Fixes USB hub invalid memory access in hub_activate(). Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8816
Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=a706ac408da4994438d995d2cf4d2f7943086ca4
Signed-off-by: Sona Sarmadi <[email protected]>
---
 recipes-kernel/linux/files/CVE-2015-8816.patch | 96 ++++++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq_3.12.bb | 1 +
 2 files changed, 97 insertions(+)
 create mode 100644 recipes-kernel/linux/files/CVE-2015-8816.patch
diff --git a/recipes-kernel/linux/files/CVE-2015-8816.patch b/recipes-kernel/linux/files/CVE-2015-8816.patch
new file mode 100644
index 0000000..a2bc55b
--- /dev/null
+++ b/recipes-kernel/linux/files/CVE-2015-8816.patch
@@ -0,0 +1,96 @@
+From a706ac408da4994438d995d2cf4d2f7943086ca4 Mon Sep 17 00:00:00 2001
+From: Alan Stern <[email protected]>
+Date: Wed, 16 Dec 2015 13:32:38 -0500
+Subject: USB: fix invalid memory access in hub_activate()
+
+commit e50293ef9775c5f1cf3fcc093037dd6a8c5684ea upstream.
+
+Commit 8520f38099cc ("USB: change hub initialization sleeps to
+delayed_work") changed the hub_activate() routine to make part of it
+run in a workqueue. However, the commit failed to take a reference to
+the usb_hub structure or to lock the hub interface while doing so. As
+a result, if a hub is plugged in and quickly unplugged before the work
+routine can run, the routine will try to access memory that has been
+deallocated. Or, if the hub is unplugged while the routine is
+running, the memory may be deallocated while it is in active use.
+
+This patch fixes the problem by taking a reference to the usb_hub at
+the start of hub_activate() and releasing it at the end (when the work
+is finished), and by locking the hub interface while the work routine
+is running. It also adds a check at the start of the routine to see
+if the hub has already been disconnected, in which nothing should be
+done.
+
+CVE: CVE-2015-8816
+Upstream-Status: Backport
+
+Signed-off-by: Alan Stern <[email protected]>
+Reported-by: Alexandru Cornea <[email protected]>
+Tested-by: Alexandru Cornea <[email protected]>
+Fixes: 8520f38099cc ("USB: change hub initialization sleeps to delayed_work")
+Signed-off-by: Greg Kroah-Hartman <[email protected]>
+Signed-off-by: Jiri Slaby <[email protected]>
+Signed-off-by: Sona Sarmadi <[email protected]>
+---
+ drivers/usb/core/hub.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index a7de5da..fdcf290 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -114,6 +114,7 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rwsem);
+ #define HUB_DEBOUNCE_STABLE 100
+
+ static int usb_reset_and_verify_device(struct usb_device *udev);
++static void hub_release(struct kref *kref);
+
+ static inline char *portspeed(struct usb_hub *hub, int portstatus)
+ {
+@@ -1030,10 +1031,20 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ unsigned delay;
+
+ /* Continue a partial initialization */
+- if (type == HUB_INIT2)
+- goto init2;
+- if (type == HUB_INIT3)
++ if (type == HUB_INIT2 || type == HUB_INIT3) {
++ device_lock(hub->intfdev);
++
++ /* Was the hub disconnected while we were waiting? */
++ if (hub->disconnected) {
++ device_unlock(hub->intfdev);
++ kref_put(&hub->kref, hub_release);
++ return;
++ }
++ if (type == HUB_INIT2)
++ goto init2;
+ goto init3;
++ }
++ kref_get(&hub->kref);
+
+ /* The superspeed hub except for root hub has to use Hub Depth
+ * value as an offset into the route string to locate the bits
+@@ -1230,6 +1241,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ PREPARE_DELAYED_WORK(&hub->init_work, hub_init_func3);
+ schedule_delayed_work(&hub->init_work,
+ msecs_to_jiffies(delay));
++ device_unlock(hub->intfdev);
+ return; /* Continues at init3: below */
+ } else {
+ msleep(delay);
+@@ -1250,6 +1262,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ /* Allow autosuspend if it was suppressed */
+ if (type <= HUB_INIT3)
+ usb_autopm_put_interface_async(to_usb_interface(hub->intfdev));
++
++ if (type == HUB_INIT2 || type == HUB_INIT3)
++ device_unlock(hub->intfdev);
++
++ kref_put(&hub->kref, hub_release);
+ }
+
+ /* Implement the continuations for the delays above */
+--
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index e3ba079..a9dee4c 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -7,5 +7,6 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;branch=sdk-v1.9.x \
 file://Trusty-SRU-ipc-fix-compat-msgrcv-with-negative-msgtyp.patch \
 file://CVE-2015-8539.patch \
 file://CVE-2015-8767.patch \
+ file://CVE-2015-8816.patch \
 "
 SRCREV = "43cecda943a6c40a833b588801b0929e8bd48813"
--
1.9.1

--
_______________________________________________
meta-freescale mailing list
[email protected]
https://lists.yoctoproject.org/listinfo/meta-freescale
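Review bot: The early exit added in the `@@ -1030,10 +1031,20 @@` hunk — `if (hub->disconnected) { device_unlock(hub->intfdev); kref_put(&hub->kref, hub_release); return; }` — returns before the `/* Allow autosuspend if it was suppressed */` block in the `@@ -1250,6 +1262,11 @@` hunk, so `usb_autopm_put_interface_async()` is never called for an INIT2/INIT3 continuation that finds the hub already gone. If the HUB_INIT stage took the matching autopm reference (that code is outside these hunks, but the "if it was suppressed" comment implies it), a hub unplugged during its delayed initialization leaves the interface's PM usage count unbalanced; I believe upstream later reworked this exact early exit for that reason, so the backport should pick up that follow-up rather than stop at this commit. A cleaner shape is to replace the five-line early exit with `if (hub->disconnected) goto disconnected;`, add a `disconnected:` label directly before the `/* Allow autosuspend if it was suppressed */` comment, and let the existing autopm put, the conditional `device_unlock()` and the final `kref_put()` run on that path (the `type <= HUB_INIT3` and `type == HUB_INIT2 || type == HUB_INIT3` guards already hold there), which also removes the duplicated unlock/put. hub_activate()'s body lies mostly outside the hunks shown here, so the label placement should be checked against the full function.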
