteheat: CVE-2015-5257

Fixes NULL pointer dereference in USB WhiteHEAT serial. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5257 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=fe6689e03318d5745d88328395fd326e08238533 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-01-21 11:10:26 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2016-01-22 01:48:38 +0100
commit: b743c20e004d23a8eb0f5f7553a0c709284336c0 (patch)
tree: 9ed6130219e8c9e4fe35006cc5b98ad6a6f0377b
parent: 7456bb37db08a401a05ed06009a9e2b3572787be (diff)
download: meta-enea-b743c20e004d23a8eb0f5f7553a0c709284336c0.tar.gz
3 files changed, 87 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/usb-whiteheat-CVE-2015-5257.patch b/recipes-kernel/linux/files/usb-whiteheat-CVE-2015-5257.patch
new file mode 100644
index 0000000..e1fd45f
--- /dev/null
+++ b/recipes-kernel/linux/files/usb-whiteheat-CVE-2015-5257.patch
@@ -0,0 +1,85 @@
+From fe6689e03318d5745d88328395fd326e08238533 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 23 Sep 2015 11:41:42 -0700
+Subject: USB: whiteheat: fix potential null-deref at probe
+commit cbb4be652d374f64661137756b8f357a1827d6a4 upstream.
+Fix potential null-pointer dereference at probe by making sure that the
+required endpoints are present.
+The whiteheat driver assumes there are at least five pairs of bulk
+endpoints, of which the final pair is used for the "command port". An
+attempt to bind to an interface with fewer bulk endpoints would
+currently lead to an oops.
+Fixes CVE-2015-5257.
+Upstream-Status: Backport
+Reported-by: Moein Ghasemzadeh <moein@istuary.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/usb/serial/whiteheat.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
+index 6c3734d..d3ea90b 100644
+--- a/drivers/usb/serial/whiteheat.c
+++ b/drivers/usb/serial/whiteheat.c
+@@ -80,6 +80,8 @@ static int  whiteheat_firmware_download(struct usb_serial *serial,
+ static int  whiteheat_firmware_attach(struct usb_serial *serial);
+ 
+ /* function prototypes for the Connect Tech WhiteHEAT serial converter */
+static int whiteheat_probe(struct usb_serial *serial,
+                               const struct usb_device_id *id);
+ static int  whiteheat_attach(struct usb_serial *serial);
+ static void whiteheat_release(struct usb_serial *serial);
+ static int  whiteheat_port_probe(struct usb_serial_port *port);
+@@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = {
+        .description =          "Connect Tech - WhiteHEAT",
+        .id_table =             id_table_std,
+        .num_ports =            4,
+       .probe =                whiteheat_probe,
+        .attach =               whiteheat_attach,
+        .release =              whiteheat_release,
+        .port_probe =           whiteheat_port_probe,
+@@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial)
+ /*****************************************************************************
+  * Connect Tech's White Heat serial driver functions
+  *****************************************************************************/
+
+static int whiteheat_probe(struct usb_serial *serial,
+                               const struct usb_device_id *id)
+{
+       struct usb_host_interface *iface_desc;
+       struct usb_endpoint_descriptor *endpoint;
+       size_t num_bulk_in = 0;
+       size_t num_bulk_out = 0;
+       size_t min_num_bulk;
+       unsigned int i;
+
+       iface_desc = serial->interface->cur_altsetting;
+
+       for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
+               endpoint = &iface_desc->endpoint[i].desc;
+               if (usb_endpoint_is_bulk_in(endpoint))
+                       ++num_bulk_in;
+               if (usb_endpoint_is_bulk_out(endpoint))
+                       ++num_bulk_out;
+       }
+
+       min_num_bulk = COMMAND_PORT + 1;
+       if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk)
+               return -ENODEV;
+
+       return 0;
+}
+
+ static int whiteheat_attach(struct usb_serial *serial)
+ {
+        struct usb_serial_port *command_port;
+-- 
+cgit v0.12
diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc
index 62038e5..a0dfa69 100644
--- a/recipes-kernel/linux/linux-qoriq-common.inc
+++ b/recipes-kernel/linux/linux-qoriq-common.inc
@@ -13,6 +13,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \
    file://eCryptfs-CVE-2014-9683.patch \
    file://netfilter-CVE-2014-9715.patch \
    file://net-sctp-CVE-2015-1421.patch \
+    file://usb-whiteheat-CVE-2015-5257.patch \
    "
 SRC_URI += "file://cfg/00013-localversion.cfg \
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index 10ea463..4b9e525 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -19,4 +19,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
            file://ipv6-CVE-2015-2922.patch \
            file://ipv4-CVE-2015-3636.patch \
            file://udf-CVE-2015-4167.patch \
+            file://usb-whiteheat-CVE-2015-5257.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-01-21 11:10:26 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2016-01-22 01:48:38 +0100
commit	b743c20e004d23a8eb0f5f7553a0c709284336c0 (patch)
tree	9ed6130219e8c9e4fe35006cc5b98ad6a6f0377b
parent	7456bb37db08a401a05ed06009a9e2b3572787be (diff)
download	meta-enea-b743c20e004d23a8eb0f5f7553a0c709284336c0.tar.gz

diff --git a/recipes-kernel/linux/files/usb-whiteheat-CVE-2015-5257.patch b/recipes-kernel/linux/files/usb-whiteheat-CVE-2015-5257.patch new file mode 100644 index 0000000..e1fd45f --- /dev/null +++ b/recipes-kernel/linux/files/usb-whiteheat-CVE-2015-5257.patch
@@ -0,0 +1,85 @@
		1	From fe6689e03318d5745d88328395fd326e08238533 Mon Sep 17 00:00:00 2001
		2	From: Johan Hovold <johan@kernel.org>
		3	Date: Wed, 23 Sep 2015 11:41:42 -0700
		4	Subject: USB: whiteheat: fix potential null-deref at probe
		5
		6	commit cbb4be652d374f64661137756b8f357a1827d6a4 upstream.
		7
		8	Fix potential null-pointer dereference at probe by making sure that the
		9	required endpoints are present.
		10
		11	The whiteheat driver assumes there are at least five pairs of bulk
		12	endpoints, of which the final pair is used for the "command port". An
		13	attempt to bind to an interface with fewer bulk endpoints would
		14	currently lead to an oops.
		15
		16	Fixes CVE-2015-5257.
		17	Upstream-Status: Backport
		18
		19	Reported-by: Moein Ghasemzadeh <moein@istuary.com>
		20	Signed-off-by: Johan Hovold <johan@kernel.org>
		21	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		22	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		23	---
		24	drivers/usb/serial/whiteheat.c \| 31 +++++++++++++++++++++++++++++++
		25	1 file changed, 31 insertions(+)
		26
		27	diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
		28	index 6c3734d..d3ea90b 100644
		29	--- a/drivers/usb/serial/whiteheat.c
		30	+++ b/drivers/usb/serial/whiteheat.c
		31	@@ -80,6 +80,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial,
		32	static int whiteheat_firmware_attach(struct usb_serial *serial);
		33
		34	/* function prototypes for the Connect Tech WhiteHEAT serial converter */
		35	+static int whiteheat_probe(struct usb_serial *serial,
		36	+ const struct usb_device_id *id);
		37	static int whiteheat_attach(struct usb_serial *serial);
		38	static void whiteheat_release(struct usb_serial *serial);
		39	static int whiteheat_port_probe(struct usb_serial_port *port);
		40	@@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = {
		41	.description = "Connect Tech - WhiteHEAT",
		42	.id_table = id_table_std,
		43	.num_ports = 4,
		44	+ .probe = whiteheat_probe,
		45	.attach = whiteheat_attach,
		46	.release = whiteheat_release,
		47	.port_probe = whiteheat_port_probe,
		48	@@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial)
		49	/*****************************************************************************
		50	* Connect Tech's White Heat serial driver functions
		51	*****************************************************************************/
		52	+
		53	+static int whiteheat_probe(struct usb_serial *serial,
		54	+ const struct usb_device_id *id)
		55	+{
		56	+ struct usb_host_interface *iface_desc;
		57	+ struct usb_endpoint_descriptor *endpoint;
		58	+ size_t num_bulk_in = 0;
		59	+ size_t num_bulk_out = 0;
		60	+ size_t min_num_bulk;
		61	+ unsigned int i;
		62	+
		63	+ iface_desc = serial->interface->cur_altsetting;
		64	+
		65	+ for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
		66	+ endpoint = &iface_desc->endpoint[i].desc;
		67	+ if (usb_endpoint_is_bulk_in(endpoint))
		68	+ ++num_bulk_in;
		69	+ if (usb_endpoint_is_bulk_out(endpoint))
		70	+ ++num_bulk_out;
		71	+ }
		72	+
		73	+ min_num_bulk = COMMAND_PORT + 1;
		74	+ if (num_bulk_in < min_num_bulk \|\| num_bulk_out < min_num_bulk)
		75	+ return -ENODEV;
		76	+
		77	+ return 0;
		78	+}
		79	+
		80	static int whiteheat_attach(struct usb_serial *serial)
		81	{
		82	struct usb_serial_port *command_port;
		83	--
		84	cgit v0.12
		85


diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc index 62038e5..a0dfa69 100644 --- a/recipes-kernel/linux/linux-qoriq-common.inc +++ b/recipes-kernel/linux/linux-qoriq-common.inc
@@ -13,6 +13,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \
13	file://eCryptfs-CVE-2014-9683.patch \	13	file://eCryptfs-CVE-2014-9683.patch \
14	file://netfilter-CVE-2014-9715.patch \	14	file://netfilter-CVE-2014-9715.patch \
15	file://net-sctp-CVE-2015-1421.patch \	15	file://net-sctp-CVE-2015-1421.patch \
		16	file://usb-whiteheat-CVE-2015-5257.patch \
16	"	17	"
17		18
18	SRC_URI += "file://cfg/00013-localversion.cfg \	19	SRC_URI += "file://cfg/00013-localversion.cfg \


diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend index 10ea463..4b9e525 100644 --- a/recipes-kernel/linux/linux-yocto_3.14.bbappend +++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -19,4 +19,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
19	file://ipv6-CVE-2015-2922.patch \	19	file://ipv6-CVE-2015-2922.patch \
20	file://ipv4-CVE-2015-3636.patch \	20	file://ipv4-CVE-2015-3636.patch \
21	file://udf-CVE-2015-4167.patch \	21	file://udf-CVE-2015-4167.patch \
		22	file://usb-whiteheat-CVE-2015-5257.patch \
22	"	23	"