[Kernel-packages] [Bug 1460657] Re: possible infinite loop when parsing CDC headers

2015-07-23 Thread Andy Whitcroft
** Tags removed: kernel-bug-break-fix

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1460657

Title:
  possible infinite loop when parsing CDC headers

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Utopic:
  Fix Released
Status in linux source package in Vivid:
  Fix Released

Bug description:
  Bug #1413992 's patch introduced a possible infinite loop.

  commit 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e
  Author: Quentin Casasnovas quentin.casasno...@oracle.com
  Date:   Tue Apr 14 11:25:43 2015 +0200

  cdc-acm: prevent infinite loop when parsing CDC headers.

  Phil and I found out a problem with commit:

    7e860a6e7aa6 (cdc-acm: add sanity checks)

  It added some sanity checks to ignore potential garbage in CDC headers but
  also introduced a potential infinite loop.  This can happen at the first
  loop iteration (elength = 0 in that case) if the description isn't a
  DT_CS_INTERFACE or later if 'buffer[0]' is zero.

  It should also be noted that the wrong length was being added to 'buffer'
  in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
  assigned after that check in the loop.

  A specially crafted USB device could be used to trigger this
  infinite loop.

  Fixes: 7e860a6e7aa6 (cdc-acm: add sanity checks)
  Signed-off-by: Phil Turnbull phil.turnb...@oracle.com
  Signed-off-by: Quentin Casasnovas quentin.casasno...@oracle.com
  CC: Sergei Shtylyov sergei.shtyl...@cogentembedded.com
  CC: Oliver Neukum oneu...@suse.de
  CC: Adam Lee adam8...@gmail.com
  CC: sta...@vger.kernel.org
  Signed-off-by: Greg Kroah-Hartman gre...@linuxfoundation.org

  ===
  break-fix: 7e860a6e7aa62b337a61110430cd633db5b0d2dd 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1460657/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
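
The loop behaviour described in the commit message above, as an added example that is not part of the original thread and is not the cdc-acm driver source: a user-space C model of a descriptor walk that reads the length only after the type check, beside a variant that reads the length first and always advances by at least one byte. The function names, the watchdog and the sample buffers are constructed for illustration; the thread does not show the patch itself, so the second function is one way to guarantee progress, not a copy of the fix.

```c
/* Added illustration: user-space model, not the cdc-acm driver source. */
#include <stdint.h>
#include <stdio.h>

#define DT_CS_INTERFACE 0x24 /* USB class-specific interface descriptor type */
#define WALK_STUCK (-1)      /* demo watchdog fired: the loop stopped advancing */

/* Constructed sample buffers; each descriptor is [bLength, bDescriptorType, ...]. */
static const uint8_t first_not_cs[] = { 0x03, 0x04, 0x00,
                                        0x05, 0x24, 0x00, 0x10, 0x01 };
static const uint8_t zero_length[]  = { 0x05, 0x24, 0x00, 0x10, 0x01,
                                        0x00, 0x24, 0x00 };
static const uint8_t stale_length[] = { 0x05, 0x24, 0x00, 0x10, 0x01,
                                        0x03, 0x04, 0x00,
                                        0x04, 0x24, 0x01, 0x00 };

/*
 * Loop shape the commit message describes as broken: elength starts at 0 and
 * is assigned only after the type check. Returns the number of
 * DT_CS_INTERFACE descriptors seen, or WALK_STUCK. A walk that consumes at
 * least one byte per pass needs at most buflen passes, so the watchdog only
 * fires when the loop has stopped making progress.
 */
int walk_before_fix(const uint8_t *buf, int buflen)
{
    int off = 0, remaining = buflen, elength = 0, found = 0, steps = 0;

    while (remaining > 0) {
        if (steps++ >= buflen)
            return WALK_STUCK;
        /* remaining < 2 is a bounds guard added for this model only */
        if (remaining < 2 || buf[off + 1] != DT_CS_INTERFACE)
            goto next_desc; /* elength is 0 or left over from the last descriptor */
        elength = buf[off];
        found++;
next_desc:
        remaining -= elength;
        off += elength;
    }
    return found;
}

/*
 * Variant that reads the length before any check and treats a zero length as
 * a single garbage byte, so every pass consumes at least one byte.
 */
int walk_after_fix(const uint8_t *buf, int buflen)
{
    int off = 0, remaining = buflen, elength, found = 0, steps = 0;

    while (remaining > 0) {
        if (steps++ >= buflen)
            return WALK_STUCK; /* unreachable here; kept so both walks are comparable */
        elength = buf[off];
        if (elength == 0) {
            elength = 1;       /* skip one garbage byte */
            goto next_desc;
        }
        if (remaining < 2 || buf[off + 1] != DT_CS_INTERFACE)
            goto next_desc;    /* skip using this descriptor's own length */
        found++;
next_desc:
        remaining -= elength;
        off += elength;
    }
    return found;
}

int main(void)
{
    printf("first descriptor not CS_INTERFACE: before=%d after=%d\n",
           walk_before_fix(first_not_cs, (int)sizeof(first_not_cs)),
           walk_after_fix(first_not_cs, (int)sizeof(first_not_cs)));
    printf("zero bLength after a valid header: before=%d after=%d\n",
           walk_before_fix(zero_length, (int)sizeof(zero_length)),
           walk_after_fix(zero_length, (int)sizeof(zero_length)));
    printf("stale length on a skipped header:  before=%d after=%d\n",
           walk_before_fix(stale_length, (int)sizeof(stale_length)),
           walk_after_fix(stale_length, (int)sizeof(stale_length)));
    return 0;
}
```

The third buffer shows the second problem the commit message mentions: the earlier loop terminates but skips by the previous descriptor's length and misses the final DT_CS_INTERFACE header.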


[Kernel-packages] [Bug 1460657] Re: possible infinite loop when parsing CDC headers

2015-07-06 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.13.0-57.95

---
linux (3.13.0-57.95) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
- LP: #1466592

  [ Brad Figg ]

  * Merged back Ubuntu-3.13.0-55.94 regression fix for security release

linux (3.13.0-56.93) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
- LP: #1465798

  [ Upstream Kernel Changes ]

  * net: eth: xgene: devm_ioremap() returns NULL on error
- LP: #1458042
  * drivers: net: xgene: fix new firmware backward compatibility with older
driver
- LP: #1458042
  * drivers: net: xgene: constify of_device_id array
- LP: #1458042
  * drivers: net: xgene: Add second SGMII based 1G interface
- LP: #1458042
  * net: phy: re-design phy_modes to be self-contained
- LP: #1458042
  * dtb: change binding name to match with newer firmware DT
- LP: #1458042
  * dtb: xgene: Add second SGMII based 1G interface node
- LP: #1458042
  * Btrfs: make xattr replace operations atomic
- LP: #1438501
- CVE-2014-9710
  * cdc-acm: prevent infinite loop when parsing CDC headers.
- LP: #1460657
  * (upstream) libata: Blacklist queued TRIM on all Samsung 800-series
- LP: #1338706, #1449005
  * ahci: avoton port-disable reset-quirk
- LP: #1458617
  * xfs: avoid false quotacheck after unclean shutdown
- LP: #1461730
  * (upstream)[SCSI] Add timeout to avoid infinite command retry
- LP: #1449372
  * (upstream)scsi_lib: remove the description string in
scsi_io_completion()
- LP: #1449372
  * udf: Remove repeated loads blocksize
- LP: #1462173
- CVE-2015-4167
  * udf: Check length of extended attributes and allocation descriptors
- LP: #1462173
- CVE-2015-4167
  * vfs: read file_handle only once in handle_to_path
- LP: #1416503
- CVE-2015-1420
  * ozwpan: Use unsigned ints to prevent heap overflow
- LP: #1463442
- CVE-2015-4001
  * ozwpan: divide-by-zero leading to panic
- LP: #1463445
- CVE-2015-4003
  * ozwpan: Use proper check to prevent heap overflow
- LP: #1463444
- CVE-2015-4002
  * ozwpan: unchecked signed subtraction leads to DoS
- LP: #1463444
- CVE-2015-4002
  * Input: elantech - add new icbody type
- LP: #1464490
  * Bluetooth: ath3k: Add support Atheros AR5B195 combo Mini PCIe card
- LP: #1465796
  * power_supply: twl4030_madc: Check return value of power_supply_register
- LP: #1465796
  * power_supply: lp8788-charger: Fix leaked power supply on probe fail
- LP: #1465796
  * ARM: dts: dove: Fix uart[23] reg property
- LP: #1465796
  * xtensa: xtfpga: fix hardware lockup caused by LCD driver
- LP: #1465796
  * Drivers: hv: vmbus: Fix a bug in the error path in vmbus_open()
- LP: #1465796
  * xtensa: provide __NR_sync_file_range2 instead of __NR_sync_file_range
- LP: #1465796
  * KVM: s390: Zero out current VMDB of STSI before including level3 data.
- LP: #1465796
  * usb: musb: core: fix TX/RX endpoint order
- LP: #1465796
  * drm/radeon: fix doublescan modes (v2)
- LP: #1465796
  * usb: phy: Find the right match in devm_usb_phy_match
- LP: #1465796
  * tools lib traceevent kbuffer: Remove extra update to data pointer in
PADDING
- LP: #1465796
  * ring-buffer: Replace this_cpu_*() with __this_cpu_*()
- LP: #1465796
  * ASoC: wm8741: Fix rates constraints values
- LP: #1465796
  * cdc-wdm: fix endianness bug in debug statements
- LP: #1465796
  * staging: panel: fix lcd type
- LP: #1465796
  * UBI: account for bitflips in both the VID header and data
- LP: #1465796
  * UBI: fix out of bounds write
- LP: #1465796
  * UBI: initialize LEB number variable
- LP: #1465796
  * UBI: fix check for too many bytes
- LP: #1465796
  * ARM: S3C64XX: Use fixed IRQ bases to avoid conflicts on Cragganmore
- LP: #1465796
  * ASoC: davinci-evm: drop un-necessary remove function
- LP: #1465796
  * iscsi-target: Convert iscsi_thread_set usage to kthread.h
- LP: #1465796
  * Drivers: hv: vmbus: Don't wait after requesting offers
- LP: #1465796
  * Btrfs: fix log tree corruption when fs mounted with -o discard
- LP: #1465796
  * btrfs: don't accept bare namespace as a valid xattr
- LP: #1465796
  * ARM: 8320/1: fix integer overflow in ELF_ET_DYN_BASE
- LP: #1465796
  * rtlwifi: rtl8192cu: Add new USB ID
- LP: #1465796
  * MIPS: Hibernate: flush TLB entries earlier
- LP: #1465796
  * ASoC: cs4271: Increase delay time after reset
- LP: #1465796
  * stk1160: Make sure current buffer is released
- LP: #1465796
  * mnt: Improve the umount_tree flags
- LP: #1465796
  * ext4: make fsync to sync parent dir in no-journal for real this time
- LP: #1465796
  * Input: elantech - fix absolute mode setting on some ASUS laptops
- LP: #1465796
  * usb: define a generic USB_RESUME_TIMEOUT macro
- LP: #1465796
  * usb: host: xhci: use new USB_RESUME_TIMEOUT
- LP: #1465796
  * usb: host: 

[Kernel-packages] [Bug 1460657] Re: possible infinite loop when parsing CDC headers

2015-07-06 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.16.0-43.58

---
linux (3.16.0-43.58) utopic; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
- LP: #1466792

  [ Brad Figg ]

  * Merged back Ubuntu-3.16.0-41.57 regression fix for security release

linux (3.16.0-42.56) utopic; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
- LP: #1465714

  [ Chris J Arges ]

  * [config] CONFIG_IPMI_POWERNV=m on ppc64el
- LP: #1439562

  [ Luis Henriques ]

  * [Config] Disable CONFIG_USB_OTG
- LP: #1411295

  [ Upstream Kernel Changes ]

  * Revert i2c: Mark adapter devices with pm_runtime_no_callbacks
- LP: #1465613
  * Revert mm/hugetlb: use pmd_page() in follow_huge_pmd()
- LP: #1465613
  * cdc-acm: prevent infinite loop when parsing CDC headers.
- LP: #1460657
  * drivers/char/ipmi: Add powernv IPMI driver
- LP: #1439562
  * powerpc/powernv: Add OPAL IPMI interface
- LP: #1439562
  * powerpc/powernv: Support OPAL requested heartbeat
- LP: #1439562
  * powerpc/kernel: Make syscall_exit a local label
- LP: #1439562
  * powerpc: Remove old compile time disabled syscall tracing code
- LP: #1439562
  * powerpc/powernv: Remove opal prefix from pr_xxx()s
- LP: #1439562
  * powerpc/powernv: Separate function for OPAL IRQ setup
- LP: #1439562
  * powerpc/powernv: Add OPAL message notifier unregister function
- LP: #1439562
  * device: Add dev_of_node() accessor
- LP: #1439562
  * drivers/core/of: Add symlink to device-tree from devices with an OF
node
- LP: #1439562
  * powerpc: Add a proper syscall for switching endianness
- LP: #1439562
  * (upstream) libata: Blacklist queued TRIM on all Samsung 800-series
- LP: #1338706, #1449005
  * ahci: avoton port-disable reset-quirk
- LP: #1458617
  * udf: Remove repeated loads blocksize
- LP: #1462173
- CVE-2015-4167
  * udf: Check length of extended attributes and allocation descriptors
- LP: #1462173
- CVE-2015-4167
  * (upstream)scsi_lib: remove the description string in
scsi_io_completion()
- LP: #1449372
  * vfs: read file_handle only once in handle_to_path
- LP: #1416503
- CVE-2015-1420
  * ozwpan: Use unsigned ints to prevent heap overflow
- LP: #1463442
- CVE-2015-4001
  * ozwpan: divide-by-zero leading to panic
- LP: #1463445
- CVE-2015-4003
  * ozwpan: Use proper check to prevent heap overflow
- LP: #1463444
- CVE-2015-4002
  * ozwpan: unchecked signed subtraction leads to DoS
- LP: #1463444
- CVE-2015-4002
  * net: eth: xgene: devm_ioremap() returns NULL on error
- LP: #1458042
  * drivers: net: xgene: fix new firmware backward compatibility with older
driver
- LP: #1458042
  * drivers: net: xgene: constify of_device_id array
- LP: #1458042
  * drivers: net: xgene: Add second SGMII based 1G interface
- LP: #1458042
  * dtb: change binding name to match with newer firmware DT
- LP: #1458042
  * dtb: xgene: Add second SGMII based 1G interface node
- LP: #1458042
  * mlx4: Fix tx ring affinity_mask creation
- LP: #1465613
  * net/mlx4_en: Schedule napi when RX buffers allocation fails
- LP: #1465613
  * efi/reboot: Add generic wrapper around EfiResetSystem()
- LP: #1465613
  * efi/reboot: Allow powering off machines using EFI
- LP: #1465613
  * x86/reboot: Add EFI reboot quirk for ACPI Hardware Reduced flag
- LP: #1465613
  * ARC: signal handling robustify
- LP: #1465613
  * UBI: fix soft lockup in ubi_check_volume()
- LP: #1465613
  * mnt: Fail collect_mounts when applied to unmounted mounts
- LP: #1465613
  * ASoC: dapm: Enable autodisable on SOC_DAPM_SINGLE_TLV_AUTODISABLE
- LP: #1465613
  * ASoC: rt5677: add register patch for PLL
- LP: #1465613
  * btrfs: unlock i_mutex after attempting to delete subvolume during send
- LP: #1465613
  * ALSA: hda - Fix mute-LED fixed mode
- LP: #1465613
  * arm64: dma-mapping: always clear allocated buffers
- LP: #1465613
  * ALSA: emu10k1: Fix card shortname string buffer overflow
- LP: #1465613
  * ALSA: emux: Fix mutex deadlock at unloading
- LP: #1465613
  * drm/radeon: add SI DPM quirk for Sapphire R9 270 Dual-X 2G GDDR5
- LP: #1465613
  * SCSI: add 1024 max sectors black list flag
- LP: #1465613
  * 3w-sas: fix command completion race
- LP: #1465613
  * 3w-: fix command completion race
- LP: #1465613
  * 3w-9xxx: fix command completion race
- LP: #1465613
  * uas: Allow uas_use_uas_driver to return usb-storage flags
- LP: #1465613
  * uas: Add US_FL_MAX_SECTORS_240 flag
- LP: #1465613
  * uas: Set max_sectors_240 quirk for ASM1053 devices
- LP: #1465613
  * usb: chipidea: otg: remove mutex unlock and lock while stop and start
role
- LP: #1465613
  * serial: xilinx: Use platform_get_irq to get irq description structure
- LP: #1465613
  * serial: of-serial: Remove device_type = serial registration
- LP: #1465613
  * 

[Kernel-packages] [Bug 1460657] Re: possible infinite loop when parsing CDC headers

2015-06-24 Thread Adam Lee
This patch was in stable tree, and we can't reproduce it actually, so
just waive the verification.

** Tags removed: verification-needed-trusty verification-needed-utopic verification-needed-vivid
** Tags added: verification-done-trusty verification-done-utopic verification-done-vivid

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
Status in linux source package in Vivid:
  Fix Released



[Kernel-packages] [Bug 1460657] Re: possible infinite loop when parsing CDC headers

2015-06-24 Thread Luis Henriques
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-trusty verification-needed-utopic verification-needed-vivid

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
Status in linux source package in Vivid:
  Fix Released



[Kernel-packages] [Bug 1460657] Re: possible infinite loop when parsing CDC headers

2015-06-24 Thread Luis Henriques
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-vivid' to 'verification-done-vivid'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
Status in linux source package in Vivid:
  Fix Released



[Kernel-packages] [Bug 1460657] Re: possible infinite loop when parsing CDC headers

2015-06-24 Thread Luis Henriques
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-utopic' to 'verification-done-utopic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
Status in linux source package in Vivid:
  Fix Released



[Kernel-packages] [Bug 1460657] Re: possible infinite loop when parsing CDC headers

2015-06-21 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/trusty-proposed/linux-lts-vivid

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
Status in linux source package in Vivid:
  Fix Released



[Kernel-packages] [Bug 1460657] Re: possible infinite loop when parsing CDC headers

2015-06-18 Thread Adam Lee
** Changed in: linux (Ubuntu Vivid)
   Status: Fix Committed => Fix Released

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
Status in linux source package in Vivid:
  Fix Released



[Kernel-packages] [Bug 1460657] Re: possible infinite loop when parsing CDC headers

2015-06-18 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.19.0-22.22

---
linux (3.19.0-22.22) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
- LP: #1465755

  [ Tai Nguyen ]

  * SAUCE: power: reset: Add syscon reboot device node for APM X-Gene
platform
- LP: #1463211

  [ Upstream Kernel Changes ]

  * Revert dm crypt: fix deadlock when async crypto algorithm returns
-EBUSY
- LP: #1465696
  * Bluetooth: ath3k: Add a new ID 0cf3:e006 to ath3k list
- LP: #1459934
  * cdc-acm: prevent infinite loop when parsing CDC headers.
- LP: #1460657
  * (upstream) libata: Blacklist queued TRIM on all Samsung 800-series
- LP: #1338706, #1449005
  * powerpc/powernv: Check image loaded or not before calling flash
- LP: #1461553
  * ahci: avoton port-disable reset-quirk
- LP: #1458617
  * Bluetooth: btusb: support public address configuration for ath3012
- LP: #1459937
  * Bluetooth: btusb: Add setup callback for chip init on USB
- LP: #1459937
  * Bluetooth: btusb: Add support for QCA ROME chipset family
- LP: #1459937
  * Bluetooth: btusb: Fix incorrect type in qca_device_info
- LP: #1459937
  * Bluetooth: btusb: Fix minor whitespace issue in QCA ROME device entries
- LP: #1459937
  * Bluetooth: btusb: Add support for 0cf3:e007
- LP: #1459937
  * storvsc: Set the SRB flags correctly when no data transfer is needed
- LP: #1439780
  * vfs: read file_handle only once in handle_to_path
- LP: #1416503
- CVE-2015-1420
  * ozwpan: Use unsigned ints to prevent heap overflow
- LP: #1463442
- CVE-2015-4001
  * ozwpan: divide-by-zero leading to panic
- LP: #1463445
- CVE-2015-4003
  * ozwpan: Use proper check to prevent heap overflow
- LP: #1463444
- CVE-2015-4002
  * ozwpan: unchecked signed subtraction leads to DoS
- LP: #1463444
- CVE-2015-4002
  * enclosure: fix WARN_ON removing an adapter in multi-path devices
- LP: #1415178
  * ASoC: tfa9879: Fix return value check in tfa9879_i2c_probe()
- LP: #1465696
  * ASoC: samsung: s3c24xx-i2s: Fix return value check in
s3c24xx_iis_dev_probe()
- LP: #1465696
  * ASoC: dapm: Enable autodisable on SOC_DAPM_SINGLE_TLV_AUTODISABLE
- LP: #1465696
  * ASoC: rt5677: add register patch for PLL
- LP: #1465696
  * btrfs: unlock i_mutex after attempting to delete subvolume during send
- LP: #1465696
  * ALSA: hda - Fix mute-LED fixed mode
- LP: #1465696
  * ALSA: hda - Add mute-LED mode control to Thinkpad
- LP: #1465696
  * arm64: dma-mapping: always clear allocated buffers
- LP: #1465696
  * ALSA: emu10k1: Fix card shortname string buffer overflow
- LP: #1465696
  * ALSA: emux: Fix mutex deadlock at unloading
- LP: #1465696
  * drm/radeon: Use drm_calloc_ab for CS relocs
- LP: #1465696
  * drm/radeon: adjust pll when audio is not enabled
- LP: #1465696
  * drm/radeon: add SI DPM quirk for Sapphire R9 270 Dual-X 2G GDDR5
- LP: #1465696
  * drm/radeon: fix lockup when BOs aren't part of the VM on release
- LP: #1465696
  * drm/radeon: reset BOs address after clearing it.
- LP: #1465696
  * drm/radeon: check new address before removing old one
- LP: #1465696
  * SCSI: add 1024 max sectors black list flag
- LP: #1465696
  * 3w-sas: fix command completion race
- LP: #1465696
  * 3w-: fix command completion race
- LP: #1465696
  * 3w-9xxx: fix command completion race
- LP: #1465696
  * uas: Allow uas_use_uas_driver to return usb-storage flags
- LP: #1465696
  * uas: Add US_FL_MAX_SECTORS_240 flag
- LP: #1465696
  * uas: Set max_sectors_240 quirk for ASM1053 devices
- LP: #1465696
  * usb: chipidea: otg: remove mutex unlock and lock while stop and start
role
- LP: #1465696
  * serial: xilinx: Use platform_get_irq to get irq description structure
- LP: #1465696
  * serial: of-serial: Remove device_type = serial registration
- LP: #1465696
  * tty/serial: at91: maxburst was missing for dma transfers
- LP: #1465696
  * ALSA: emux: Fix mutex deadlock in OSS emulation
- LP: #1465696
  * ACPI / SBS: Enable battery manager when present
- LP: #1465696
  * ALSA: emu10k1: Emu10k2 32 bit DMA mode
- LP: #1465696
  * ASoC: rt5677: fixed wrong DMIC ref clock
- LP: #1465696
  * rbd: end I/O the entire obj_request on error
- LP: #1465696
  * ext4: fix data corruption caused by unwritten and delayed extents
- LP: #1465696
  * ext4: move check under lock scope to close a race.
- LP: #1465696
  * powerpc/pseries: Correct cpu affinity for dlpar added cpus
- LP: #1465696
  * powerpc/powernv: Restore non-volatile CRs after nap
- LP: #1465696
  * efivarfs: Ensure VariableName is NUL-terminated
- LP: #1465696
  * x86/efi: Store upper bits of command line buffer address in
ext_cmd_line_ptr
- LP: #1465696
  * blk-mq: fix race between timeout and CPU hotplug
- LP: #1465696
  * blk-mq: fix CPU hotplug handling
- LP: #1465696
  * 

[Kernel-packages] [Bug 1460657] Re: possible infinite loop when parsing CDC headers

2015-06-05 Thread Adam Lee
** Changed in: linux (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Utopic)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Vivid)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Trusty)
 Assignee: (unassigned) => Adam Lee (adam8157)

** Changed in: linux (Ubuntu Utopic)
 Assignee: (unassigned) => Adam Lee (adam8157)

** Changed in: linux (Ubuntu Vivid)
 Assignee: (unassigned) => Adam Lee (adam8157)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1460657

Title:
  possible infinite loop when parsing CDC headers

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
Status in linux source package in Vivid:
  Fix Committed

Bug description:
  Bug #1413992 's patch introduced a possible infinite loop.

  commit 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e
  Author: Quentin Casasnovas quentin.casasno...@oracle.com
  Date:   Tue Apr 14 11:25:43 2015 +0200

  cdc-acm: prevent infinite loop when parsing CDC headers.

  Phil and I found out a problem with commit:

    7e860a6e7aa6 (cdc-acm: add sanity checks)

  It added some sanity checks to ignore potential garbage in CDC headers but
  also introduced a potential infinite loop.  This can happen at the first
  loop iteration (elength = 0 in that case) if the description isn't a
  DT_CS_INTERFACE or later if 'buffer[0]' is zero.

  It should also be noted that the wrong length was being added to 'buffer'
  in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
  assigned after that check in the loop.

  A specially crafted USB device could be used to trigger this
  infinite loop.

  Fixes: 7e860a6e7aa6 (cdc-acm: add sanity checks)
  Signed-off-by: Phil Turnbull phil.turnb...@oracle.com
  Signed-off-by: Quentin Casasnovas quentin.casasno...@oracle.com
  CC: Sergei Shtylyov sergei.shtyl...@cogentembedded.com
  CC: Oliver Neukum oneu...@suse.de
  CC: Adam Lee adam8...@gmail.com
  CC: sta...@vger.kernel.org
  Signed-off-by: Greg Kroah-Hartman gre...@linuxfoundation.org

  ===
  break-fix: 7e860a6e7aa62b337a61110430cd633db5b0d2dd 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1460657/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
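
The loop ordering that the commit message above describes can be modelled in user space. This is an added example, not the cdc-acm driver code or the upstream patch: `walk_flawed`, `walk_hardened`, the `STALLED` result, the iteration budget and the sample buffers are constructed for illustration, and 0x24 is the USB class-specific interface descriptor type.

```c
#include <stdint.h>
#include <stdio.h>

#define DT_CS_INTERFACE 0x24  /* class-specific interface descriptor type */
#define STALLED (-1)          /* model-only result: the walk stopped advancing */

/* Constructed sample buffers, each descriptor is [bLength, bDescriptorType, ...] */
static const uint8_t first_not_cs[] = { 0x03, 0x04, 0x00,  0x05, 0x24, 0x00, 0x10, 0x01 };
static const uint8_t zero_length[]  = { 0x05, 0x24, 0x00, 0x10, 0x01,  0x00, 0x24, 0x00 };
static const uint8_t stale_length[] = { 0x05, 0x24, 0x00, 0x10, 0x01,  0x03, 0x04, 0x00,
                                        0x04, 0x24, 0x02, 0x00 };

/* Ordering described in the commit message: type check first, elength after. */
static int walk_flawed(const uint8_t *buffer, int buflen)
{
    int elength = 0, found = 0;
    int budget = 4 * buflen + 4;  /* guard so this model returns instead of spinning */

    while (buflen >= 2) {
        if (budget-- == 0)
            return STALLED;
        if (buffer[1] != DT_CS_INTERFACE)
            goto next_desc;       /* skips by the previous descriptor's length */
        elength = buffer[0];
        found++;
next_desc:
        buflen -= elength;        /* elength == 0 means no forward progress */
        buffer += elength;
    }
    return found;
}

/* Hardened ordering: read the length first and always move forward. */
static int walk_hardened(const uint8_t *buffer, int buflen)
{
    int found = 0;

    while (buflen > 0) {
        int elength = buffer[0];

        if (elength == 0)
            elength = 1;          /* garbage byte: step over it */
        else if (elength > buflen)
            break;                /* descriptor runs past the buffer */
        else if (elength >= 2 && buffer[1] == DT_CS_INTERFACE)
            found++;
        buflen -= elength;
        buffer += elength;
    }
    return found;
}

int main(void)
{
    printf("stale_length: flawed=%d hardened=%d\n",
           walk_flawed(stale_length, (int)sizeof stale_length),
           walk_hardened(stale_length, (int)sizeof stale_length));
    return 0;
}
```

The three buffers map to the three conditions in the commit message: a non-DT_CS_INTERFACE first descriptor, a zero `buffer[0]` later in the walk, and a skipped descriptor advanced by the previous descriptor's length.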


[Kernel-packages] [Bug 1460657] Re: possible infinite loop when parsing CDC headers

2015-06-04 Thread Andy Whitcroft
** Changed in: linux (Ubuntu Trusty)
   Status: Confirmed => Fix Committed

** Changed in: linux (Ubuntu Utopic)
   Status: Confirmed => Fix Committed

** Changed in: linux (Ubuntu Vivid)
   Status: Confirmed => Fix Committed

Title:
  possible infinite loop when parsing CDC headers

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
Status in linux source package in Vivid:
  Fix Committed



[Kernel-packages] [Bug 1460657] Re: possible infinite loop when parsing CDC headers

2015-06-01 Thread Adam Lee
It's already in stable tree now.

Title:
  possible infinite loop when parsing CDC headers

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Trusty:
  New
Status in linux source package in Utopic:
  New
Status in linux source package in Vivid:
  New



[Kernel-packages] [Bug 1460657] Re: possible infinite loop when parsing CDC headers

2015-06-01 Thread Andy Whitcroft
** Description changed:

  Bug #1413992 's patch introduced a possible infinite loop.
  
  commit 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e
  Author: Quentin Casasnovas quentin.casasno...@oracle.com
  Date:   Tue Apr 14 11:25:43 2015 +0200
  
- cdc-acm: prevent infinite loop when parsing CDC headers.
+ cdc-acm: prevent infinite loop when parsing CDC headers.
  
- Phil and I found out a problem with commit:
+ Phil and I found out a problem with commit:
  
-   7e860a6e7aa6 (cdc-acm: add sanity checks)
+   7e860a6e7aa6 (cdc-acm: add sanity checks)
  
- It added some sanity checks to ignore potential garbage in CDC headers but
- also introduced a potential infinite loop.  This can happen at the first
- loop iteration (elength = 0 in that case) if the description isn't a
- DT_CS_INTERFACE or later if 'buffer[0]' is zero.
+ It added some sanity checks to ignore potential garbage in CDC headers but
+ also introduced a potential infinite loop.  This can happen at the first
+ loop iteration (elength = 0 in that case) if the description isn't a
+ DT_CS_INTERFACE or later if 'buffer[0]' is zero.
  
- It should also be noted that the wrong length was being added to 'buffer'
- in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength 
was
- assigned after that check in the loop.
+ It should also be noted that the wrong length was being added to 'buffer'
+ in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength 
was
+ assigned after that check in the loop.
  
- A specially crafted USB device could be used to trigger this
+ A specially crafted USB device could be used to trigger this
  infinite loop.
  
- Fixes: 7e860a6e7aa6 (cdc-acm: add sanity checks)
- Signed-off-by: Phil Turnbull phil.turnb...@oracle.com
- Signed-off-by: Quentin Casasnovas quentin.casasno...@oracle.com
- CC: Sergei Shtylyov sergei.shtyl...@cogentembedded.com
- CC: Oliver Neukum oneu...@suse.de
- CC: Adam Lee adam8...@gmail.com
- CC: sta...@vger.kernel.org
- Signed-off-by: Greg Kroah-Hartman gre...@linuxfoundation.org
+ Fixes: 7e860a6e7aa6 (cdc-acm: add sanity checks)
+ Signed-off-by: Phil Turnbull phil.turnb...@oracle.com
+ Signed-off-by: Quentin Casasnovas quentin.casasno...@oracle.com
+ CC: Sergei Shtylyov sergei.shtyl...@cogentembedded.com
+ CC: Oliver Neukum oneu...@suse.de
+ CC: Adam Lee adam8...@gmail.com
+ CC: sta...@vger.kernel.org
+ Signed-off-by: Greg Kroah-Hartman gre...@linuxfoundation.org
+ 
+ ===
+ break-fix: 7e860a6e7aa62b337a61110430cd633db5b0d2dd 
0d3bba0287d4e284c3ec7d3397e81eec920d5e7e

** Tags added: kernel-bug-break-fix

Title:
  possible infinite loop when parsing CDC headers

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Trusty:
  New
Status in linux source package in Utopic:
  New
Status in linux source package in Vivid:
  New



[Kernel-packages] [Bug 1460657] Re: possible infinite loop when parsing CDC headers

2015-06-01 Thread Andy Whitcroft
** Changed in: linux (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: linux (Ubuntu Utopic)
   Status: New => Confirmed

** Changed in: linux (Ubuntu Vivid)
   Status: New => Confirmed

** Changed in: linux (Ubuntu)
   Status: In Progress => Fix Committed

Title:
  possible infinite loop when parsing CDC headers

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Confirmed
Status in linux source package in Utopic:
  Confirmed
Status in linux source package in Vivid:
  Confirmed



[Kernel-packages] [Bug 1460657] Re: possible infinite loop when parsing CDC headers

2015-06-01 Thread Chris J Arges
** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Utopic)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Vivid)
   Importance: Undecided
   Status: New

Title:
  possible infinite loop when parsing CDC headers

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Trusty:
  New
Status in linux source package in Utopic:
  New
Status in linux source package in Vivid:
  New
