diff --git a/USB-whiteheat-fix-potential-null-deref-at-probe.patch b/USB-whiteheat-fix-potential-null-deref-at-probe.patch new file mode 100644 index 0000000..00fd557 --- /dev/null +++ b/USB-whiteheat-fix-potential-null-deref-at-probe.patch @@ -0,0 +1,81 @@ +From 10d98bced414c6fc1d09db123e7f762d91b5ebea Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 23 Sep 2015 11:41:42 -0700 +Subject: [PATCH] USB: whiteheat: fix potential null-deref at probe + +Fix potential null-pointer dereference at probe by making sure that the +required endpoints are present. + +The whiteheat driver assumes there are at least five pairs of bulk +endpoints, of which the final pair is used for the "command port". An +attempt to bind to an interface with fewer bulk endpoints would +currently lead to an oops. + +Fixes CVE-2015-5257. + +Reported-by: Moein Ghasemzadeh +Cc: stable +Signed-off-by: Johan Hovold +--- + drivers/usb/serial/whiteheat.c | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c +index 6c3734d2b45a..d3ea90bef84d 100644 +--- a/drivers/usb/serial/whiteheat.c ++++ b/drivers/usb/serial/whiteheat.c +@@ -80,6 +80,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial, + static int whiteheat_firmware_attach(struct usb_serial *serial); + + /* function prototypes for the Connect Tech WhiteHEAT serial converter */ ++static int whiteheat_probe(struct usb_serial *serial, ++ const struct usb_device_id *id); + static int whiteheat_attach(struct usb_serial *serial); + static void whiteheat_release(struct usb_serial *serial); + static int whiteheat_port_probe(struct usb_serial_port *port); +@@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = { + .description = "Connect Tech - WhiteHEAT", + .id_table = id_table_std, + .num_ports = 4, ++ .probe = whiteheat_probe, + .attach = whiteheat_attach, + .release = whiteheat_release, + .port_probe = whiteheat_port_probe, +@@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial) + /***************************************************************************** + * Connect Tech's White Heat serial driver functions + *****************************************************************************/ ++ ++static int whiteheat_probe(struct usb_serial *serial, ++ const struct usb_device_id *id) ++{ ++ struct usb_host_interface *iface_desc; ++ struct usb_endpoint_descriptor *endpoint; ++ size_t num_bulk_in = 0; ++ size_t num_bulk_out = 0; ++ size_t min_num_bulk; ++ unsigned int i; ++ ++ iface_desc = serial->interface->cur_altsetting; ++ ++ for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) { ++ endpoint = &iface_desc->endpoint[i].desc; ++ if (usb_endpoint_is_bulk_in(endpoint)) ++ ++num_bulk_in; ++ if (usb_endpoint_is_bulk_out(endpoint)) ++ ++num_bulk_out; ++ } ++ ++ min_num_bulk = COMMAND_PORT + 1; ++ if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk) ++ return -ENODEV; ++ ++ return 0; ++} ++ + static int whiteheat_attach(struct usb_serial *serial) + { + struct usb_serial_port *command_port; +-- +2.4.3 + diff --git a/kernel.spec b/kernel.spec index 1c27d91..13d6bfa 100644 --- a/kernel.spec +++ b/kernel.spec @@ -653,6 +653,9 @@ Patch523: RDS-verify-the-underlying-transport-exists-before-cr.patch #rhbz 1263762 Patch526: 0001-x86-cpu-cacheinfo-Fix-teardown-path.patch +#CVE-2015-5257 rhbz 1265607 1265612 +Patch527: USB-whiteheat-fix-potential-null-deref-at-probe.patch + # END OF PATCH DEFINITIONS %endif @@ -1424,6 +1427,9 @@ ApplyPatch RDS-verify-the-underlying-transport-exists-before-cr.patch #rhbz 1263762 ApplyPatch 0001-x86-cpu-cacheinfo-Fix-teardown-path.patch +#CVE-2015-5257 rhbz 1265607 1265612 +ApplyPatch USB-whiteheat-fix-potential-null-deref-at-probe.patch + # END OF PATCH APPLICATIONS %endif @@ -2274,6 +2280,9 @@ fi # # %changelog +* Thu Sep 24 2015 Josh Boyer +- CVE-2015-5257 Null ptr deref in usb whiteheat driver (rhbz 1265607 1265612) + * Mon Sep 21 2015 Josh Boyer - 4.1.8-200 - Linux v4.1.8