Diffstat (limited to 'recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch')
-rw-r--r-- | recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch | 51 |
1 files changed, 51 insertions, 0 deletions
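--- /dev/null
+++ b/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
@@ -0,0 +1,51 @@
+From 6817ae225cd650fb1c3295d769298c38b1eba818 Mon Sep 17 00:00:00 2001
+From: James Forshaw <forshaw@google.com>
+Date: Sat, 23 Aug 2014 14:39:48 -0700
+Subject: [PATCH] USB: whiteheat: Added bounds checking for bulk command
+response
+
+This patch fixes a potential security issue in the whiteheat USB driver
+which might allow a local attacker to cause kernel memory corrpution. This
+is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On
+EHCI and XHCI busses it's possible to craft responses greater than 64
+bytes leading a buffer overflow.
+
+This fixes CVE-2014-3185
+Upstream-Status: Backport
+
+Signed-off-by: James Forshaw <forshaw@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+drivers/usb/serial/whiteheat.c | 7 ++++++-
+1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
+index e62f2df..6c3734d 100644
+--- a/drivers/usb/serial/whiteheat.c
++++ b/drivers/usb/serial/whiteheat.c
+@@ -514,6 +514,10 @@ static void command_port_read_callback(struct urb *urb)
+dev_dbg(&urb->dev->dev, "%s - command_info is NULL, exiting.\n", __func__);
+return;
+}
++ if (!urb->actual_length) {
++ dev_dbg(&urb->dev->dev, "%s - empty response, exiting.\n", __func__);
++ return;
++ }
+if (status) {
+dev_dbg(&urb->dev->dev, "%s - nonzero urb status: %d\n", __func__, status);
+if (status != -ENOENT)
+@@ -534,7 +538,8 @@ static void command_port_read_callback(struct urb *urb)
+/* These are unsolicited reports from the firmware, hence no
+waiting command to wakeup */
+dev_dbg(&urb->dev->dev, "%s - event received\n", __func__);
+- } else if (data[0] == WHITEHEAT_GET_DTR_RTS) {
++ } else if ((data[0] == WHITEHEAT_GET_DTR_RTS) &&
++ (urb->actual_length - 1 <= sizeof(command_info->result_buffer))) {
+memcpy(command_info->result_buffer, &data[1],
+urb->actual_length - 1);
+command_info->command_finished = WHITEHEAT_CMD_COMPLETE;
+--
+1.9.1
+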
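Review bot: In the first whiteheat.c hunk of the backported patch, the new `if (!urb->actual_length)` return sits ahead of the `if (status)` branch, so a URB that completes with an error and no data returns before that branch is reached. The rest of that branch lies outside the hunk, but if it is what marks the command as failed and wakes the waiting caller, that caller would then recover only through its own timeout; placing the empty-response check after the status handling would keep the error path intact. The ordering appears to come from the patch as authored, so any change is probably better raised upstream than carried as a local difference. The bound in the second hunk, `urb->actual_length - 1 <= sizeof(command_info->result_buffer)`, relies on that zero-length guard to keep the unsigned subtraction from wrapping, and a comment such as `/* actual_length >= 1 is guaranteed by the empty-response check above */` would record the dependency for whoever next touches either check.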