From 70aa4d626d8178e9bea47e9e06ee3d7d22d8ca25 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Mar 22 2016 18:21:31 +0000
Subject: CVE-2016-2187 gtco: oops on invalid USB descriptors (rhbz 1317017 1317010)


---

diff --git a/input-gtco-fix-crash-on-detecting-device-without-end.patch b/input-gtco-fix-crash-on-detecting-device-without-end.patch
new file mode 100644
index 0000000..849f607
--- /dev/null
+++ b/input-gtco-fix-crash-on-detecting-device-without-end.patch
@@ -0,0 +1,49 @@
+Subject:    [PATCH] Input: gtco: fix crash on detecting device without endpoints
+From:       Vladis Dronov <vdronov@redhat.com>
+Date:       2016-03-18 18:35:00
+
+The gtco driver expects at least one valid endpoint. If given
+malicious descriptors that specify 0 for the number of endpoints,
+it will crash in the probe function. Ensure there is at least
+one endpoint on the interface before using it. Fix minor coding
+style issue.
+
+The full report of this issue can be found here:
+http://seclists.org/bugtraq/2016/Mar/86
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+---
+ drivers/input/tablet/gtco.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
+index 3a7f3a4..7c18249 100644
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface,
+ 		goto err_free_buf;
+ 	}
+ 
++	/* Sanity check that a device has an endpoint */
++	if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
++		dev_err(&usbinterface->dev,
++			"Invalid number of endpoints\n");
++		error = -EINVAL;
++		goto err_free_urb;
++	}
++
+ 	/*
+ 	 * The endpoint is always altsetting 0, we know this since we know
+ 	 * this device only has one interrupt endpoint
+@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface,
+ 	 * HID report descriptor
+ 	 */
+ 	if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
+-				     HID_DEVICE_TYPE, &hid_desc) != 0){
++				     HID_DEVICE_TYPE, &hid_desc) != 0) {
+ 		dev_err(&usbinterface->dev,
+ 			"Can't retrieve exta USB descriptor to get hid report descriptor length\n");
+ 		error = -EIO;
+-- 
+2.5.0
diff --git a/kernel.spec b/kernel.spec
index 6dd638b..2a9c307 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -669,6 +669,9 @@ Patch680: thermal-fix.patch
 #rhbz 1318079
 Patch681: 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch
 
+#CVE-2016-2187 rhbz 1317017 1317010
+Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch
+
 # END OF PATCH DEFINITIONS
 %endif
 
@@ -1401,6 +1404,9 @@ ApplyPatch thermal-fix.patch
 #rhbz 1318079
 ApplyPatch 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch
 
+#CVE-2016-2187 rhbz 1317017 1317010
+ApplyPatch input-gtco-fix-crash-on-detecting-device-without-end.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2250,6 +2256,9 @@ fi
 #
 # 
 %changelog
+* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-2187 gtco: oops on invalid USB descriptors (rhbz 1317017 1317010)
+
 * Mon Mar 21 2016 Laura Abbott <labbott@fedoraproject.org>
 - uas: Limit qdepth at the scsi-host level (rhbz 1315013)
 - Fix for performance regression caused by thermal (rhbz 1317190)