summaryrefslogtreecommitdiffstats
path: root/recipes-kernel/linux
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-01-21 13:14:30 +0100
committerTudor Florea <tudor.florea@enea.com>2016-01-22 03:17:45 +0100
commitac8af89d18d9ea12747354bbb8f34dc04c6613e9 (patch)
treec3328fce267c7dbf2d399c74bf8616f1bc0ba602 /recipes-kernel/linux
parenta7516bc90a45e8f16f9a83e0abbb420447150984 (diff)
downloadmeta-hierofalcon-ac8af89d18d9ea12747354bbb8f34dc04c6613e9.tar.gz
usb-whiteheat: CVE-2015-5257
Fixes NULL pointer dereference in USB WhiteHEAT serial. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5257 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=44f73be485f66dfeca7c6a5e334a7a11b97a4151 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'recipes-kernel/linux')
-rw-r--r--recipes-kernel/linux/linux-hierofalcon/usb-whiteheat-CVE-2015-5257.patch85
-rw-r--r--recipes-kernel/linux/linux-hierofalcon_3.19.bb1
-rw-r--r--recipes-kernel/linux/linux-hierofalcon_4.1.bb1
3 files changed, 87 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon/usb-whiteheat-CVE-2015-5257.patch b/recipes-kernel/linux/linux-hierofalcon/usb-whiteheat-CVE-2015-5257.patch
new file mode 100644
index 0000000..1fb8ac5
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon/usb-whiteheat-CVE-2015-5257.patch
@@ -0,0 +1,85 @@
1From 44f73be485f66dfeca7c6a5e334a7a11b97a4151 Mon Sep 17 00:00:00 2001
2From: Johan Hovold <johan@kernel.org>
3Date: Wed, 23 Sep 2015 11:41:42 -0700
4Subject: USB: whiteheat: fix potential null-deref at probe
5
6commit cbb4be652d374f64661137756b8f357a1827d6a4 upstream.
7
8Fix potential null-pointer dereference at probe by making sure that the
9required endpoints are present.
10
11The whiteheat driver assumes there are at least five pairs of bulk
12endpoints, of which the final pair is used for the "command port". An
13attempt to bind to an interface with fewer bulk endpoints would
14currently lead to an oops.
15
16Fixes CVE-2015-5257.
17Upstream-Status: Backport
18
19Reported-by: Moein Ghasemzadeh <moein@istuary.com>
20Signed-off-by: Johan Hovold <johan@kernel.org>
21Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
22igned-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
23---
24 drivers/usb/serial/whiteheat.c | 31 +++++++++++++++++++++++++++++++
25 1 file changed, 31 insertions(+)
26
27diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
28index 6c3734d..d3ea90b 100644
29--- a/drivers/usb/serial/whiteheat.c
30+++ b/drivers/usb/serial/whiteheat.c
31@@ -80,6 +80,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial,
32 static int whiteheat_firmware_attach(struct usb_serial *serial);
33
34 /* function prototypes for the Connect Tech WhiteHEAT serial converter */
35+static int whiteheat_probe(struct usb_serial *serial,
36+ const struct usb_device_id *id);
37 static int whiteheat_attach(struct usb_serial *serial);
38 static void whiteheat_release(struct usb_serial *serial);
39 static int whiteheat_port_probe(struct usb_serial_port *port);
40@@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = {
41 .description = "Connect Tech - WhiteHEAT",
42 .id_table = id_table_std,
43 .num_ports = 4,
44+ .probe = whiteheat_probe,
45 .attach = whiteheat_attach,
46 .release = whiteheat_release,
47 .port_probe = whiteheat_port_probe,
48@@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial)
49 /*****************************************************************************
50 * Connect Tech's White Heat serial driver functions
51 *****************************************************************************/
52+
53+static int whiteheat_probe(struct usb_serial *serial,
54+ const struct usb_device_id *id)
55+{
56+ struct usb_host_interface *iface_desc;
57+ struct usb_endpoint_descriptor *endpoint;
58+ size_t num_bulk_in = 0;
59+ size_t num_bulk_out = 0;
60+ size_t min_num_bulk;
61+ unsigned int i;
62+
63+ iface_desc = serial->interface->cur_altsetting;
64+
65+ for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
66+ endpoint = &iface_desc->endpoint[i].desc;
67+ if (usb_endpoint_is_bulk_in(endpoint))
68+ ++num_bulk_in;
69+ if (usb_endpoint_is_bulk_out(endpoint))
70+ ++num_bulk_out;
71+ }
72+
73+ min_num_bulk = COMMAND_PORT + 1;
74+ if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk)
75+ return -ENODEV;
76+
77+ return 0;
78+}
79+
80 static int whiteheat_attach(struct usb_serial *serial)
81 {
82 struct usb_serial_port *command_port;
83--
84cgit v0.12
85
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
index 895a08c..6e44bbc 100644
--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -27,6 +27,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
27 file://vhost-CVE-2015-6252.patch \ 27 file://vhost-CVE-2015-6252.patch \
28 file://ipv6-CVE-2015-2922.patch \ 28 file://ipv6-CVE-2015-2922.patch \
29 file://ipv4-CVE-2015-3636.patch \ 29 file://ipv4-CVE-2015-3636.patch \
30 file://usb-whiteheat-CVE-2015-5257.patch \
30 " 31 "
31 32
32S = "${WORKDIR}/git" 33S = "${WORKDIR}/git"
diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
index 6b160d8..7c5c537 100644
--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -26,6 +26,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
26 file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \ 26 file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \
27 file://md-CVE-2015-5697.patch \ 27 file://md-CVE-2015-5697.patch \
28 file://vhost-CVE-2015-6252.patch \ 28 file://vhost-CVE-2015-6252.patch \
29 file://usb-whiteheat-CVE-2015-5257.patch \
29 " 30 "
30 31
31S = "${WORKDIR}/git" 32S = "${WORKDIR}/git"