[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Changed in: linux (Ubuntu)
       Status: Fix Committed => Fix Released

** Changed in: hwe-next/utopic
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992

Title:
  Kernel oopses on access to address 0x8 when cdc-acm device is inserted
  with invalid descriptor.

Status in HWE Next Project:
  Fix Released
Status in HWE Next trusty series:
  Fix Released
Status in HWE Next utopic series:
  Fix Released
Status in HWE Next vivid series:
  Fix Released
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Utopic:
  Fix Released

Bug description:
  Invalid configuration descriptor as follows:

  #+BEGIN_SRC text
        09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02  ..C.d...
  0010  00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01  ...$$...$...
  0020  05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00  .$..
  0030  02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02  .@..
  0040  20 00 ff                                         ..
  #+END_SRC text

  In particular, the CDC Call Management Descriptor has its length
  declared too short (4 instead of 5), and the following CDC Union
  Descriptor is therefore unreachable.

  *** Code problems:

  1. The ~while (buflen > 0)~ loop that parses the interface aux data
     does not perform correct boundary checking. In the above case,
     ~call_interface_num = buffer[4];~ accesses outside of the (declared)
     descriptor content.

  2. If a union header is missing, there is no code path that checks
     whether the ~data_interface~ (resolved from ~call_interface_num~)
     actually exists. Later
     ~if (data_interface->cur_altsetting->desc.bInterfaceClass~
     dereferences ~data_interface~.

  ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551

  issue 2 was already fixed, issue 1's fix is in progress of upstream
  merging, open this bug to track.

To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
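The two checks the bug description asks for, as a user-space C example added here (it is not the kernel patch and not code from the report): each class-specific descriptor is read only within its declared bLength, and the data interface number is validated before use. The function and struct names, the stop-on-bad-header policy, and the assumption that interfaces are numbered 0..bNumInterfaces-1 are illustrative; the first byte array is the interface 0 class-specific data from the dump above, the second is a constructed variant with the length corrected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DT_CS_INTERFACE 0x24 /* class-specific interface descriptor */
#define CDC_CALL_MGMT   0x01 /* bDescriptorSubType: Call Management */
#define CDC_UNION       0x06 /* bDescriptorSubType: Union */

struct cdc_scan {
    int call_iface;   /* bDataInterface from Call Management, -1 if none accepted */
    int union_master; /* -1 if no usable Union descriptor was seen */
    int union_slave;
    int rejected;     /* descriptors whose bLength is too short for their subtype */
    int truncated;    /* 1 if the walk stopped on an unusable header */
};

/* Walk the class-specific descriptors without reading past any declared bLength. */
static void scan_cdc_extra(const uint8_t *buf, size_t len, struct cdc_scan *out)
{
    size_t off = 0;

    out->call_iface = out->union_master = out->union_slave = -1;
    out->rejected = out->truncated = 0;

    while (off < len) {
        const uint8_t *d = buf + off;
        size_t left = len - off;

        /* A header is bLength + bDescriptorType and must fit in what is left. */
        if (left < 2 || d[0] < 2 || d[0] > left) {
            out->truncated = 1; /* assumed policy: stop, do not resynchronise */
            return;
        }
        if (d[1] == DT_CS_INTERFACE && d[0] >= 3) {
            switch (d[2]) {
            case CDC_CALL_MGMT:
                if (d[0] < 5) { out->rejected++; break; } /* d[4] not covered */
                out->call_iface = d[4];
                break;
            case CDC_UNION:
                if (d[0] < 5) { out->rejected++; break; }
                out->union_master = d[3];
                out->union_slave = d[4];
                break;
            default:
                break; /* header, ACM and other subtypes are not needed here */
            }
        }
        off += d[0];
    }
}

/* Returns the data interface number, or -1 when the device must be refused. */
static int pick_data_interface(const struct cdc_scan *s, int num_interfaces)
{
    int n = (s->union_slave >= 0) ? s->union_slave : s->call_iface;

    if (n < 0 || n >= num_interfaces)
        return -1; /* nothing valid to resolve, so nothing to dereference */
    return n;
}

/* Class-specific bytes of interface 0, copied from the dump in the report. */
static const uint8_t extra_from_report[] = {
    0x05, 0x24, 0x00, 0x10, 0x01, /* CDC header */
    0x04, 0x24, 0x02, 0x06,       /* ACM */
    0x04, 0x24, 0x01, 0x00, 0x01, /* Call Management: bLength 4, 5 bytes present */
    0x05, 0x24, 0x06, 0x00, 0x01, /* Union */
};

/* Constructed sample: same bytes with the Call Management bLength set to 5. */
static const uint8_t extra_corrected[] = {
    0x05, 0x24, 0x00, 0x10, 0x01,
    0x04, 0x24, 0x02, 0x06,
    0x05, 0x24, 0x01, 0x00, 0x01,
    0x05, 0x24, 0x06, 0x00, 0x01,
};

static int data_iface_for(const uint8_t *buf, size_t len, int num_interfaces)
{
    struct cdc_scan s;

    scan_cdc_extra(buf, len, &s);
    return pick_data_interface(&s, num_interfaces);
}

int main(void)
{
    /* bNumInterfaces is 2 in the configuration descriptor of the report. */
    printf("report bytes:    data interface %d\n",
           data_iface_for(extra_from_report, sizeof extra_from_report, 2));
    printf("corrected bytes: data interface %d\n",
           data_iface_for(extra_corrected, sizeof extra_corrected, 2));
    return 0;
}
```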
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
This bug was fixed in the package linux - 3.16.0-34.45

---
linux (3.16.0-34.45) utopic; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug - LP: #1435400

  [ Andy Whitcroft ]

  * [Packaging] generate live watchdog blacklists - LP: #1432837

  [ Chris J Arges ]

  * [Config] Add ibmvfc to d-i - LP: #1416001

  [ John Johansen ]

  * SAUCE: (no-up): apparmor: fix mediation of fs unix sockets - LP: #1408833

  [ Seth Forshee ]

  * [Config] updateconfigs - enable X86_UP_APIC_MSI

  [ Upstream Kernel Changes ]

  * cdc-acm: add sanity checks - LP: #1413992
  * x86: thinkpad_acpi.c: fixed spacing coding style issue - LP: #1417915
  * thinkpad_acpi: support new BIOS version string pattern - LP: #1417915
  * powernv: Use _GLOBAL_TOC for opal wrappers - LP: #1431196
  * Btrfs: clear compress-force when remounting with compress option - LP: #1434183
  * Btrfs: send, don't delay dir move if there's a new parent inode - LP: #1434223
  * [media] em28xx: fix em28xx-input removal - LP: #1434595
  * [media] em28xx: ensure "closing" messages terminate with a newline - LP: #1434595
  * [media] em28xx-input: fix missing newlines - LP: #1434595
  * [media] em28xx-core: fix missing newlines - LP: #1434595
  * [media] em28xx-audio: fix missing newlines - LP: #1434595
  * [media] em28xx-audio: fix missing newlines - LP: #1434595
  * [media] em28xx-dvb: fix missing newlines - LP: #1434595
  * [media] em28xx-video: fix missing newlines - LP: #1434595
  * ARM: pxa: add regulator_has_full_constraints to corgi board file - LP: #1434595
  * ARM: pxa: add regulator_has_full_constraints to poodle board file - LP: #1434595
  * ARM: pxa: add regulator_has_full_constraints to spitz board file - LP: #1434595
  * hx4700: regulator: declare full constraints - LP: #1434595
  * HID: input: fix confusion on conflicting mappings - LP: #1434595
  * HID: fixup the conflicting keyboard mappings quirk - LP: #1434595
  * ARM: dts: tegra20: fix GR3D, DSI unit and reg base addresses - LP: #1434595
  * megaraid_sas: disable interrupt_mask before enabling hardware interrupts - LP: #1434595
  * PCI: Generate uppercase hex for modalias var in uevent - LP: #1434595
  * usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN - LP: #1434595
  * tty/serial: at91: enable peripheral clock before accessing I/O registers - LP: #1434595
  * tty/serial: at91: fix error handling in atmel_serial_probe() - LP: #1434595
  * axonram: Fix bug in direct_access - LP: #1434595
  * btrfs: fix leak of path in btrfs_find_item - LP: #1434595
  * ksoftirqd: Enable IRQs and call cond_resched() before poking RCU - LP: #1434595
  * TPM: Add new TPMs to the tail of the list to prevent inadvertent change of dev - LP: #1434595
  * char: tpm: Add missing error check for devm_kzalloc - LP: #1434595
  * tpm_tis: verify interrupt during init - LP: #1434595
  * tpm: Fix NULL return in tpm_ibmvtpm_get_desired_dma - LP: #1434595
  * tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send - LP: #1434595
  * tpm/tpm_i2c_stm_st33: Add status check when reading data on the FIFO - LP: #1434595
  * mmc: sdhci-pxav3: fix unbalanced clock issues during probe - LP: #1434595
  * iwlwifi: mvm: validate tid and sta_id in ba_notif - LP: #1434595
  * power: gpio-charger: balance enable/disable_irq_wake calls - LP: #1434595
  * power: bq24190: Fix ignored supplicants - LP: #1434595
  * ARM: DRA7: hwmod: Fix boot crash with DEBUG_LL enabled on UART3 - LP: #1434595
  * Bluetooth: ath3k: Add support of AR3012 bluetooth 13d3:3423 device - LP: #1411193, #1434595
  * Bluetooth: btusb: Add Broadcom patchram support for ASUSTek devices - LP: #1434595
  * cfq-iosched: fix incorrect filing of rt async cfqq - LP: #1434595
  * smack: fix possible use after frees in task_security() callers - LP: #1434595
  * xfs: ensure buffer types are set correctly - LP: #1434595
  * xfs: inode unlink does not set AGI buffer type - LP: #1434595
  * xfs: set buf types when converting extent formats - LP: #1434595
  * xfs: set superblock buffer type correctly - LP: #1434595
  * btrfs: set proper message level for skinny metadata - LP: #1434595
  * KVM: s390: base hrtimer on a monotonic clock - LP: #1434595
  * KVM: s390: avoid memory leaks if __inject_vm() fails - LP: #1434595
  * samsung-laptop: Add use_native_backlight quirk, and enable it on some models - LP: #1434595
  * PCI: Fix infinite loop with ROM image of size 0 - LP: #1434595
  * USB: cp210x: add ID for RUGGEDCOM USB Serial Console - LP: #1434595
  * Bluetooth: Add support for Broadcom BCM20702A1 variant - LP: #1434595
  * Bluetooth: Add support for Broadcom BCM20702A0 variants firmware download - LP: #1434595
  * Bluetooth: btusb: Add support for Dynex/Insignia USB dongles -
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Changed in: hwe-next/trusty
       Status: Fix Committed => Fix Released

--
Status in HWE Next Project:
  Fix Released
Status in HWE Next trusty series:
  Fix Released
Status in HWE Next utopic series:
  Fix Committed
Status in HWE Next vivid series:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Utopic:
  Fix Committed
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
This bug was fixed in the package linux - 3.13.0-49.81

---
linux (3.13.0-49.81) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug - LP: #1436016

  [ Alex Hung ]

  * SAUCE: ACPI / blacklist: blacklist Win8 OSI for HP Pavilion dv6 - LP: #1416940

  [ Andy Whitcroft ]

  * [Packaging] generate live watchdog blacklists - LP: #1432837

  [ Ben Widawsky ]

  * SAUCE: i915_bdw: drm/i915/bdw: enable eDRAM. - LP: #1430855

  [ Chris J Arges ]

  * [Config] Add ibmvfc to d-i - LP: #1416001

  [ Seth Forshee ]

  * [Config] updateconfigs - enable X86_UP_APIC_MSI

  [ Upstream Kernel Changes ]

  * net: add sysfs helpers for netdev_adjacent logic - LP: #1410852
  * net: Mark functions as static in core/dev.c - LP: #1410852
  * net: rename sysfs symlinks on device name change - LP: #1410852
  * btrfs: fix null pointer dereference in clone_fs_devices when name is null - LP: #1429804
  * cdc-acm: add sanity checks - LP: #1413992
  * x86: thinkpad_acpi.c: fixed spacing coding style issue - LP: #1417915
  * thinkpad_acpi: support new BIOS version string pattern - LP: #1417915
  * net: sctp: fix slab corruption from use after free on INIT collisions - LP: #1416506 - CVE-2015-1421
  * ipv4: try to cache dst_entries which would cause a redirect - LP: #1420027 - CVE-2015-1465
  * x86, mm/ASLR: Fix stack randomization on 64-bit systems - LP: #1423757 - CVE-2015-1593
  * net: llc: use correct size for sysctl timeout entries - LP: #1425271 - CVE-2015-2041
  * net: rds: use correct size for max unacked packets and bytes - LP: #1425274 - CVE-2015-2042
  * Btrfs: clear compress-force when remounting with compress option - LP: #1434183
  * ext4: merge uninitialized extents - LP: #1430184
  * btrfs: filter invalid arg for btrfs resize - LP: #1435441
  * Bluetooth: Add firmware update for Atheros 0cf3:311f
  * Bluetooth: btusb: Add IMC Networks (Broadcom based)
  * Bluetooth: sort the list of IDs in the source code
  * Bluetooth: append new supported device to the list [0b05:17d0]
  * Bluetooth: Add support for Intel bootloader devices
  * Bluetooth: Ignore isochronous endpoints for Intel USB bootloader
  * Bluetooth: Add support for Acer [13D3:3432]
  * Bluetooth: Add support for Broadcom device of Asus Z97-DELUXE motherboard
  * Add a new PID/VID 0227/0930 for AR3012.
  * Bluetooth: Add support for Acer [0489:e078]
  * Bluetooth: Add USB device 04ca:3010 as Atheros AR3012
  * x86: mm: move mmap_sem unlock from mm_fault_error() to caller
  * vm: add VM_FAULT_SIGSEGV handling support
  * vm: make stack guard page errors return VM_FAULT_SIGSEGV rather than SIGBUS
  * spi/pxa2xx: Clear cur_chip pointer before starting next message
  * spi: dw: Fix detecting FIFO depth
  * spi: dw-mid: fix FIFO size
  * ASoC: wm8960: Fix capture sample rate from 11250 to 11025
  * regulator: core: fix race condition in regulator_put()
  * ASoC: omap-mcbsp: Correct CBM_CFS dai format configuration
  * can: c_can: end pending transmission on network stop (ifdown)
  * nfs: fix dio deadlock when O_DIRECT flag is flipped
  * NFSv4.1: Fix an Oops in nfs41_walk_client_list
  * Input: i8042 - add noloop quirk for Medion Akoya E7225 (MD98857)
  * mac80211: properly set CCK flag in radiotap
  * nl80211: fix per-station group key get/del and memory leak
  * i2c: s3c2410: fix ABBA deadlock by keeping clock prepared
  * usb-storage/SCSI: blacklist FUA on JMicron 152d:2566 USB-SATA controller
  * drm/i915: Only fence tiled region of object.
  * drm/i915: Fix and clean BDW PCH identification
  * drm/i915: BDW Fix Halo PCI IDs marked as ULT.
  * ALSA: seq-dummy: remove deadlock-causing events on close
  * drivers/rtc/rtc-s5m.c: terminate s5m_rtc_id array with empty element
  * drivers: net: cpsw: discard dual emac default vlan configuration
  * can: kvaser_usb: Do not sleep in atomic context
  * can: kvaser_usb: Send correct context to URB completion
  * can: kvaser_usb: Retry the first bulk transfer on -ETIMEDOUT
  * can: kvaser_usb: Fix state handling upon BUS_ERROR events
  * quota: Switch ->get_dqblk() and ->set_dqblk() to use bytes as space units
  * rbd: fix rbd_dev_parent_get() when parent_overlap == 0
  * rbd: drop parent_ref in rbd_dev_unprobe() unconditionally
  * dm cache: fix missing ERR_PTR returns and handling
  * dm thin: don't allow messages to be sent to a pool target in READ_ONLY or FAIL mode
  * net: cls_bpf: fix size mismatch on filter preparation
  * net: cls_bpf: fix auto generation of per list handles
  * ipv6: replacing a rt6_info needs to purge possible propagated rt6_infos too
  * perf: Tighten (and fix) the grouping condition
  * arc: mm: Fix build failure
  * MIPS: IRQ: Fix disable_irq on CPU IRQs
  * Complete oplock break jobs before closing file handle
  * smpboot: Add missing get_online_cpus() in smpboot_register_percpu_thread()
  * ASoC: atmel_ssc_dai: fix start event for I2S mo
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Tags removed: verification-needed-trusty verification-needed-utopic
** Tags added: verification-done-trusty verification-done-utopic

--
Status in HWE Next Project:
  Fix Released
Status in HWE Next trusty series:
  Fix Committed
Status in HWE Next utopic series:
  Fix Committed
Status in HWE Next vivid series:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!

** Tags added: verification-needed-trusty

** Tags added: verification-needed-utopic

--
Status in HWE Next Project:
  Fix Released
Status in HWE Next trusty series:
  Fix Committed
Status in HWE Next utopic series:
  Fix Committed
Status in HWE Next vivid series:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-utopic' to 'verification-done-utopic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!

--
Status in HWE Next Project:
  Fix Released
Status in HWE Next trusty series:
  Fix Committed
Status in HWE Next utopic series:
  Fix Committed
Status in HWE Next vivid series:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Changed in: linux (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Utopic)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Trusty)
     Assignee: (unassigned) => Adam Lee (adam8157)

** Changed in: linux (Ubuntu Utopic)
     Assignee: (unassigned) => Adam Lee (adam8157)

--
Status in HWE Next Project:
  Fix Released
Status in HWE Next trusty series:
  Fix Committed
Status in HWE Next utopic series:
  Fix Committed
Status in HWE Next vivid series:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Utopic)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Trusty)
       Status: New => Fix Committed

** Changed in: linux (Ubuntu Utopic)
       Status: New => Fix Committed

--
Status in HWE Next Project:
  Fix Released
Status in HWE Next trusty series:
  Fix Committed
Status in HWE Next utopic series:
  Fix Committed
Status in HWE Next vivid series:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Changed in: hwe-next/trusty
       Status: In Progress => Fix Committed

** Changed in: hwe-next/utopic
       Status: In Progress => Fix Committed

** Changed in: hwe-next/vivid
       Status: In Progress => Fix Committed

** Changed in: hwe-next/vivid
       Status: Fix Committed => Fix Released

--
Status in HWE Next Project:
  Fix Released
Status in HWE Next trusty series:
  Fix Committed
Status in HWE Next utopic series:
  Fix Committed
Status in HWE Next vivid series:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Changed in: linux (Ubuntu)
       Status: In Progress => Fix Committed

--
Status in HWE Next Project:
  In Progress
Status in HWE Next trusty series:
  In Progress
Status in HWE Next utopic series:
  In Progress
Status in HWE Next vivid series:
  In Progress
Status in linux package in Ubuntu:
  Fix Committed
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
patch has been submitted to kernel-team@

--
Status in HWE Next Project:
  In Progress
Status in HWE Next trusty series:
  In Progress
Status in HWE Next utopic series:
  In Progress
Status in HWE Next vivid series:
  In Progress
Status in linux package in Ubuntu:
  In Progress
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
patch "cdc-acm: add sanity checks" added to usb-next

Status in HWE Next Project: In Progress
Status in HWE Next trusty series: In Progress
Status in HWE Next utopic series: In Progress
Status in HWE Next vivid series: In Progress
Status in linux package in Ubuntu: In Progress
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Changed in: linux (Ubuntu) Status: Triaged => In Progress
** Changed in: hwe-next/vivid Status: Triaged => In Progress
** Changed in: hwe-next/utopic Status: New => In Progress
** Changed in: hwe-next/trusty Status: New => In Progress
** Changed in: hwe-next/trusty Importance: Undecided => High
** Changed in: hwe-next/utopic Importance: Undecided => High
** Changed in: hwe-next/trusty Assignee: (unassigned) => Adam Lee (adam8157)
** Changed in: hwe-next/utopic Assignee: (unassigned) => Adam Lee (adam8157)

Status in HWE Next Project: In Progress
Status in HWE Next trusty series: In Progress
Status in HWE Next utopic series: In Progress
Status in HWE Next vivid series: In Progress
Status in linux package in Ubuntu: In Progress
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Also affects: hwe-next/vivid Importance: High Assignee: Adam Lee (adam8157) Status: Triaged
** Also affects: hwe-next/trusty Importance: Undecided Status: New
** Also affects: hwe-next/utopic Importance: Undecided Status: New

Status in HWE Next Project: Triaged
Status in HWE Next trusty series: New
Status in HWE Next utopic series: New
Status in HWE Next vivid series: Triaged
Status in linux package in Ubuntu: Triaged
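A bounds-checked walk over the class-specific descriptors quoted in the bug description, added here as a userspace example; it is not the kernel's cdc-acm code or the submitted patch. The names `parse_cdc_extra` and `struct cdc_info`, and the choice to stop at the first descriptor whose bLength is below 2 or overruns the buffer, are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CS_INTERFACE  0x24 /* class-specific interface descriptor type */
#define CDC_CALL_MGMT 0x01 /* Call Management functional descriptor */
#define CDC_UNION     0x06 /* Union functional descriptor */

struct cdc_info {          /* hypothetical result type; -1 means "not found" */
    int call_iface;        /* bDataInterface from Call Management */
    int union_master;      /* bMasterInterface0 from Union */
    int union_slave;       /* bSlaveInterface0 from Union */
};

/* Returns 0 if every descriptor fits in buf[0..len), -1 at the first bad bLength. */
int parse_cdc_extra(const uint8_t *buf, size_t len, struct cdc_info *out)
{
    size_t off = 0;
    out->call_iface = out->union_master = out->union_slave = -1;
    while (off < len) {
        size_t dlen = buf[off];
        if (dlen < 2 || dlen > len - off)
            return -1;
        /* Read a field only if the declared length covers its offset. */
        if (buf[off + 1] == CS_INTERFACE && dlen >= 5) {
            if (buf[off + 2] == CDC_CALL_MGMT)
                out->call_iface = buf[off + 4];
            if (buf[off + 2] == CDC_UNION) {
                out->union_master = buf[off + 3];
                out->union_slave = buf[off + 4];
            }
        }
        off += dlen;
    }
    return 0;
}

/* Bytes 0x12..0x24 of the dump in the bug description. */
const uint8_t reported_extra[] = { 0x05,0x24,0x00,0x10,0x01, 0x04,0x24,0x02,0x06,
                                   0x04,0x24,0x01,0x00,0x01, 0x05,0x24,0x06,0x00,0x01 };
/* Constructed: the same bytes with the Call Management bLength corrected to 5. */
const uint8_t fixed_extra[]    = { 0x05,0x24,0x00,0x10,0x01, 0x04,0x24,0x02,0x06,
                                   0x05,0x24,0x01,0x00,0x01, 0x05,0x24,0x06,0x00,0x01 };
int main(void)
{
    struct cdc_info i;
    int rc = parse_cdc_extra(reported_extra, sizeof reported_extra, &i);
    printf("reported: rc=%d call_iface=%d\n", rc, i.call_iface);
    return 0;
}
```

A caller still has to confirm that any interface number returned here resolves to an existing interface before dereferencing it, which is the second problem listed in the bug description.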