diff --git a/debian/changelog b/debian/changelog index 3d0170208..a52a79bef 100644 --- a/debian/changelog +++ b/debian/changelog @@ -25,6 +25,7 @@ linux (4.2.1-1) UNRELEASED; urgency=medium upstream commit 4e93b9a6abc0 ("mmc: card: Don't access RPMB partitions for normal read/write") looks like a cleaner solution * mm: Change ZBUD back to built-in, as it's not really useful as a module + * USB: whiteheat: fix potential null-deref at probe (CVE-2015-5257) [ Aurelien Jarno ] * [mips*el] Fix BPF assembly code for pre-R2 CPUs. (fixes FTBFS) diff --git a/debian/patches/bugfix/all/usb-whiteheat-fix-potential-null-deref-at-probe.patch b/debian/patches/bugfix/all/usb-whiteheat-fix-potential-null-deref-at-probe.patch new file mode 100644 index 000000000..43809584a --- /dev/null +++ b/debian/patches/bugfix/all/usb-whiteheat-fix-potential-null-deref-at-probe.patch 
@@ -0,0 +1,79 @@
+From: Johan Hovold
+Date: Wed, 23 Sep 2015 11:41:42 -0700
+Subject: USB: whiteheat: fix potential null-deref at probe
+Origin: https://git.kernel.org/cgit/linux/kernel/git/gregkh/usb.git/commit?id=cbb4be652d374f64661137756b8f357a1827d6a4
+
+Fix potential null-pointer dereference at probe by making sure that the
+required endpoints are present.
+
+The whiteheat driver assumes there are at least five pairs of bulk
+endpoints, of which the final pair is used for the "command port". An
+attempt to bind to an interface with fewer bulk endpoints would
+currently lead to an oops.
+
+Fixes CVE-2015-5257.
+
+Reported-by: Moein Ghasemzadeh
+Cc: stable
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/whiteheat.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
+index 6c3734d..d3ea90b 100644
+--- a/drivers/usb/serial/whiteheat.c
++++ b/drivers/usb/serial/whiteheat.c
+@@ -80,6 +80,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial,
+ static int whiteheat_firmware_attach(struct usb_serial *serial);
+
+ /* function prototypes for the Connect Tech WhiteHEAT serial converter */
++static int whiteheat_probe(struct usb_serial *serial,
++ const struct usb_device_id *id);
+ static int whiteheat_attach(struct usb_serial *serial);
+ static void whiteheat_release(struct usb_serial *serial);
+ static int whiteheat_port_probe(struct usb_serial_port *port);
+@@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = {
+ .description = "Connect Tech - WhiteHEAT",
+ .id_table = id_table_std,
+ .num_ports = 4,
++ .probe = whiteheat_probe,
+ .attach = whiteheat_attach,
+ .release = whiteheat_release,
+ .port_probe = whiteheat_port_probe,
+@@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial)
+ /*****************************************************************************
+ * Connect Tech's White Heat serial driver functions
+ *****************************************************************************/
++
++static int whiteheat_probe(struct usb_serial *serial,
++ const struct usb_device_id *id)
++{
++ struct usb_host_interface *iface_desc;
++ struct usb_endpoint_descriptor *endpoint;
++ size_t num_bulk_in = 0;
++ size_t num_bulk_out = 0;
++ size_t min_num_bulk;
++ unsigned int i;
++
++ iface_desc = serial->interface->cur_altsetting;
++
++ for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
++ endpoint = &iface_desc->endpoint[i].desc;
++ if (usb_endpoint_is_bulk_in(endpoint))
++ ++num_bulk_in;
++ if (usb_endpoint_is_bulk_out(endpoint))
++ ++num_bulk_out;
++ }
++
++ min_num_bulk = COMMAND_PORT + 1;
++ if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk)
++ return -ENODEV;
++
++ return 0;
++}
++
+ static int whiteheat_attach(struct usb_serial *serial)
+ {
+ struct usb_serial_port *command_port;
diff --git a/debian/patches/series b/debian/patches/series
index 7fc75221f..d65aad0fc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -95,3 +95,4 @@ bugfix/all/dcache-reduce-the-scope-of-i_lock-in-d_splice_alias.patch
 bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-f.patch
 bugfix/all/rds-verify-the-underlying-transport-exists-before-cr.patch
 bugfix/all/e1000e-fix-tight-loop-implementation-of-systime-read.patch
+bugfix/all/usb-whiteheat-fix-potential-null-deref-at-probe.patch
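Review bot: The new whiteheat_probe() in the embedded whiteheat.c patch returns -ENODEV silently when the bulk endpoint count is too low, so a malformed or hostile device that trips the check leaves no trace in the kernel log. Consider adding `dev_err(&serial->interface->dev, "required endpoints missing\n");` just before `return -ENODEV;` so the rejection is visible to whoever triages the host. The line `min_num_bulk = COMMAND_PORT + 1;` would also benefit from a short comment such as `/* the four data ports and the command port each need a bulk-in/bulk-out pair */`, which is what the commit message and `.num_ports = 4` imply. Only the first lines of whiteheat_attach() are inside the hunk, so whether this check covers every endpoint access made there cannot be confirmed from the visible lines.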