diff options
author | Ben Hutchings <ben@decadent.org.uk> | 2015-11-24 17:02:27 +0000 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2015-11-24 17:09:48 +0000 |
commit | 22ad2142d199960cdc06541c54f9718f0fdc0580 (patch) | |
tree | be77a03e98d634998883c21e07fda535d2eac6e5 | |
parent | 00e7e4e3eda37508dd854de137d0ae5803977da1 (diff) | |
download | kernel_replicant_linux-22ad2142d199960cdc06541c54f9718f0fdc0580.tar.gz kernel_replicant_linux-22ad2142d199960cdc06541c54f9718f0fdc0580.tar.bz2 kernel_replicant_linux-22ad2142d199960cdc06541c54f9718f0fdc0580.zip |
media: usbvision: fix crash on detecting device with invalid configuration
(CVE-2015-7833, partly fixed in 4.2.6-1)
Also update headers of the previous patch to match the commit in
media_tree.git.
-rw-r--r-- | debian/changelog | 4 | ||||
-rw-r--r-- | debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch | 44 | ||||
-rw-r--r-- | debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch | 10 | ||||
-rw-r--r-- | debian/patches/series | 3 |
4 files changed, 56 insertions, 5 deletions
diff --git a/debian/changelog b/debian/changelog index 3437c82d696d..362baff7a42f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -8,6 +8,10 @@ linux (4.2.6-2) UNRELEASED; urgency=medium * [x86] Xen: expose a more realistic max p2m size in the shared info, fixes migration (Closes: #797205) + [ Ben Hutchings ] + * media: usbvision: fix crash on detecting device with invalid configuration + (CVE-2015-7833, partly fixed in 4.2.6-1) + -- Salvatore Bonaccorso <carnil@debian.org> Tue, 10 Nov 2015 22:05:58 +0100 linux (4.2.6-1) unstable; urgency=medium diff --git a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch new file mode 100644 index 000000000000..ee4365b9fdec --- /dev/null +++ b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch @@ -0,0 +1,44 @@ +From: Vladis Dronov <vdronov@redhat.com> +Date: Mon, 16 Nov 2015 15:55:11 -0200 +Subject: [media] usbvision: fix crash on detecting device with invalid + configuration +Origin: http://git.linuxtv.org/cgit.cgi/media_tree.git/commit?id=fa52bd506f274b7619955917abfde355e3d19ffe + +The usbvision driver crashes when a specially crafted usb device with invalid +number of interfaces or endpoints is detected. This fix adds checks that the +device has proper configuration expected by the driver. + +Reported-by: Ralf Spenneberg <ralf@spenneberg.net> +Signed-off-by: Vladis Dronov <vdronov@redhat.com> +Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> +--- + drivers/media/usb/usbvision/usbvision-video.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/media/usb/usbvision/usbvision-video.c ++++ b/drivers/media/usb/usbvision/usbvision-video.c +@@ -1542,9 +1542,23 @@ static int usbvision_probe(struct usb_in + + if (usbvision_device_data[model].interface >= 0) + interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0]; +- else ++ else if (ifnum < dev->actconfig->desc.bNumInterfaces) + interface = &dev->actconfig->interface[ifnum]->altsetting[0]; ++ else { ++ dev_err(&intf->dev, "interface %d is invalid, max is %d\n", ++ ifnum, dev->actconfig->desc.bNumInterfaces - 1); ++ ret = -ENODEV; ++ goto err_usb; ++ } ++ ++ if (interface->desc.bNumEndpoints < 2) { ++ dev_err(&intf->dev, "interface %d has %d endpoints, but must" ++ " have minimum 2\n", ifnum, interface->desc.bNumEndpoints); ++ ret = -ENODEV; ++ goto err_usb; ++ } + endpoint = &interface->endpoint[1].desc; ++ + if (!usb_endpoint_xfer_isoc(endpoint)) { + dev_err(&intf->dev, "%s: interface %d. has non-ISO endpoint!\n", + __func__, ifnum); diff --git a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch index 839aa68553d8..90d2bd9d8b36 100644 --- a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch +++ b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch @@ -1,14 +1,16 @@ From: Oliver Neukum <oneukum@suse.com> -Date: Tue, 27 Oct 2015 12:42:38 +0100 -Subject: usbvision fix overflow of interfaces array -Origin: https://bugzilla.novell.com/attachment.cgi?id=653350 +Date: Tue, 27 Oct 2015 09:51:34 -0200 +Subject: [media] usbvision fix overflow of interfaces array +Origin: http://git.linuxtv.org/cgit.cgi/media_tree.git/commit?id=588afcc1c0e45358159090d95bf7b246fb67565f This fixes the crash reported in: http://seclists.org/bugtraq/2015/Oct/35 The interface number needs a sanity check. Signed-off-by: Oliver Neukum <oneukum@suse.com> -[bwh: Backported to 4.2: adjust context] +Cc: Vladis Dronov <vdronov@redhat.com> +Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> +Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> --- drivers/media/usb/usbvision/usbvision-video.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/patches/series b/debian/patches/series index fbd41c56dd76..2625d1866b95 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -103,7 +103,6 @@ bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch debian/target-fix-abi-change-in-4.2.4.patch debian/signal-fix-abi-change-in-4.2.4.patch -bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch @@ -111,3 +110,5 @@ bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch bugfix/x86/x86-xen-p2m-hint-at-the-last-populated-P2M-entry.patch +bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch +bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch |