diff --git a/debian/changelog b/debian/changelog index 6e2023681..ced3c696c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -136,6 +136,8 @@ linux (4.5.2-1) UNRELEASED; urgency=medium closes: #822364) * [armhf] Disable FB_OMAP2; it is redundant and conflicting with DRM_OMAP * [armhf] mm: Enable CMA, DMA_CMA + * Input: gtco - fix crash on detecting device without endpoints + (CVE-2016-2187) [ Aurelien Jarno ] * [mips*] Emulate unaligned LDXC1 and SDXC1 instructions. diff --git a/debian/patches/bugfix/all/input-gtco-fix-crash-on-detecting-device-without-end.patch b/debian/patches/bugfix/all/input-gtco-fix-crash-on-detecting-device-without-end.patch new file mode 100644 index 000000000..8908aff65 --- /dev/null +++ b/debian/patches/bugfix/all/input-gtco-fix-crash-on-detecting-device-without-end.patch @@ -0,0 +1,53 @@ +From: Vladis Dronov +Date: Thu, 31 Mar 2016 10:53:42 -0700 +Subject: Input: gtco - fix crash on detecting device without endpoints +Origin: https://git.kernel.org/linus/162f98dea487206d9ab79fc12ed64700667a894d + +The gtco driver expects at least one valid endpoint. If given malicious +descriptors that specify 0 for the number of endpoints, it will crash in +the probe function. Ensure there is at least one endpoint on the interface +before using it. + +Also let's fix a minor coding style issue. + +The full correct report of this issue can be found in the public +Red Hat Bugzilla: + +https://bugzilla.redhat.com/show_bug.cgi?id=1283385 + +Reported-by: Ralf Spenneberg +Signed-off-by: Vladis Dronov +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +--- + drivers/input/tablet/gtco.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c +index 3a7f3a4a4396..7c18249d6c8e 100644 +--- a/drivers/input/tablet/gtco.c ++++ b/drivers/input/tablet/gtco.c +@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface, + goto err_free_buf; + } + ++ /* Sanity check that a device has an endpoint */ ++ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { ++ dev_err(&usbinterface->dev, ++ "Invalid number of endpoints\n"); ++ error = -EINVAL; ++ goto err_free_urb; ++ } ++ + /* + * The endpoint is always altsetting 0, we know this since we know + * this device only has one interrupt endpoint +@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface, + * HID report descriptor + */ + if (usb_get_extra_descriptor(usbinterface->cur_altsetting, +- HID_DEVICE_TYPE, &hid_desc) != 0){ ++ HID_DEVICE_TYPE, &hid_desc) != 0) { + dev_err(&usbinterface->dev, + "Can't retrieve exta USB descriptor to get hid report descriptor length\n"); + error = -EIO; diff --git a/debian/patches/series b/debian/patches/series index cf42d3ac3..4d0e35cd2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -133,6 +133,7 @@ bugfix/x86/x86-xen-suppress-hugetlbfs-in-PV-guests.patch bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch # Tools bug fixes +bugfix/all/input-gtco-fix-crash-on-detecting-device-without-end.patch bugfix/all/usbip-document-tcp-wrappers.patch bugfix/all/kbuild-fix-recordmcount-dependency.patch bugfix/all/usbip-include-uninstalled-linux-usbip-h.patch