1 files changed, 51 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch b/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
new file mode 100644
index 0000000..0820807
--- /dev/null
+++ b/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
@@ -0,0 +1,51 @@
+From 6817ae225cd650fb1c3295d769298c38b1eba818 Mon Sep 17 00:00:00 2001
+From: James Forshaw <forshaw@google.com>
+Date: Sat, 23 Aug 2014 14:39:48 -0700
+Subject: [PATCH] USB: whiteheat: Added bounds checking for bulk command
+ response
+This patch fixes a potential security issue in the whiteheat USB driver
+which might allow a local attacker to cause kernel memory corrpution. This
+is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On
+EHCI and XHCI busses it's possible to craft responses greater than 64
+bytes leading a buffer overflow.
+This fixes CVE-2014-3185
+Upstream-Status: Backport
+Signed-off-by: James Forshaw <forshaw@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/usb/serial/whiteheat.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
+index e62f2df..6c3734d 100644
+--- a/drivers/usb/serial/whiteheat.c
+++ b/drivers/usb/serial/whiteheat.c
+@@ -514,6 +514,10 @@ static void command_port_read_callback(struct urb *urb)
+                dev_dbg(&urb->dev->dev, "%s - command_info is NULL, exiting.\n", __func__);
+                return;
+        }
+       if (!urb->actual_length) {
+               dev_dbg(&urb->dev->dev, "%s - empty response, exiting.\n", __func__);
+               return;
+       }
+        if (status) {
+                dev_dbg(&urb->dev->dev, "%s - nonzero urb status: %d\n", __func__, status);
+                if (status != -ENOENT)
+@@ -534,7 +538,8 @@ static void command_port_read_callback(struct urb *urb)
+                /* These are unsolicited reports from the firmware, hence no
+                   waiting command to wakeup */
+                dev_dbg(&urb->dev->dev, "%s - event received\n", __func__);
+-       } else if (data[0] == WHITEHEAT_GET_DTR_RTS) {
+       } else if ((data[0] == WHITEHEAT_GET_DTR_RTS) &&
+               (urb->actual_length - 1 <= sizeof(command_info->result_buffer))) {
+                memcpy(command_info->result_buffer, &data[1],
+                                                urb->actual_length - 1);
+                command_info->command_finished = WHITEHEAT_CMD_COMPLETE;
+-- 
+1.9.1

diff --git a/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch b/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch new file mode 100644 index 0000000..0820807 --- /dev/null +++ b/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
@@ -0,0 +1,51 @@
	1	From 6817ae225cd650fb1c3295d769298c38b1eba818 Mon Sep 17 00:00:00 2001
	2	From: James Forshaw <forshaw@google.com>
	3	Date: Sat, 23 Aug 2014 14:39:48 -0700
	4	Subject: [PATCH] USB: whiteheat: Added bounds checking for bulk command
	5	response
	6
	7	This patch fixes a potential security issue in the whiteheat USB driver
	8	which might allow a local attacker to cause kernel memory corrpution. This
	9	is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On
	10	EHCI and XHCI busses it's possible to craft responses greater than 64
	11	bytes leading a buffer overflow.
	12
	13	This fixes CVE-2014-3185
	14	Upstream-Status: Backport
	15
	16	Signed-off-by: James Forshaw <forshaw@google.com>
	17	Cc: stable <stable@vger.kernel.org>
	18	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	19	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	20	---
	21	drivers/usb/serial/whiteheat.c \| 7 ++++++-
	22	1 file changed, 6 insertions(+), 1 deletion(-)
	23
	24	diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
	25	index e62f2df..6c3734d 100644
	26	--- a/drivers/usb/serial/whiteheat.c
	27	+++ b/drivers/usb/serial/whiteheat.c
	28	@@ -514,6 +514,10 @@ static void command_port_read_callback(struct urb *urb)
	29	dev_dbg(&urb->dev->dev, "%s - command_info is NULL, exiting.\n", __func__);
	30	return;
	31	}
	32	+ if (!urb->actual_length) {
	33	+ dev_dbg(&urb->dev->dev, "%s - empty response, exiting.\n", __func__);
	34	+ return;
	35	+ }
	36	if (status) {
	37	dev_dbg(&urb->dev->dev, "%s - nonzero urb status: %d\n", __func__, status);
	38	if (status != -ENOENT)
	39	@@ -534,7 +538,8 @@ static void command_port_read_callback(struct urb *urb)
	40	/* These are unsolicited reports from the firmware, hence no
	41	waiting command to wakeup */
	42	dev_dbg(&urb->dev->dev, "%s - event received\n", __func__);
	43	- } else if (data[0] == WHITEHEAT_GET_DTR_RTS) {
	44	+ } else if ((data[0] == WHITEHEAT_GET_DTR_RTS) &&
	45	+ (urb->actual_length - 1 <= sizeof(command_info->result_buffer))) {
	46	memcpy(command_info->result_buffer, &data[1],
	47	urb->actual_length - 1);
	48	command_info->command_finished = WHITEHEAT_CMD_COMPLETE;
	49	--
	50	1.9.1
	51