diff --git a/kernel.spec b/kernel.spec index 8b279cf..b736df3 100644 --- a/kernel.spec +++ b/kernel.spec @@ -641,6 +641,9 @@ Patch685: 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch #CVE-2016-2187 rhbz 1317017 1317010 Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch +#CVE-2016-3136 rhbz 1317007 1317010 +Patch687: mct_u232-sanity-checking-in-probe.patch + # END OF PATCH DEFINITIONS %endif @@ -2164,6 +2167,7 @@ fi # %changelog * Tue Mar 22 2016 Josh Boyer +- CVE-2016-3136 mct_u232: oops on invalid USB descriptors (rhbz 1317007 1317010) - CVE-2016-2187 gtco: oops on invalid USB descriptors (rhbz 1317017 1317010) * Tue Mar 22 2016 Josh Boyer - 4.6.0-0.rc0.git19.1 diff --git a/mct_u232-sanity-checking-in-probe.patch b/mct_u232-sanity-checking-in-probe.patch new file mode 100644 index 0000000..006faf1 --- /dev/null +++ b/mct_u232-sanity-checking-in-probe.patch @@ -0,0 +1,35 @@ +Subject: [PATCH v2] mct_u232: sanity checking in probe +From: Oliver Neukum +Date: 2016-03-21 13:14:37 + +An attack using the lack of sanity checking in probe +is known. This patch checks for the existance of a +second port. +CVE-2016-3136 + +Signed-off-by: Oliver Neukum +CC: stable@vger.kernel.org + +v1 - add sanity check for presence of a second port +v2 - add sanity check for an interrupt endpoint +--- + drivers/usb/serial/mct_u232.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c +index 4446b8d..3e64538 100644 +--- a/drivers/usb/serial/mct_u232.c ++++ b/drivers/usb/serial/mct_u232.c +@@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port) + { + struct mct_u232_private *priv; + ++ /* check first to simplify error handling */ ++ if (!port->serial->port[1] || !port->serial->port[1]->interrupt_in_urb) ++ return -ENODEV; ++ + priv = kzalloc(sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; +-- +2.1.4