Add some security fixes
This commit is contained in:
Ben Hutchings
parent
19216c6aaa
commit
18e70e2c53
|
|
@ -12,6 +12,9 @@ linux (4.3.3-6) UNRELEASED; urgency=medium
|
|||
* linux-image-dbg: Include debugging symbols for VDSOs
|
||||
* [armel/kirkwood] power/reset: Re-enable POWER_RESET, POWER_RESET_GPIO
|
||||
(regression in 3.17~rc5-1~exp1)
|
||||
* usb: serial: visor: fix crash on detecting device without write_urbs
|
||||
(CVE-2015-7566)
|
||||
* tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) (CVE-2016-0723)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Fri, 08 Jan 2016 12:08:13 +0000
|
||||
|
||||
|
|
|
|||
63
debian/patches/bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
vendored
Normal file
63
debian/patches/bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
vendored
Normal file
|
|
@ -0,0 +1,63 @@
|
|||
From: Peter Hurley <peter@hurleysoftware.com>
|
||||
Subject: tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
|
||||
Date: Sun, 10 Jan 2016 22:40:55 -0800
|
||||
Origin: http://article.gmane.org/gmane.linux.kernel/2123249
|
||||
|
||||
ioctl(TIOCGETD) retrieves the line discipline id directly from the
|
||||
ldisc because the line discipline id (c_line) in termios is untrustworthy;
|
||||
userspace may have set termios via ioctl(TCSETS*) without actually
|
||||
changing the line discipline via ioctl(TIOCSETD).
|
||||
|
||||
However, directly accessing the current ldisc via tty->ldisc is
|
||||
unsafe; the ldisc ptr dereferenced may be stale if the line discipline
|
||||
is changing via ioctl(TIOCSETD) or hangup.
|
||||
|
||||
Wait for the line discipline reference (just like read() or write())
|
||||
to retrieve the "current" line discipline id.
|
||||
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
|
||||
---
|
||||
drivers/tty/tty_io.c | 24 +++++++++++++++++++++++-
|
||||
1 file changed, 23 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/drivers/tty/tty_io.c
|
||||
+++ b/drivers/tty/tty_io.c
|
||||
@@ -2654,6 +2654,28 @@ static int tiocsetd(struct tty_struct *t
|
||||
}
|
||||
|
||||
/**
|
||||
+ * tiocgetd - get line discipline
|
||||
+ * @tty: tty device
|
||||
+ * @p: pointer to user data
|
||||
+ *
|
||||
+ * Retrieves the line discipline id directly from the ldisc.
|
||||
+ *
|
||||
+ * Locking: waits for ldisc reference (in case the line discipline
|
||||
+ * is changing or the tty is being hungup)
|
||||
+ */
|
||||
+
|
||||
+static int tiocgetd(struct tty_struct *tty, int __user *p)
|
||||
+{
|
||||
+ struct tty_ldisc *ld;
|
||||
+ int ret;
|
||||
+
|
||||
+ ld = tty_ldisc_ref_wait(tty);
|
||||
+ ret = put_user(ld->ops->num, p);
|
||||
+ tty_ldisc_deref(ld);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
* send_break - performed time break
|
||||
* @tty: device to break on
|
||||
* @duration: timeout in mS
|
||||
@@ -2879,7 +2901,7 @@ long tty_ioctl(struct file *file, unsign
|
||||
case TIOCGSID:
|
||||
return tiocgsid(tty, real_tty, p);
|
||||
case TIOCGETD:
|
||||
- return put_user(tty->ldisc->ops->num, (int __user *)p);
|
||||
+ return tiocgetd(tty, p);
|
||||
case TIOCSETD:
|
||||
return tiocsetd(tty, p);
|
||||
case TIOCVHANGUP:
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
From: Vladis Dronov <vdronov@redhat.com>
|
||||
Subject: usb: serial: visor: fix crash on detecting device without write_urbs
|
||||
Date: Tue, 12 Jan 2016 15:10:50 +0100
|
||||
Origin: http://article.gmane.org/gmane.linux.usb.general/136045
|
||||
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1296466
|
||||
|
||||
The visor driver crashes in clie_5_attach() when a specially crafted USB
|
||||
device without bulk-out endpoint is detected. This fix adds a check that
|
||||
the device has proper configuration expected by the driver.
|
||||
|
||||
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||||
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
|
||||
---
|
||||
drivers/usb/serial/visor.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/drivers/usb/serial/visor.c
|
||||
+++ b/drivers/usb/serial/visor.c
|
||||
@@ -597,8 +597,10 @@ static int clie_5_attach(struct usb_seri
|
||||
*/
|
||||
|
||||
/* some sanity check */
|
||||
- if (serial->num_ports < 2)
|
||||
- return -1;
|
||||
+ if (serial->num_bulk_out < 2) {
|
||||
+ dev_err(&serial->interface->dev, "missing bulk out endpoints\n");
|
||||
+ return -ENODEV;
|
||||
+ }
|
||||
|
||||
/* port 0 now uses the modified endpoint Address */
|
||||
port = serial->port[0];
|
||||
|
|
@ -134,3 +134,5 @@ bugfix/x86/drm-i915-don-t-compare-has_drrs-strictly-in-pipe-con.patch
|
|||
bugfix/arm/crypto-sun4i-ss-add-missing-statesize.patch
|
||||
bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch
|
||||
bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch
|
||||
bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch
|
||||
bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue