From c08c3b8b2500abcde482e9736360ca49a348646c Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 17:40:00 +0000 Subject: [PATCH] usb: usbtest: fix NULL pointer dereference (CVE-2017-16532) --- debian/changelog | 1 + ...usbtest-fix-NULL-pointer-dereference.patch | 39 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 41 insertions(+) create mode 100644 debian/patches/bugfix/all/usb-usbtest-fix-NULL-pointer-dereference.patch diff --git a/debian/changelog b/debian/changelog index ba70dfba7..c303b84c5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -124,6 +124,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium * swap: Avoid ABI change in 4.13.12 * mac80211: use constant time comparison with keys * mac80211: don't compare TKIP TX MIC key in reinstall prevention + * usb: usbtest: fix NULL pointer dereference (CVE-2017-16532) -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/patches/bugfix/all/usb-usbtest-fix-NULL-pointer-dereference.patch b/debian/patches/bugfix/all/usb-usbtest-fix-NULL-pointer-dereference.patch new file mode 100644 index 000000000..ac4735064 --- /dev/null +++ b/debian/patches/bugfix/all/usb-usbtest-fix-NULL-pointer-dereference.patch 
@@ -0,0 +1,39 @@ +From: Alan Stern +Date: Fri, 29 Sep 2017 10:54:24 -0400 +Subject: usb: usbtest: fix NULL pointer dereference +Origin: https://git.kernel.org/linus/7c80f9e4a588f1925b07134bb2e3689335f6c6d8 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16532 + +If the usbtest driver encounters a device with an IN bulk endpoint but +no OUT bulk endpoint, it will try to dereference a NULL pointer +(out->desc.bEndpointAddress). The problem can be solved by adding a +missing test. + +Signed-off-by: Alan Stern +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Felipe Balbi +--- + drivers/usb/misc/usbtest.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c +index 113e38bfe0ef..b3fc602b2e24 100644 +--- a/drivers/usb/misc/usbtest.c ++++ b/drivers/usb/misc/usbtest.c +@@ -202,12 +202,13 @@ get_endpoints(struct usbtest_dev *dev, struct usb_interface *intf) + return tmp; + } + +- if (in) { ++ if (in) + dev->in_pipe = usb_rcvbulkpipe(udev, + in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); ++ if (out) + dev->out_pipe = usb_sndbulkpipe(udev, + out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); +- } ++ + if (iso_in) { + dev->iso_in = &iso_in->desc; + dev->in_iso_pipe = usb_rcvisocpipe(udev, diff --git a/debian/patches/series b/debian/patches/series index 90a6f7df5..c6a86a389 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -117,6 +117,7 @@ bugfix/all/mac80211-accept-key-reinstall-without-changing-anyth.patch bugfix/all/mac80211-use-constant-time-comparison-with-keys.patch bugfix/all/mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-.patch bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch +bugfix/all/usb-usbtest-fix-NULL-pointer-dereference.patch # Fix exported symbol versions bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
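Review bot: in the get_endpoints() hunk of drivers/usb/misc/usbtest.c, the new standalone `if (out)` changes more than the crash case described in the commit message. An interface with an OUT bulk endpoint but no IN bulk endpoint now gets dev->out_pipe assigned, where the old `if (in) { ... }` block skipped both assignments. Please confirm that the tests which use out_pipe cope with in_pipe being unset in that configuration. In the case the patch targets (`in` set, `out` NULL), dev->out_pipe is now simply left untouched. The visible lines do not show where it is initialised or whether later users check it before submitting transfers, so it is worth stating in the description that an unset out_pipe is treated as "no endpoint". As a minor style point, both `if` bodies are two-line statements without braces. Keeping braces around each, as the `if (iso_in) {` block just below does, would make the two guards harder to merge again by accident.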