Diffstat (limited to 'recipes-kernel')
-rw-r--r-- | recipes-kernel/linux/linux-hierofalcon-4.1/usb-CVE-2015-8816.patch | 88 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-hierofalcon_4.1.bb | 1 |
2 files changed, 89 insertions, 0 deletions
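--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-4.1/usb-CVE-2015-8816.patch
@@ -0,0 +1,88 @@
+From a7e83b16c8d83a75c58989e845c664ecaa6e0aa6 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 16 Dec 2015 13:32:38 -0500
+Subject: USB: fix invalid memory access in hub_activate()
+
+commit e50293ef9775c5f1cf3fcc093037dd6a8c5684ea upstream.
+
+Commit 8520f38099cc ("USB: change hub initialization sleeps to
+delayed_work") changed the hub_activate() routine to make part of it
+run in a workqueue. However, the commit failed to take a reference to
+the usb_hub structure or to lock the hub interface while doing so. As
+a result, if a hub is plugged in and quickly unplugged before the work
+routine can run, the routine will try to access memory that has been
+deallocated. Or, if the hub is unplugged while the routine is
+running, the memory may be deallocated while it is in active use.
+
+This patch fixes the problem by taking a reference to the usb_hub at
+the start of hub_activate() and releasing it at the end (when the work
+is finished), and by locking the hub interface while the work routine
+is running. It also adds a check at the start of the routine to see
+if the hub has already been disconnected, in which nothing should be
+done.
+
+Fixes CVE-2015-8816.
+Upstream-Status: Backport
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Alexandru Cornea <alexandru.cornea@intel.com>
+Tested-by: Alexandru Cornea <alexandru.cornea@intel.com>
+Fixes: 8520f38099cc ("USB: change hub initialization sleeps to delayed_work")
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+drivers/usb/core/hub.c | 22 +++++++++++++++++++---
+1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index d68c4a4..ee11b30 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1034,10 +1034,20 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+unsigned delay;
+
+/* Continue a partial initialization */
+- if (type == HUB_INIT2)
+- goto init2;
+- if (type == HUB_INIT3)
++ if (type == HUB_INIT2 || type == HUB_INIT3) {
++ device_lock(hub->intfdev);
++
++ /* Was the hub disconnected while we were waiting? */
++ if (hub->disconnected) {
++ device_unlock(hub->intfdev);
++ kref_put(&hub->kref, hub_release);
++ return;
++ }
++ if (type == HUB_INIT2)
++ goto init2;
+goto init3;
++ }
++ kref_get(&hub->kref);
+
+/* The superspeed hub except for root hub has to use Hub Depth
+* value as an offset into the route string to locate the bits
+@@ -1235,6 +1245,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+queue_delayed_work(system_power_efficient_wq,
+&hub->init_work,
+msecs_to_jiffies(delay));
++ device_unlock(hub->intfdev);
+return; /* Continues at init3: below */
+} else {
+msleep(delay);
+@@ -1256,6 +1267,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+/* Allow autosuspend if it was suppressed */
+if (type <= HUB_INIT3)
+usb_autopm_put_interface_async(to_usb_interface(hub->intfdev));
++
++ if (type == HUB_INIT2 || type == HUB_INIT3)
++ device_unlock(hub->intfdev);
++
++ kref_put(&hub->kref, hub_release);
+}
+
+/* Implement the continuations for the delays above */
+--
+cgit v0.12
+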
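Review bot: The early return in the `hub->disconnected` branch releases the interface lock and the kref but skips the `usb_autopm_put_interface_async()` call that the normal exit path makes when `type <= HUB_INIT3`. If the earlier init stage took an autopm reference before queuing the delayed work (that code is outside the hunks, so this is inferred), a hub unplugged during the wait would leave the runtime-PM usage count unbalanced. I would replace the duplicated cleanup with `goto disconnected;` and put a `disconnected:` label at the shared exit ahead of the autopm put, so every INIT2/INIT3 exit runs the same teardown. hub_activate() starts and ends outside these hunks, so confirm against the full function and check whether upstream carries a follow-up to this commit before treating the backport as complete.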
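--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -33,6 +33,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
 file://virtio-net-CVE-2015-5156.patch \
 file://ipc-CVE-2015-7613.patch \
 file://net-unix-CVE-2013-7446.patch \
+file://usb-CVE-2015-8816.patch \
 "
 
 S = "${WORKDIR}/git"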