[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Changed in: linux (Ubuntu)
Status: Fix Committed => Fix Released
** Changed in: hwe-next/utopic
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992
Title:
Kernel oopses on access to address 0x8 when cdc-acm device is inserted
with invalid descriptor.
Status in HWE Next Project:
Fix Released
Status in HWE Next trusty series:
Fix Released
Status in HWE Next utopic series:
Fix Released
Status in HWE Next vivid series:
Fix Released
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Trusty:
Fix Released
Status in linux source package in Utopic:
Fix Released
Bug description:
Invalid configuration descriptor as follows:
#+BEGIN_SRC text
09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02 ..C.d...
0010 00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01 ...$$...$...
0020 05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00 .$..
0030 02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02 .@..
0040 20 00 ff ..
#+END_SRC text
In particular, the CDC Call Management Descriptor has its length
declared too short (4 instead of 5), and the following CDC Union
Descriptor is therefore unreachable.
*** Code problems:
1. The ~while (buflen > 0)~ loop that parses the interface aux data
does not perform correct boundary checking. In the above case,
~call_interface_num = buffer[4];~ accesses outside of the
(declared) descriptor content.
2. If a union header is missing, there is no code path that checks
whether the ~data_interface~ (resolved from ~call_interface_num~)
actually exists. Later ~if
(data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
~data_interface~.
ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551
issue 2 was already fixed, issue 1's fix is in progress of upstream
merging, open this bug to track.
To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
This bug was fixed in the package linux - 3.16.0-34.45 --- linux (3.16.0-34.45) utopic; urgency=low [ Luis Henriques ] * Release Tracking Bug - LP: #1435400 [ Andy Whitcroft ] * [Packaging] generate live watchdog blacklists - LP: #1432837 [ Chris J Arges ] * [Config] Add ibmvfc to d-i - LP: #1416001 [ John Johansen ] * SAUCE: (no-up): apparmor: fix mediation of fs unix sockets - LP: #1408833 [ Seth Forshee ] * [Config] updateconfigs - enable X86_UP_APIC_MSI [ Upstream Kernel Changes ] * cdc-acm: add sanity checks - LP: #1413992 * x86: thinkpad_acpi.c: fixed spacing coding style issue - LP: #1417915 * thinkpad_acpi: support new BIOS version string pattern - LP: #1417915 * powernv: Use _GLOBAL_TOC for opal wrappers - LP: #1431196 * Btrfs: clear compress-force when remounting with compress option - LP: #1434183 * Btrfs: send, don't delay dir move if there's a new parent inode - LP: #1434223 * [media] em28xx: fix em28xx-input removal - LP: #1434595 * [media] em28xx: ensure "closing" messages terminate with a newline - LP: #1434595 * [media] em28xx-input: fix missing newlines - LP: #1434595 * [media] em28xx-core: fix missing newlines - LP: #1434595 * [media] em28xx-audio: fix missing newlines - LP: #1434595 * [media] em28xx-audio: fix missing newlines - LP: #1434595 * [media] em28xx-dvb: fix missing newlines - LP: #1434595 * [media] em28xx-video: fix missing newlines - LP: #1434595 * ARM: pxa: add regulator_has_full_constraints to corgi board file - LP: #1434595 * ARM: pxa: add regulator_has_full_constraints to poodle board file - LP: #1434595 * ARM: pxa: add regulator_has_full_constraints to spitz board file - LP: #1434595 * hx4700: regulator: declare full constraints - LP: #1434595 * HID: input: fix confusion on conflicting mappings - LP: #1434595 * HID: fixup the conflicting keyboard mappings quirk - LP: #1434595 * ARM: dts: tegra20: fix GR3D, DSI unit and reg base addresses - LP: #1434595 * megaraid_sas: disable interrupt_mask before enabling hardware interrupts - LP: #1434595 * PCI: Generate uppercase hex for modalias var in uevent - LP: #1434595 * usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN - LP: #1434595 * tty/serial: at91: enable peripheral clock before accessing I/O registers - LP: #1434595 * tty/serial: at91: fix error handling in atmel_serial_probe() - LP: #1434595 * axonram: Fix bug in direct_access - LP: #1434595 * btrfs: fix leak of path in btrfs_find_item - LP: #1434595 * ksoftirqd: Enable IRQs and call cond_resched() before poking RCU - LP: #1434595 * TPM: Add new TPMs to the tail of the list to prevent inadvertent change of dev - LP: #1434595 * char: tpm: Add missing error check for devm_kzalloc - LP: #1434595 * tpm_tis: verify interrupt during init - LP: #1434595 * tpm: Fix NULL return in tpm_ibmvtpm_get_desired_dma - LP: #1434595 * tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send - LP: #1434595 * tpm/tpm_i2c_stm_st33: Add status check when reading data on the FIFO - LP: #1434595 * mmc: sdhci-pxav3: fix unbalanced clock issues during probe - LP: #1434595 * iwlwifi: mvm: validate tid and sta_id in ba_notif - LP: #1434595 * power: gpio-charger: balance enable/disable_irq_wake calls - LP: #1434595 * power: bq24190: Fix ignored supplicants - LP: #1434595 * ARM: DRA7: hwmod: Fix boot crash with DEBUG_LL enabled on UART3 - LP: #1434595 * Bluetooth: ath3k: Add support of AR3012 bluetooth 13d3:3423 device - LP: #1411193, #1434595 * Bluetooth: btusb: Add Broadcom patchram support for ASUSTek devices - LP: #1434595 * cfq-iosched: fix incorrect filing of rt async cfqq - LP: #1434595 * smack: fix possible use after frees in task_security() callers - LP: #1434595 * xfs: ensure buffer types are set correctly - LP: #1434595 * xfs: inode unlink does not set AGI buffer type - LP: #1434595 * xfs: set buf types when converting extent formats - LP: #1434595 * xfs: set superblock buffer type correctly - LP: #1434595 * btrfs: set proper message level for skinny metadata - LP: #1434595 * KVM: s390: base hrtimer on a monotonic clock - LP: #1434595 * KVM: s390: avoid memory leaks if __inject_vm() fails - LP: #1434595 * samsung-laptop: Add use_native_backlight quirk, and enable it on some models - LP: #1434595 * PCI: Fix infinite loop with ROM image of size 0 - LP: #1434595 * USB: cp210x: add ID for RUGGEDCOM USB Serial Console - LP: #1434595 * Bluetooth: Add support for Broadcom BCM20702A1 variant - LP: #1434595 * Bluetooth: Add support for Broadcom BCM20702A0 variants firmware download - LP: #1434595 * Bluetooth: btusb: Add support for Dynex/Insignia USB dongles -
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Changed in: hwe-next/trusty
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992
Title:
Kernel oopses on access to address 0x8 when cdc-acm device is inserted
with invalid descriptor.
Status in HWE Next Project:
Fix Released
Status in HWE Next trusty series:
Fix Released
Status in HWE Next utopic series:
Fix Committed
Status in HWE Next vivid series:
Fix Released
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Trusty:
Fix Released
Status in linux source package in Utopic:
Fix Committed
Bug description:
Invalid configuration descriptor as follows:
#+BEGIN_SRC text
09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02 ..C.d...
0010 00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01 ...$$...$...
0020 05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00 .$..
0030 02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02 .@..
0040 20 00 ff ..
#+END_SRC text
In particular, the CDC Call Management Descriptor has its length
declared too short (4 instead of 5), and the following CDC Union
Descriptor is therefore unreachable.
*** Code problems:
1. The ~while (buflen > 0)~ loop that parses the interface aux data
does not perform correct boundary checking. In the above case,
~call_interface_num = buffer[4];~ accesses outside of the
(declared) descriptor content.
2. If a union header is missing, there is no code path that checks
whether the ~data_interface~ (resolved from ~call_interface_num~)
actually exists. Later ~if
(data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
~data_interface~.
ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551
issue 2 was already fixed, issue 1's fix is in progress of upstream
merging, open this bug to track.
To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
This bug was fixed in the package linux - 3.13.0-49.81 --- linux (3.13.0-49.81) trusty; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1436016 [ Alex Hung ] * SAUCE: ACPI / blacklist: blacklist Win8 OSI for HP Pavilion dv6 - LP: #1416940 [ Andy Whitcroft ] * [Packaging] generate live watchdog blacklists - LP: #1432837 [ Ben Widawsky ] * SAUCE: i915_bdw: drm/i915/bdw: enable eDRAM. - LP: #1430855 [ Chris J Arges ] * [Config] Add ibmvfc to d-i - LP: #1416001 [ Seth Forshee ] * [Config] updateconfigs - enable X86_UP_APIC_MSI [ Upstream Kernel Changes ] * net: add sysfs helpers for netdev_adjacent logic - LP: #1410852 * net: Mark functions as static in core/dev.c - LP: #1410852 * net: rename sysfs symlinks on device name change - LP: #1410852 * btrfs: fix null pointer dereference in clone_fs_devices when name is null - LP: #1429804 * cdc-acm: add sanity checks - LP: #1413992 * x86: thinkpad_acpi.c: fixed spacing coding style issue - LP: #1417915 * thinkpad_acpi: support new BIOS version string pattern - LP: #1417915 * net: sctp: fix slab corruption from use after free on INIT collisions - LP: #1416506 - CVE-2015-1421 * ipv4: try to cache dst_entries which would cause a redirect - LP: #1420027 - CVE-2015-1465 * x86, mm/ASLR: Fix stack randomization on 64-bit systems - LP: #1423757 - CVE-2015-1593 * net: llc: use correct size for sysctl timeout entries - LP: #1425271 - CVE-2015-2041 * net: rds: use correct size for max unacked packets and bytes - LP: #1425274 - CVE-2015-2042 * Btrfs: clear compress-force when remounting with compress option - LP: #1434183 * ext4: merge uninitialized extents - LP: #1430184 * btrfs: filter invalid arg for btrfs resize - LP: #1435441 * Bluetooth: Add firmware update for Atheros 0cf3:311f * Bluetooth: btusb: Add IMC Networks (Broadcom based) * Bluetooth: sort the list of IDs in the source code * Bluetooth: append new supported device to the list [0b05:17d0] * Bluetooth: Add support for Intel bootloader devices * Bluetooth: Ignore isochronous endpoints for Intel USB bootloader * Bluetooth: Add support for Acer [13D3:3432] * Bluetooth: Add support for Broadcom device of Asus Z97-DELUXE motherboard * Add a new PID/VID 0227/0930 for AR3012. * Bluetooth: Add support for Acer [0489:e078] * Bluetooth: Add USB device 04ca:3010 as Atheros AR3012 * x86: mm: move mmap_sem unlock from mm_fault_error() to caller * vm: add VM_FAULT_SIGSEGV handling support * vm: make stack guard page errors return VM_FAULT_SIGSEGV rather than SIGBUS * spi/pxa2xx: Clear cur_chip pointer before starting next message * spi: dw: Fix detecting FIFO depth * spi: dw-mid: fix FIFO size * ASoC: wm8960: Fix capture sample rate from 11250 to 11025 * regulator: core: fix race condition in regulator_put() * ASoC: omap-mcbsp: Correct CBM_CFS dai format configuration * can: c_can: end pending transmission on network stop (ifdown) * nfs: fix dio deadlock when O_DIRECT flag is flipped * NFSv4.1: Fix an Oops in nfs41_walk_client_list * Input: i8042 - add noloop quirk for Medion Akoya E7225 (MD98857) * mac80211: properly set CCK flag in radiotap * nl80211: fix per-station group key get/del and memory leak * i2c: s3c2410: fix ABBA deadlock by keeping clock prepared * usb-storage/SCSI: blacklist FUA on JMicron 152d:2566 USB-SATA controller * drm/i915: Only fence tiled region of object. * drm/i915: Fix and clean BDW PCH identification * drm/i915: BDW Fix Halo PCI IDs marked as ULT. * ALSA: seq-dummy: remove deadlock-causing events on close * drivers/rtc/rtc-s5m.c: terminate s5m_rtc_id array with empty element * drivers: net: cpsw: discard dual emac default vlan configuration * can: kvaser_usb: Do not sleep in atomic context * can: kvaser_usb: Send correct context to URB completion * can: kvaser_usb: Retry the first bulk transfer on -ETIMEDOUT * can: kvaser_usb: Fix state handling upon BUS_ERROR events * quota: Switch ->get_dqblk() and ->set_dqblk() to use bytes as space units * rbd: fix rbd_dev_parent_get() when parent_overlap == 0 * rbd: drop parent_ref in rbd_dev_unprobe() unconditionally * dm cache: fix missing ERR_PTR returns and handling * dm thin: don't allow messages to be sent to a pool target in READ_ONLY or FAIL mode * net: cls_bpf: fix size mismatch on filter preparation * net: cls_bpf: fix auto generation of per list handles * ipv6: replacing a rt6_info needs to purge possible propagated rt6_infos too * perf: Tighten (and fix) the grouping condition * arc: mm: Fix build failure * MIPS: IRQ: Fix disable_irq on CPU IRQs * Complete oplock break jobs before closing file handle * smpboot: Add missing get_online_cpus() in smpboot_register_percpu_thread() * ASoC: atmel_ssc_dai: fix start event for I2S mo
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Tags removed: verification-needed-trusty verification-needed-utopic
** Tags added: verification-done-trusty verification-done-utopic
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992
Title:
Kernel oopses on access to address 0x8 when cdc-acm device is inserted
with invalid descriptor.
Status in HWE Next Project:
Fix Released
Status in HWE Next trusty series:
Fix Committed
Status in HWE Next utopic series:
Fix Committed
Status in HWE Next vivid series:
Fix Released
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Trusty:
Fix Committed
Status in linux source package in Utopic:
Fix Committed
Bug description:
Invalid configuration descriptor as follows:
#+BEGIN_SRC text
09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02 ..C.d...
0010 00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01 ...$$...$...
0020 05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00 .$..
0030 02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02 .@..
0040 20 00 ff ..
#+END_SRC text
In particular, the CDC Call Management Descriptor has its length
declared too short (4 instead of 5), and the following CDC Union
Descriptor is therefore unreachable.
*** Code problems:
1. The ~while (buflen > 0)~ loop that parses the interface aux data
does not perform correct boundary checking. In the above case,
~call_interface_num = buffer[4];~ accesses outside of the
(declared) descriptor content.
2. If a union header is missing, there is no code path that checks
whether the ~data_interface~ (resolved from ~call_interface_num~)
actually exists. Later ~if
(data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
~data_interface~.
ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551
issue 2 was already fixed, issue 1's fix is in progress of upstream
merging, open this bug to track.
To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
trusty' to 'verification-done-trusty'.
If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!
** Tags added: verification-needed-trusty
** Tags added: verification-needed-utopic
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992
Title:
Kernel oopses on access to address 0x8 when cdc-acm device is inserted
with invalid descriptor.
Status in HWE Next Project:
Fix Released
Status in HWE Next trusty series:
Fix Committed
Status in HWE Next utopic series:
Fix Committed
Status in HWE Next vivid series:
Fix Released
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Trusty:
Fix Committed
Status in linux source package in Utopic:
Fix Committed
Bug description:
Invalid configuration descriptor as follows:
#+BEGIN_SRC text
09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02 ..C.d...
0010 00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01 ...$$...$...
0020 05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00 .$..
0030 02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02 .@..
0040 20 00 ff ..
#+END_SRC text
In particular, the CDC Call Management Descriptor has its length
declared too short (4 instead of 5), and the following CDC Union
Descriptor is therefore unreachable.
*** Code problems:
1. The ~while (buflen > 0)~ loop that parses the interface aux data
does not perform correct boundary checking. In the above case,
~call_interface_num = buffer[4];~ accesses outside of the
(declared) descriptor content.
2. If a union header is missing, there is no code path that checks
whether the ~data_interface~ (resolved from ~call_interface_num~)
actually exists. Later ~if
(data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
~data_interface~.
ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551
issue 2 was already fixed, issue 1's fix is in progress of upstream
merging, open this bug to track.
To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
utopic' to 'verification-done-utopic'.
If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992
Title:
Kernel oopses on access to address 0x8 when cdc-acm device is inserted
with invalid descriptor.
Status in HWE Next Project:
Fix Released
Status in HWE Next trusty series:
Fix Committed
Status in HWE Next utopic series:
Fix Committed
Status in HWE Next vivid series:
Fix Released
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Trusty:
Fix Committed
Status in linux source package in Utopic:
Fix Committed
Bug description:
Invalid configuration descriptor as follows:
#+BEGIN_SRC text
09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02 ..C.d...
0010 00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01 ...$$...$...
0020 05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00 .$..
0030 02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02 .@..
0040 20 00 ff ..
#+END_SRC text
In particular, the CDC Call Management Descriptor has its length
declared too short (4 instead of 5), and the following CDC Union
Descriptor is therefore unreachable.
*** Code problems:
1. The ~while (buflen > 0)~ loop that parses the interface aux data
does not perform correct boundary checking. In the above case,
~call_interface_num = buffer[4];~ accesses outside of the
(declared) descriptor content.
2. If a union header is missing, there is no code path that checks
whether the ~data_interface~ (resolved from ~call_interface_num~)
actually exists. Later ~if
(data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
~data_interface~.
ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551
issue 2 was already fixed, issue 1's fix is in progress of upstream
merging, open this bug to track.
To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Changed in: linux (Ubuntu Trusty)
Importance: Undecided => High
** Changed in: linux (Ubuntu Utopic)
Importance: Undecided => High
** Changed in: linux (Ubuntu Trusty)
Assignee: (unassigned) => Adam Lee (adam8157)
** Changed in: linux (Ubuntu Utopic)
Assignee: (unassigned) => Adam Lee (adam8157)
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992
Title:
Kernel oopses on access to address 0x8 when cdc-acm device is inserted
with invalid descriptor.
Status in HWE Next Project:
Fix Released
Status in HWE Next trusty series:
Fix Committed
Status in HWE Next utopic series:
Fix Committed
Status in HWE Next vivid series:
Fix Released
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Trusty:
Fix Committed
Status in linux source package in Utopic:
Fix Committed
Bug description:
Invalid configuration descriptor as follows:
#+BEGIN_SRC text
09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02 ..C.d...
0010 00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01 ...$$...$...
0020 05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00 .$..
0030 02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02 .@..
0040 20 00 ff ..
#+END_SRC text
In particular, the CDC Call Management Descriptor has its length
declared too short (4 instead of 5), and the following CDC Union
Descriptor is therefore unreachable.
*** Code problems:
1. The ~while (buflen > 0)~ loop that parses the interface aux data
does not perform correct boundary checking. In the above case,
~call_interface_num = buffer[4];~ accesses outside of the
(declared) descriptor content.
2. If a union header is missing, there is no code path that checks
whether the ~data_interface~ (resolved from ~call_interface_num~)
actually exists. Later ~if
(data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
~data_interface~.
ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551
issue 2 was already fixed, issue 1's fix is in progress of upstream
merging, open this bug to track.
To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Also affects: linux (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Utopic)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Trusty)
Status: New => Fix Committed
** Changed in: linux (Ubuntu Utopic)
Status: New => Fix Committed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992
Title:
Kernel oopses on access to address 0x8 when cdc-acm device is inserted
with invalid descriptor.
Status in HWE Next Project:
Fix Released
Status in HWE Next trusty series:
Fix Committed
Status in HWE Next utopic series:
Fix Committed
Status in HWE Next vivid series:
Fix Released
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Trusty:
Fix Committed
Status in linux source package in Utopic:
Fix Committed
Bug description:
Invalid configuration descriptor as follows:
#+BEGIN_SRC text
09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02 ..C.d...
0010 00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01 ...$$...$...
0020 05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00 .$..
0030 02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02 .@..
0040 20 00 ff ..
#+END_SRC text
In particular, the CDC Call Management Descriptor has its length
declared too short (4 instead of 5), and the following CDC Union
Descriptor is therefore unreachable.
*** Code problems:
1. The ~while (buflen > 0)~ loop that parses the interface aux data
does not perform correct boundary checking. In the above case,
~call_interface_num = buffer[4];~ accesses outside of the
(declared) descriptor content.
2. If a union header is missing, there is no code path that checks
whether the ~data_interface~ (resolved from ~call_interface_num~)
actually exists. Later ~if
(data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
~data_interface~.
ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551
issue 2 was already fixed, issue 1's fix is in progress of upstream
merging, open this bug to track.
To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Changed in: hwe-next/trusty
Status: In Progress => Fix Committed
** Changed in: hwe-next/utopic
Status: In Progress => Fix Committed
** Changed in: hwe-next/vivid
Status: In Progress => Fix Committed
** Changed in: hwe-next/vivid
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992
Title:
Kernel oopses on access to address 0x8 when cdc-acm device is inserted
with invalid descriptor.
Status in HWE Next Project:
Fix Released
Status in HWE Next trusty series:
Fix Committed
Status in HWE Next utopic series:
Fix Committed
Status in HWE Next vivid series:
Fix Released
Status in linux package in Ubuntu:
Fix Committed
Bug description:
Invalid configuration descriptor as follows:
#+BEGIN_SRC text
09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02 ..C.d...
0010 00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01 ...$$...$...
0020 05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00 .$..
0030 02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02 .@..
0040 20 00 ff ..
#+END_SRC text
In particular, the CDC Call Management Descriptor has its length
declared too short (4 instead of 5), and the following CDC Union
Descriptor is therefore unreachable.
*** Code problems:
1. The ~while (buflen > 0)~ loop that parses the interface aux data
does not perform correct boundary checking. In the above case,
~call_interface_num = buffer[4];~ accesses outside of the
(declared) descriptor content.
2. If a union header is missing, there is no code path that checks
whether the ~data_interface~ (resolved from ~call_interface_num~)
actually exists. Later ~if
(data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
~data_interface~.
ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551
issue 2 was already fixed, issue 1's fix is in progress of upstream
merging, open this bug to track.
To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Changed in: linux (Ubuntu)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992
Title:
Kernel oopses on access to address 0x8 when cdc-acm device is inserted
with invalid descriptor.
Status in HWE Next Project:
In Progress
Status in HWE Next trusty series:
In Progress
Status in HWE Next utopic series:
In Progress
Status in HWE Next vivid series:
In Progress
Status in linux package in Ubuntu:
Fix Committed
Bug description:
Invalid configuration descriptor as follows:
#+BEGIN_SRC text
09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02 ..C.d...
0010 00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01 ...$$...$...
0020 05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00 .$..
0030 02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02 .@..
0040 20 00 ff ..
#+END_SRC text
In particular, the CDC Call Management Descriptor has its length
declared too short (4 instead of 5), and the following CDC Union
Descriptor is therefore unreachable.
*** Code problems:
1. The ~while (buflen > 0)~ loop that parses the interface aux data
does not perform correct boundary checking. In the above case,
~call_interface_num = buffer[4];~ accesses outside of the
(declared) descriptor content.
2. If a union header is missing, there is no code path that checks
whether the ~data_interface~ (resolved from ~call_interface_num~)
actually exists. Later ~if
(data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
~data_interface~.
ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551
issue 2 was already fixed, issue 1's fix is in progress of upstream
merging, open this bug to track.
To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
patch has been submitted to kernel-team@
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992
Title:
Kernel oopses on access to address 0x8 when cdc-acm device is inserted
with invalid descriptor.
Status in HWE Next Project:
In Progress
Status in HWE Next trusty series:
In Progress
Status in HWE Next utopic series:
In Progress
Status in HWE Next vivid series:
In Progress
Status in linux package in Ubuntu:
In Progress
Bug description:
Invalid configuration descriptor as follows:
#+BEGIN_SRC text
09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02 ..C.d...
0010 00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01 ...$$...$...
0020 05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00 .$..
0030 02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02 .@..
0040 20 00 ff ..
#+END_SRC text
In particular, the CDC Call Management Descriptor has its length
declared too short (4 instead of 5), and the following CDC Union
Descriptor is therefore unreachable.
*** Code problems:
1. The ~while (buflen > 0)~ loop that parses the interface aux data
does not perform correct boundary checking. In the above case,
~call_interface_num = buffer[4];~ accesses outside of the
(declared) descriptor content.
2. If a union header is missing, there is no code path that checks
whether the ~data_interface~ (resolved from ~call_interface_num~)
actually exists. Later ~if
(data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
~data_interface~.
ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551
issue 2 was already fixed, issue 1's fix is in progress of upstream
merging, open this bug to track.
To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
patch "cdc-acm: add sanity checks" added to usb-next
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992
Title:
Kernel oopses on access to address 0x8 when cdc-acm device is inserted
with invalid descriptor.
Status in HWE Next Project:
In Progress
Status in HWE Next trusty series:
In Progress
Status in HWE Next utopic series:
In Progress
Status in HWE Next vivid series:
In Progress
Status in linux package in Ubuntu:
In Progress
Bug description:
Invalid configuration descriptor as follows:
#+BEGIN_SRC text
09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02 ..C.d...
0010 00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01 ...$$...$...
0020 05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00 .$..
0030 02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02 .@..
0040 20 00 ff ..
#+END_SRC text
In particular, the CDC Call Management Descriptor has its length
declared too short (4 instead of 5), and the following CDC Union
Descriptor is therefore unreachable.
*** Code problems:
1. The ~while (buflen > 0)~ loop that parses the interface aux data
does not perform correct boundary checking. In the above case,
~call_interface_num = buffer[4];~ accesses outside of the
(declared) descriptor content.
2. If a union header is missing, there is no code path that checks
whether the ~data_interface~ (resolved from ~call_interface_num~)
actually exists. Later ~if
(data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
~data_interface~.
ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551
issue 2 was already fixed, issue 1's fix is in progress of upstream
merging, open this bug to track.
To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Changed in: linux (Ubuntu)
Status: Triaged => In Progress
** Changed in: hwe-next/vivid
Status: Triaged => In Progress
** Changed in: hwe-next/utopic
Status: New => In Progress
** Changed in: hwe-next/trusty
Status: New => In Progress
** Changed in: hwe-next/trusty
Importance: Undecided => High
** Changed in: hwe-next/utopic
Importance: Undecided => High
** Changed in: hwe-next/trusty
Assignee: (unassigned) => Adam Lee (adam8157)
** Changed in: hwe-next/utopic
Assignee: (unassigned) => Adam Lee (adam8157)
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992
Title:
Kernel oopses on access to address 0x8 when cdc-acm device is inserted
with invalid descriptor.
Status in HWE Next Project:
In Progress
Status in HWE Next trusty series:
In Progress
Status in HWE Next utopic series:
In Progress
Status in HWE Next vivid series:
In Progress
Status in linux package in Ubuntu:
In Progress
Bug description:
Invalid configuration descriptor as follows:
#+BEGIN_SRC text
09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02 ..C.d...
0010 00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01 ...$$...$...
0020 05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00 .$..
0030 02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02 .@..
0040 20 00 ff ..
#+END_SRC text
In particular, the CDC Call Management Descriptor has its length
declared too short (4 instead of 5), and the following CDC Union
Descriptor is therefore unreachable.
*** Code problems:
1. The ~while (buflen > 0)~ loop that parses the interface aux data
does not perform correct boundary checking. In the above case,
~call_interface_num = buffer[4];~ accesses outside of the
(declared) descriptor content.
2. If a union header is missing, there is no code path that checks
whether the ~data_interface~ (resolved from ~call_interface_num~)
actually exists. Later ~if
(data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
~data_interface~.
ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551
issue 2 was already fixed, issue 1's fix is in progress of upstream
merging, open this bug to track.
To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
** Also affects: hwe-next/vivid
Importance: High
Assignee: Adam Lee (adam8157)
Status: Triaged
** Also affects: hwe-next/trusty
Importance: Undecided
Status: New
** Also affects: hwe-next/utopic
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992
Title:
Kernel oopses on access to address 0x8 when cdc-acm device is inserted
with invalid descriptor.
Status in HWE Next Project:
Triaged
Status in HWE Next trusty series:
New
Status in HWE Next utopic series:
New
Status in HWE Next vivid series:
Triaged
Status in linux package in Ubuntu:
Triaged
Bug description:
Invalid configuration descriptor as follows:
#+BEGIN_SRC text
09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02 ..C.d...
0010 00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01 ...$$...$...
0020 05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00 .$..
0030 02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02 .@..
0040 20 00 ff ..
#+END_SRC text
In particular, the CDC Call Management Descriptor has its length
declared too short (4 instead of 5), and the following CDC Union
Descriptor is therefore unreachable.
*** Code problems:
1. The ~while (buflen > 0)~ loop that parses the interface aux data
does not perform correct boundary checking. In the above case,
~call_interface_num = buffer[4];~ accesses outside of the
(declared) descriptor content.
2. If a union header is missing, there is no code path that checks
whether the ~data_interface~ (resolved from ~call_interface_num~)
actually exists. Later ~if
(data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
~data_interface~.
ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551
issue 2 was already fixed, issue 1's fix is in progress of upstream
merging, open this bug to track.
To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
