usb-whiteheat: CVE-2015-5257

Fixes NULL pointer dereference in USB WhiteHEAT serial. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5257 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=44f73be485f66dfeca7c6a5e334a7a11b97a4151 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-01-21 13:14:30 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2016-01-22 03:17:45 +0100
commit: ac8af89d18d9ea12747354bbb8f34dc04c6613e9 (patch)
tree: c3328fce267c7dbf2d399c74bf8616f1bc0ba602 /recipes-kernel
parent: a7516bc90a45e8f16f9a83e0abbb420447150984 (diff)
download: meta-hierofalcon-ac8af89d18d9ea12747354bbb8f34dc04c6613e9.tar.gz
3 files changed, 87 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon/usb-whiteheat-CVE-2015-5257.patch b/recipes-kernel/linux/linux-hierofalcon/usb-whiteheat-CVE-2015-5257.patch
new file mode 100644
index 0000000..1fb8ac5
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon/usb-whiteheat-CVE-2015-5257.patch
@@ -0,0 +1,85 @@
+From 44f73be485f66dfeca7c6a5e334a7a11b97a4151 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 23 Sep 2015 11:41:42 -0700
+Subject: USB: whiteheat: fix potential null-deref at probe
+commit cbb4be652d374f64661137756b8f357a1827d6a4 upstream.
+Fix potential null-pointer dereference at probe by making sure that the
+required endpoints are present.
+The whiteheat driver assumes there are at least five pairs of bulk
+endpoints, of which the final pair is used for the "command port". An
+attempt to bind to an interface with fewer bulk endpoints would
+currently lead to an oops.
+Fixes CVE-2015-5257.
+Upstream-Status: Backport
+Reported-by: Moein Ghasemzadeh <moein@istuary.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+igned-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/usb/serial/whiteheat.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
+index 6c3734d..d3ea90b 100644
+--- a/drivers/usb/serial/whiteheat.c
+++ b/drivers/usb/serial/whiteheat.c
+@@ -80,6 +80,8 @@ static int  whiteheat_firmware_download(struct usb_serial *serial,
+ static int  whiteheat_firmware_attach(struct usb_serial *serial);
+ 
+ /* function prototypes for the Connect Tech WhiteHEAT serial converter */
+static int whiteheat_probe(struct usb_serial *serial,
+                               const struct usb_device_id *id);
+ static int  whiteheat_attach(struct usb_serial *serial);
+ static void whiteheat_release(struct usb_serial *serial);
+ static int  whiteheat_port_probe(struct usb_serial_port *port);
+@@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = {
+        .description =          "Connect Tech - WhiteHEAT",
+        .id_table =             id_table_std,
+        .num_ports =            4,
+       .probe =                whiteheat_probe,
+        .attach =               whiteheat_attach,
+        .release =              whiteheat_release,
+        .port_probe =           whiteheat_port_probe,
+@@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial)
+ /*****************************************************************************
+  * Connect Tech's White Heat serial driver functions
+  *****************************************************************************/
+
+static int whiteheat_probe(struct usb_serial *serial,
+                               const struct usb_device_id *id)
+{
+       struct usb_host_interface *iface_desc;
+       struct usb_endpoint_descriptor *endpoint;
+       size_t num_bulk_in = 0;
+       size_t num_bulk_out = 0;
+       size_t min_num_bulk;
+       unsigned int i;
+
+       iface_desc = serial->interface->cur_altsetting;
+
+       for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
+               endpoint = &iface_desc->endpoint[i].desc;
+               if (usb_endpoint_is_bulk_in(endpoint))
+                       ++num_bulk_in;
+               if (usb_endpoint_is_bulk_out(endpoint))
+                       ++num_bulk_out;
+       }
+
+       min_num_bulk = COMMAND_PORT + 1;
+       if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk)
+               return -ENODEV;
+
+       return 0;
+}
+
+ static int whiteheat_attach(struct usb_serial *serial)
+ {
+        struct usb_serial_port *command_port;
+-- 
+cgit v0.12
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
index 895a08c..6e44bbc 100644
--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -27,6 +27,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
           file://vhost-CVE-2015-6252.patch \
           file://ipv6-CVE-2015-2922.patch \
           file://ipv4-CVE-2015-3636.patch \
+           file://usb-whiteheat-CVE-2015-5257.patch \
           "
 S = "${WORKDIR}/git"
diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
index 6b160d8..7c5c537 100644
--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -26,6 +26,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
           file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \
           file://md-CVE-2015-5697.patch \
           file://vhost-CVE-2015-6252.patch \
+           file://usb-whiteheat-CVE-2015-5257.patch \
           "
 S = "${WORKDIR}/git"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-01-21 13:14:30 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2016-01-22 03:17:45 +0100
commit	ac8af89d18d9ea12747354bbb8f34dc04c6613e9 (patch)
tree	c3328fce267c7dbf2d399c74bf8616f1bc0ba602 /recipes-kernel
parent	a7516bc90a45e8f16f9a83e0abbb420447150984 (diff)
download	meta-hierofalcon-ac8af89d18d9ea12747354bbb8f34dc04c6613e9.tar.gz

diff --git a/recipes-kernel/linux/linux-hierofalcon/usb-whiteheat-CVE-2015-5257.patch b/recipes-kernel/linux/linux-hierofalcon/usb-whiteheat-CVE-2015-5257.patch new file mode 100644 index 0000000..1fb8ac5 --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon/usb-whiteheat-CVE-2015-5257.patch
@@ -0,0 +1,85 @@
		1	From 44f73be485f66dfeca7c6a5e334a7a11b97a4151 Mon Sep 17 00:00:00 2001
		2	From: Johan Hovold <johan@kernel.org>
		3	Date: Wed, 23 Sep 2015 11:41:42 -0700
		4	Subject: USB: whiteheat: fix potential null-deref at probe
		5
		6	commit cbb4be652d374f64661137756b8f357a1827d6a4 upstream.
		7
		8	Fix potential null-pointer dereference at probe by making sure that the
		9	required endpoints are present.
		10
		11	The whiteheat driver assumes there are at least five pairs of bulk
		12	endpoints, of which the final pair is used for the "command port". An
		13	attempt to bind to an interface with fewer bulk endpoints would
		14	currently lead to an oops.
		15
		16	Fixes CVE-2015-5257.
		17	Upstream-Status: Backport
		18
		19	Reported-by: Moein Ghasemzadeh <moein@istuary.com>
		20	Signed-off-by: Johan Hovold <johan@kernel.org>
		21	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		22	igned-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		23	---
		24	drivers/usb/serial/whiteheat.c \| 31 +++++++++++++++++++++++++++++++
		25	1 file changed, 31 insertions(+)
		26
		27	diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
		28	index 6c3734d..d3ea90b 100644
		29	--- a/drivers/usb/serial/whiteheat.c
		30	+++ b/drivers/usb/serial/whiteheat.c
		31	@@ -80,6 +80,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial,
		32	static int whiteheat_firmware_attach(struct usb_serial *serial);
		33
		34	/* function prototypes for the Connect Tech WhiteHEAT serial converter */
		35	+static int whiteheat_probe(struct usb_serial *serial,
		36	+ const struct usb_device_id *id);
		37	static int whiteheat_attach(struct usb_serial *serial);
		38	static void whiteheat_release(struct usb_serial *serial);
		39	static int whiteheat_port_probe(struct usb_serial_port *port);
		40	@@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = {
		41	.description = "Connect Tech - WhiteHEAT",
		42	.id_table = id_table_std,
		43	.num_ports = 4,
		44	+ .probe = whiteheat_probe,
		45	.attach = whiteheat_attach,
		46	.release = whiteheat_release,
		47	.port_probe = whiteheat_port_probe,
		48	@@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial)
		49	/*****************************************************************************
		50	* Connect Tech's White Heat serial driver functions
		51	*****************************************************************************/
		52	+
		53	+static int whiteheat_probe(struct usb_serial *serial,
		54	+ const struct usb_device_id *id)
		55	+{
		56	+ struct usb_host_interface *iface_desc;
		57	+ struct usb_endpoint_descriptor *endpoint;
		58	+ size_t num_bulk_in = 0;
		59	+ size_t num_bulk_out = 0;
		60	+ size_t min_num_bulk;
		61	+ unsigned int i;
		62	+
		63	+ iface_desc = serial->interface->cur_altsetting;
		64	+
		65	+ for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
		66	+ endpoint = &iface_desc->endpoint[i].desc;
		67	+ if (usb_endpoint_is_bulk_in(endpoint))
		68	+ ++num_bulk_in;
		69	+ if (usb_endpoint_is_bulk_out(endpoint))
		70	+ ++num_bulk_out;
		71	+ }
		72	+
		73	+ min_num_bulk = COMMAND_PORT + 1;
		74	+ if (num_bulk_in < min_num_bulk \|\| num_bulk_out < min_num_bulk)
		75	+ return -ENODEV;
		76	+
		77	+ return 0;
		78	+}
		79	+
		80	static int whiteheat_attach(struct usb_serial *serial)
		81	{
		82	struct usb_serial_port *command_port;
		83	--
		84	cgit v0.12
		85


diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb index 895a08c..6e44bbc 100644 --- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb +++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -27,6 +27,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
27	file://vhost-CVE-2015-6252.patch \	27	file://vhost-CVE-2015-6252.patch \
28	file://ipv6-CVE-2015-2922.patch \	28	file://ipv6-CVE-2015-2922.patch \
29	file://ipv4-CVE-2015-3636.patch \	29	file://ipv4-CVE-2015-3636.patch \
		30	file://usb-whiteheat-CVE-2015-5257.patch \
30	"	31	"
31		32
32	S = "${WORKDIR}/git"	33	S = "${WORKDIR}/git"


diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb index 6b160d8..7c5c537 100644 --- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb +++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -26,6 +26,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
26	file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \	26	file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \
27	file://md-CVE-2015-5697.patch \	27	file://md-CVE-2015-5697.patch \
28	file://vhost-CVE-2015-6252.patch \	28	file://vhost-CVE-2015-6252.patch \
		29	file://usb-whiteheat-CVE-2015-5257.patch \
29	"	30	"
30		31
31	S = "${WORKDIR}/git"	32	S = "${WORKDIR}/git"