Diffstat (limited to 'recipes-kernel')
-rw-r--r-- | recipes-kernel/linux/linux-hierofalcon/usb-whiteheat-CVE-2015-5257.patch | 85 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-hierofalcon_3.19.bb | 1 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-hierofalcon_4.1.bb | 1 |
3 files changed, 87 insertions, 0 deletions
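--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon/usb-whiteheat-CVE-2015-5257.patch
@@ -0,0 +1,85 @@
+From 44f73be485f66dfeca7c6a5e334a7a11b97a4151 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 23 Sep 2015 11:41:42 -0700
+Subject: USB: whiteheat: fix potential null-deref at probe
+
+commit cbb4be652d374f64661137756b8f357a1827d6a4 upstream.
+
+Fix potential null-pointer dereference at probe by making sure that the
+required endpoints are present.
+
+The whiteheat driver assumes there are at least five pairs of bulk
+endpoints, of which the final pair is used for the "command port". An
+attempt to bind to an interface with fewer bulk endpoints would
+currently lead to an oops.
+
+Fixes CVE-2015-5257.
+Upstream-Status: Backport
+
+Reported-by: Moein Ghasemzadeh <moein@istuary.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+igned-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+drivers/usb/serial/whiteheat.c | 31 +++++++++++++++++++++++++++++++
+1 file changed, 31 insertions(+)
+
+diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
+index 6c3734d..d3ea90b 100644
+--- a/drivers/usb/serial/whiteheat.c
++++ b/drivers/usb/serial/whiteheat.c
+@@ -80,6 +80,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial,
+static int whiteheat_firmware_attach(struct usb_serial *serial);
+
+/* function prototypes for the Connect Tech WhiteHEAT serial converter */
++static int whiteheat_probe(struct usb_serial *serial,
++ const struct usb_device_id *id);
+static int whiteheat_attach(struct usb_serial *serial);
+static void whiteheat_release(struct usb_serial *serial);
+static int whiteheat_port_probe(struct usb_serial_port *port);
+@@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = {
+.description = "Connect Tech - WhiteHEAT",
+.id_table = id_table_std,
+.num_ports = 4,
++ .probe = whiteheat_probe,
+.attach = whiteheat_attach,
+.release = whiteheat_release,
+.port_probe = whiteheat_port_probe,
+@@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial)
+/*****************************************************************************
+* Connect Tech's White Heat serial driver functions
+*****************************************************************************/
++
++static int whiteheat_probe(struct usb_serial *serial,
++ const struct usb_device_id *id)
++{
++ struct usb_host_interface *iface_desc;
++ struct usb_endpoint_descriptor *endpoint;
++ size_t num_bulk_in = 0;
++ size_t num_bulk_out = 0;
++ size_t min_num_bulk;
++ unsigned int i;
++
++ iface_desc = serial->interface->cur_altsetting;
++
++ for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
++ endpoint = &iface_desc->endpoint[i].desc;
++ if (usb_endpoint_is_bulk_in(endpoint))
++ ++num_bulk_in;
++ if (usb_endpoint_is_bulk_out(endpoint))
++ ++num_bulk_out;
++ }
++
++ min_num_bulk = COMMAND_PORT + 1;
++ if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk)
++ return -ENODEV;
++
++ return 0;
++}
++
+static int whiteheat_attach(struct usb_serial *serial)
+{
+struct usb_serial_port *command_port;
+--
+cgit v0.12
+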
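Review bot: Line 22 of the new patch file reads `igned-off-by: Sona Sarmadi <sona.sarmadi@enea.com>`, so the backporter's trailer is not a valid sign-off tag as shown here. Unless the missing letter is only a rendering artefact, it should be `Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>`, so that provenance tooling and reviewers can trace who carried this CVE fix into the layer. On the carried code, the bound `min_num_bulk = COMMAND_PORT + 1;` in `whiteheat_probe()` is explained only in the commit message. That is acceptable for an unmodified upstream backport, but the endpoint counts come from device-supplied descriptors, so the reason for the check should stay with the patch header if the patch is ever refreshed. `whiteheat_attach()` starts at the end of the last hunk and its body is outside the view, so the dereference this probe guards against is not visible here.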
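--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -27,6 +27,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
 file://vhost-CVE-2015-6252.patch \
 file://ipv6-CVE-2015-2922.patch \
 file://ipv4-CVE-2015-3636.patch \
+file://usb-whiteheat-CVE-2015-5257.patch \
 "
 
 S = "${WORKDIR}/git"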
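--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -26,6 +26,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
 file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \
 file://md-CVE-2015-5697.patch \
 file://vhost-CVE-2015-6252.patch \
+file://usb-whiteheat-CVE-2015-5257.patch \
 "
 
 S = "${WORKDIR}/git"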