media: usbvision: fix crash on detecting device with invalid configuration
(CVE-2015-7833, partly fixed in 4.2.6-1) Also update headers of the previous patch to match the commit in media_tree.git.
This commit is contained in:
Ben Hutchings
parent
00e7e4e3ed
commit
22ad2142d1
|
|
@ -8,6 +8,10 @@ linux (4.2.6-2) UNRELEASED; urgency=medium
|
|||
* [x86] Xen: expose a more realistic max p2m size in the shared info, fixes
|
||||
migration (Closes: #797205)
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* media: usbvision: fix crash on detecting device with invalid configuration
|
||||
(CVE-2015-7833, partly fixed in 4.2.6-1)
|
||||
|
||||
-- Salvatore Bonaccorso <carnil@debian.org> Tue, 10 Nov 2015 22:05:58 +0100
|
||||
|
||||
linux (4.2.6-1) unstable; urgency=medium
|
||||
|
|
|
|||
44
debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
vendored
Normal file
44
debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
vendored
Normal file
|
|
@ -0,0 +1,44 @@
|
|||
From: Vladis Dronov <vdronov@redhat.com>
|
||||
Date: Mon, 16 Nov 2015 15:55:11 -0200
|
||||
Subject: [media] usbvision: fix crash on detecting device with invalid
|
||||
configuration
|
||||
Origin: http://git.linuxtv.org/cgit.cgi/media_tree.git/commit?id=fa52bd506f274b7619955917abfde355e3d19ffe
|
||||
|
||||
The usbvision driver crashes when a specially crafted usb device with invalid
|
||||
number of interfaces or endpoints is detected. This fix adds checks that the
|
||||
device has proper configuration expected by the driver.
|
||||
|
||||
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||||
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
|
||||
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
||||
---
|
||||
drivers/media/usb/usbvision/usbvision-video.c | 16 +++++++++++++++-
|
||||
1 file changed, 15 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/drivers/media/usb/usbvision/usbvision-video.c
|
||||
+++ b/drivers/media/usb/usbvision/usbvision-video.c
|
||||
@@ -1542,9 +1542,23 @@ static int usbvision_probe(struct usb_in
|
||||
|
||||
if (usbvision_device_data[model].interface >= 0)
|
||||
interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
|
||||
- else
|
||||
+ else if (ifnum < dev->actconfig->desc.bNumInterfaces)
|
||||
interface = &dev->actconfig->interface[ifnum]->altsetting[0];
|
||||
+ else {
|
||||
+ dev_err(&intf->dev, "interface %d is invalid, max is %d\n",
|
||||
+ ifnum, dev->actconfig->desc.bNumInterfaces - 1);
|
||||
+ ret = -ENODEV;
|
||||
+ goto err_usb;
|
||||
+ }
|
||||
+
|
||||
+ if (interface->desc.bNumEndpoints < 2) {
|
||||
+ dev_err(&intf->dev, "interface %d has %d endpoints, but must"
|
||||
+ " have minimum 2\n", ifnum, interface->desc.bNumEndpoints);
|
||||
+ ret = -ENODEV;
|
||||
+ goto err_usb;
|
||||
+ }
|
||||
endpoint = &interface->endpoint[1].desc;
|
||||
+
|
||||
if (!usb_endpoint_xfer_isoc(endpoint)) {
|
||||
dev_err(&intf->dev, "%s: interface %d. has non-ISO endpoint!\n",
|
||||
__func__, ifnum);
|
||||
|
|
@ -1,14 +1,16 @@
|
|||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: Tue, 27 Oct 2015 12:42:38 +0100
|
||||
Subject: usbvision fix overflow of interfaces array
|
||||
Origin: https://bugzilla.novell.com/attachment.cgi?id=653350
|
||||
Date: Tue, 27 Oct 2015 09:51:34 -0200
|
||||
Subject: [media] usbvision fix overflow of interfaces array
|
||||
Origin: http://git.linuxtv.org/cgit.cgi/media_tree.git/commit?id=588afcc1c0e45358159090d95bf7b246fb67565f
|
||||
|
||||
This fixes the crash reported in:
|
||||
http://seclists.org/bugtraq/2015/Oct/35
|
||||
The interface number needs a sanity check.
|
||||
|
||||
Signed-off-by: Oliver Neukum <oneukum@suse.com>
|
||||
[bwh: Backported to 4.2: adjust context]
|
||||
Cc: Vladis Dronov <vdronov@redhat.com>
|
||||
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
|
||||
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
||||
---
|
||||
drivers/media/usb/usbvision/usbvision-video.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
|
|
|||
|
|
@ -103,7 +103,6 @@ bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
|
|||
|
||||
debian/target-fix-abi-change-in-4.2.4.patch
|
||||
debian/signal-fix-abi-change-in-4.2.4.patch
|
||||
bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
|
||||
bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
|
||||
bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch
|
||||
bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch
|
||||
|
|
@ -111,3 +110,5 @@ bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch
|
|||
bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch
|
||||
bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch
|
||||
bugfix/x86/x86-xen-p2m-hint-at-the-last-populated-P2M-entry.patch
|
||||
bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
|
||||
bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue