From 376f91eebee2f0fff26a88e622c0796ad775fb41 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Mar 18 2016 14:37:31 +0000
Subject: CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467)


---

diff --git a/USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch b/USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch
new file mode 100644
index 0000000..7df3af2
--- /dev/null
+++ b/USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch
@@ -0,0 +1,40 @@
+From 3620ebad64a327113bed34edefd45c3605086fc6 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Mon, 14 Mar 2016 10:38:31 -0400
+Subject: [PATCH] USB: iowarrior: fix oops with malicious USB descriptors
+
+The iowarrior driver expects at least one valid endpoint.  If given
+malicious descriptors that specify 0 for the number of endpoints,
+it will crash in the probe function.  Ensure there is at least
+one endpoint on the interface before using it.
+
+The full report of this issue can be found here:
+http://seclists.org/bugtraq/2016/Mar/87
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ drivers/usb/misc/iowarrior.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
+index c6bfd13f6c92..1950e87b4219 100644
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface,
+ 	iface_desc = interface->cur_altsetting;
+ 	dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
+ 
++	if (iface_desc->desc.bNumEndpoints < 1) {
++		dev_err(&interface->dev, "Invalid number of endpoints\n");
++		retval = -EINVAL;
++		goto error;
++	}
++
+ 	/* set up the endpoint information */
+ 	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
+ 		endpoint = &iface_desc->endpoint[i].desc;
+-- 
+2.5.0
+
diff --git a/kernel.spec b/kernel.spec
index 8658c13..c872f2f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -640,6 +640,9 @@ Patch672: cypress_m8-add-sanity-checking.patch
 #CVE-2016-2186 rhbz 1317015 1317464
 Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
 
+#CVE-2016-2188 rhbz 1317018 1317467
+Patch674: USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch
+
 # END OF PATCH DEFINITIONS
 %endif
 
@@ -2084,6 +2087,7 @@ fi
 # 
 %changelog
 * Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467)
 - CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464)
 - CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996)
 - CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470)