From ac8af89d18d9ea12747354bbb8f34dc04c6613e9 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Thu, 21 Jan 2016 13:14:30 +0100
Subject: usb-whiteheat: CVE-2015-5257
Fixes NULL pointer dereference in USB WhiteHEAT serial. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5257 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=44f73be485f66dfeca7c6a5e334a7a11b97a4151
Signed-off-by: Sona Sarmadi
Signed-off-by: Tudor Florea
---
 .../usb-whiteheat-CVE-2015-5257.patch | 85 ++++++++++++++++++++++
 recipes-kernel/linux/linux-hierofalcon_3.19.bb | 1 +
 recipes-kernel/linux/linux-hierofalcon_4.1.bb | 1 +
 3 files changed, 87 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-hierofalcon/usb-whiteheat-CVE-2015-5257.patch
diff --git a/recipes-kernel/linux/linux-hierofalcon/usb-whiteheat-CVE-2015-5257.patch b/recipes-kernel/linux/linux-hierofalcon/usb-whiteheat-CVE-2015-5257.patch
new file mode 100644
index 0000000..1fb8ac5
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon/usb-whiteheat-CVE-2015-5257.patch
@@ -0,0 +1,85 @@
+From 44f73be485f66dfeca7c6a5e334a7a11b97a4151 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 23 Sep 2015 11:41:42 -0700
+Subject: USB: whiteheat: fix potential null-deref at probe
+
+commit cbb4be652d374f64661137756b8f357a1827d6a4 upstream.
+
+Fix potential null-pointer dereference at probe by making sure that the
+required endpoints are present.
+
+The whiteheat driver assumes there are at least five pairs of bulk
+endpoints, of which the final pair is used for the "command port". An
+attempt to bind to an interface with fewer bulk endpoints would
+currently lead to an oops.
+
+Fixes CVE-2015-5257.
+Upstream-Status: Backport
+
+Reported-by: Moein Ghasemzadeh
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+igned-off-by: Sona Sarmadi
+---
+ drivers/usb/serial/whiteheat.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
+index 6c3734d..d3ea90b 100644
+--- a/drivers/usb/serial/whiteheat.c
++++ b/drivers/usb/serial/whiteheat.c
+@@ -80,6 +80,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial,
+ static int whiteheat_firmware_attach(struct usb_serial *serial);
+
+ /* function prototypes for the Connect Tech WhiteHEAT serial converter */
++static int whiteheat_probe(struct usb_serial *serial,
++ const struct usb_device_id *id);
+ static int whiteheat_attach(struct usb_serial *serial);
+ static void whiteheat_release(struct usb_serial *serial);
+ static int whiteheat_port_probe(struct usb_serial_port *port);
+@@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = {
+ .description = "Connect Tech - WhiteHEAT",
+ .id_table = id_table_std,
+ .num_ports = 4,
++ .probe = whiteheat_probe,
+ .attach = whiteheat_attach,
+ .release = whiteheat_release,
+ .port_probe = whiteheat_port_probe,
+@@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial)
+ /*****************************************************************************
+ * Connect Tech's White Heat serial driver functions
+ *****************************************************************************/
++
++static int whiteheat_probe(struct usb_serial *serial,
++ const struct usb_device_id *id)
++{
++ struct usb_host_interface *iface_desc;
++ struct usb_endpoint_descriptor *endpoint;
++ size_t num_bulk_in = 0;
++ size_t num_bulk_out = 0;
++ size_t min_num_bulk;
++ unsigned int i;
++
++ iface_desc = serial->interface->cur_altsetting;
++
++ for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
++ endpoint = &iface_desc->endpoint[i].desc;
++ if (usb_endpoint_is_bulk_in(endpoint))
++ ++num_bulk_in;
++ if (usb_endpoint_is_bulk_out(endpoint))
++ ++num_bulk_out;
++ }
++
++ min_num_bulk = COMMAND_PORT + 1;
++ if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk)
++ return -ENODEV;
++
++ return 0;
++}
++
+ static int whiteheat_attach(struct usb_serial *serial)
+ {
+ struct usb_serial_port *command_port;
+--
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
index 895a08c..6e44bbc 100644
--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -27,6 +27,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
 file://vhost-CVE-2015-6252.patch \
 file://ipv6-CVE-2015-2922.patch \
 file://ipv4-CVE-2015-3636.patch \
+ file://usb-whiteheat-CVE-2015-5257.patch \
 "
 S = "${WORKDIR}/git"
diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
index 6b160d8..7c5c537 100644
--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
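Review bot: The last trailer in the header of the added patch file is `igned-off-by: Sona Sarmadi`, missing its leading `S`, so tooling that parses `Signed-off-by:` trailers will not see the backporter's sign-off; it should read `Signed-off-by: Sona Sarmadi`. The CVE is recorded only as the free-text line `Fixes CVE-2015-5257.`; if the layer follows the OpenEmbedded patch-header convention, a `CVE: CVE-2015-5257` line next to `Upstream-Status: Backport` would make the fix visible to CVE-tracking tools. The C hunks look like an unmodified upstream backport, so no change is suggested to `whiteheat_probe` itself.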
@@ -26,6 +26,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
 file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \
 file://md-CVE-2015-5697.patch \
 file://vhost-CVE-2015-6252.patch \
+ file://usb-whiteheat-CVE-2015-5257.patch \
 "
 S = "${WORKDIR}/git"
--
cgit v1.2.3-54-g00ecf