authorSona Sarmadi <sona.sarmadi@enea.com>2016-04-01 13:50:04 +0200
committerTudor Florea <tudor.florea@enea.com>2016-04-07 01:14:08 +0200
commit4e3dbf27ce3d119bb7267c57f5dfb46c0b9b0da3 (patch)
tree4e1456d0d49179cb5cebe78d1c277b48e3f85fe9
parent969125816231fc089be31e02c804f594713e8f56 (diff)
kernel/usb: CVE-2015-8816
Fixes USB hub invalid memory access in hub_activate(). References: http://www.spinics.net/lists/linux-usb/msg132311.html http://seclists.org/oss-sec/2016/q1/404 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8816 Reference to upstream patch: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=a7e83b16c8d83a75c58989e845c664ecaa6e0aa6 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r--recipes-kernel/linux/linux-hierofalcon-4.1/usb-CVE-2015-8816.patch88
-rw-r--r--recipes-kernel/linux/linux-hierofalcon_4.1.bb1
2 files changed, 89 insertions, 0 deletions
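--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-4.1/usb-CVE-2015-8816.patch
@@ -0,0 +1,88 @@
+From a7e83b16c8d83a75c58989e845c664ecaa6e0aa6 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 16 Dec 2015 13:32:38 -0500
+Subject: USB: fix invalid memory access in hub_activate()
+
+commit e50293ef9775c5f1cf3fcc093037dd6a8c5684ea upstream.
+
+Commit 8520f38099cc ("USB: change hub initialization sleeps to
+delayed_work") changed the hub_activate() routine to make part of it
+run in a workqueue. However, the commit failed to take a reference to
+the usb_hub structure or to lock the hub interface while doing so. As
+a result, if a hub is plugged in and quickly unplugged before the work
+routine can run, the routine will try to access memory that has been
+deallocated. Or, if the hub is unplugged while the routine is
+running, the memory may be deallocated while it is in active use.
+
+This patch fixes the problem by taking a reference to the usb_hub at
+the start of hub_activate() and releasing it at the end (when the work
+is finished), and by locking the hub interface while the work routine
+is running. It also adds a check at the start of the routine to see
+if the hub has already been disconnected, in which nothing should be
+done.
+
+Fixes CVE-2015-8816.
+Upstream-Status: Backport
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Alexandru Cornea <alexandru.cornea@intel.com>
+Tested-by: Alexandru Cornea <alexandru.cornea@intel.com>
+Fixes: 8520f38099cc ("USB: change hub initialization sleeps to delayed_work")
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/usb/core/hub.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index d68c4a4..ee11b30 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1034,10 +1034,20 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ unsigned delay;
+
+ /* Continue a partial initialization */
+- if (type == HUB_INIT2)
+- goto init2;
+- if (type == HUB_INIT3)
++ if (type == HUB_INIT2 || type == HUB_INIT3) {
++ device_lock(hub->intfdev);
++
++ /* Was the hub disconnected while we were waiting? */
++ if (hub->disconnected) {
++ device_unlock(hub->intfdev);
++ kref_put(&hub->kref, hub_release);
++ return;
++ }
++ if (type == HUB_INIT2)
++ goto init2;
+ goto init3;
++ }
++ kref_get(&hub->kref);
+
+ /* The superspeed hub except for root hub has to use Hub Depth
+ * value as an offset into the route string to locate the bits
+@@ -1235,6 +1245,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ queue_delayed_work(system_power_efficient_wq,
+ &hub->init_work,
+ msecs_to_jiffies(delay));
++ device_unlock(hub->intfdev);
+ return; /* Continues at init3: below */
+ } else {
+ msleep(delay);
+@@ -1256,6 +1267,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ /* Allow autosuspend if it was suppressed */
+ if (type <= HUB_INIT3)
+ usb_autopm_put_interface_async(to_usb_interface(hub->intfdev));
++
++ if (type == HUB_INIT2 || type == HUB_INIT3)
++ device_unlock(hub->intfdev);
++
++ kref_put(&hub->kref, hub_release);
+ }
+
+ /* Implement the continuations for the delays above */
+--
+cgit v0.12
+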
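--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -33,6 +33,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
 file://virtio-net-CVE-2015-5156.patch \
 file://ipc-CVE-2015-7613.patch \
 file://net-unix-CVE-2013-7446.patch \
+file://usb-CVE-2015-8816.patch \
 "
 
 S = "${WORKDIR}/git"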