
kernel-packages team mailing list archive

[Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.


This bug was fixed in the package linux - 3.13.0-49.81

---------------
linux (3.13.0-49.81) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1436016

  [ Alex Hung ]

  * SAUCE: ACPI / blacklist: blacklist Win8 OSI for HP Pavilion dv6
    - LP: #1416940

  [ Andy Whitcroft ]

  * [Packaging] generate live watchdog blacklists
    - LP: #1432837

  [ Ben Widawsky ]

  * SAUCE: i915_bdw: drm/i915/bdw: enable eDRAM.
    - LP: #1430855

  [ Chris J Arges ]

  * [Config] Add ibmvfc to d-i
    - LP: #1416001

  [ Seth Forshee ]

  * [Config] updateconfigs - enable X86_UP_APIC_MSI

  [ Upstream Kernel Changes ]

  * net: add sysfs helpers for netdev_adjacent logic
    - LP: #1410852
  * net: Mark functions as static in core/dev.c
    - LP: #1410852
  * net: rename sysfs symlinks on device name change
    - LP: #1410852
  * btrfs: fix null pointer dereference in clone_fs_devices when name is
    null
    - LP: #1429804
  * cdc-acm: add sanity checks
    - LP: #1413992
  * x86: thinkpad_acpi.c: fixed spacing coding style issue
    - LP: #1417915
  * thinkpad_acpi: support new BIOS version string pattern
    - LP: #1417915
  * net: sctp: fix slab corruption from use after free on INIT collisions
    - LP: #1416506
    - CVE-2015-1421
  * ipv4: try to cache dst_entries which would cause a redirect
    - LP: #1420027
    - CVE-2015-1465
  * x86, mm/ASLR: Fix stack randomization on 64-bit systems
    - LP: #1423757
    - CVE-2015-1593
  * net: llc: use correct size for sysctl timeout entries
    - LP: #1425271
    - CVE-2015-2041
  * net: rds: use correct size for max unacked packets and bytes
    - LP: #1425274
    - CVE-2015-2042
  * Btrfs: clear compress-force when remounting with compress option
    - LP: #1434183
  * ext4: merge uninitialized extents
    - LP: #1430184
  * btrfs: filter invalid arg for btrfs resize
    - LP: #1435441
  * Bluetooth: Add firmware update for Atheros 0cf3:311f
  * Bluetooth: btusb: Add IMC Networks (Broadcom based)
  * Bluetooth: sort the list of IDs in the source code
  * Bluetooth: append new supported device to the list [0b05:17d0]
  * Bluetooth: Add support for Intel bootloader devices
  * Bluetooth: Ignore isochronous endpoints for Intel USB bootloader
  * Bluetooth: Add support for Acer [13D3:3432]
  * Bluetooth: Add support for Broadcom device of Asus Z97-DELUXE
    motherboard
  * Add a new PID/VID 0227/0930 for AR3012.
  * Bluetooth: Add support for Acer [0489:e078]
  * Bluetooth: Add USB device 04ca:3010 as Atheros AR3012
  * x86: mm: move mmap_sem unlock from mm_fault_error() to caller
  * vm: add VM_FAULT_SIGSEGV handling support
  * vm: make stack guard page errors return VM_FAULT_SIGSEGV rather than
    SIGBUS
  * spi/pxa2xx: Clear cur_chip pointer before starting next message
  * spi: dw: Fix detecting FIFO depth
  * spi: dw-mid: fix FIFO size
  * ASoC: wm8960: Fix capture sample rate from 11250 to 11025
  * regulator: core: fix race condition in regulator_put()
  * ASoC: omap-mcbsp: Correct CBM_CFS dai format configuration
  * can: c_can: end pending transmission on network stop (ifdown)
  * nfs: fix dio deadlock when O_DIRECT flag is flipped
  * NFSv4.1: Fix an Oops in nfs41_walk_client_list
  * Input: i8042 - add noloop quirk for Medion Akoya E7225 (MD98857)
  * mac80211: properly set CCK flag in radiotap
  * nl80211: fix per-station group key get/del and memory leak
  * i2c: s3c2410: fix ABBA deadlock by keeping clock prepared
  * usb-storage/SCSI: blacklist FUA on JMicron 152d:2566 USB-SATA
    controller
  * drm/i915: Only fence tiled region of object.
  * drm/i915: Fix and clean BDW PCH identification
  * drm/i915: BDW Fix Halo PCI IDs marked as ULT.
  * ALSA: seq-dummy: remove deadlock-causing events on close
  * drivers/rtc/rtc-s5m.c: terminate s5m_rtc_id array with empty element
  * drivers: net: cpsw: discard dual emac default vlan configuration
  * can: kvaser_usb: Do not sleep in atomic context
  * can: kvaser_usb: Send correct context to URB completion
  * can: kvaser_usb: Retry the first bulk transfer on -ETIMEDOUT
  * can: kvaser_usb: Fix state handling upon BUS_ERROR events
  * quota: Switch ->get_dqblk() and ->set_dqblk() to use bytes as space
    units
  * rbd: fix rbd_dev_parent_get() when parent_overlap == 0
  * rbd: drop parent_ref in rbd_dev_unprobe() unconditionally
  * dm cache: fix missing ERR_PTR returns and handling
  * dm thin: don't allow messages to be sent to a pool target in READ_ONLY
    or FAIL mode
  * net: cls_bpf: fix size mismatch on filter preparation
  * net: cls_bpf: fix auto generation of per list handles
  * ipv6: replacing a rt6_info needs to purge possible propagated rt6_infos
    too
  * perf: Tighten (and fix) the grouping condition
  * arc: mm: Fix build failure
  * MIPS: IRQ: Fix disable_irq on CPU IRQs
  * Complete oplock break jobs before closing file handle
  * smpboot: Add missing get_online_cpus() in
    smpboot_register_percpu_thread()
  * ASoC: atmel_ssc_dai: fix start event for I2S mode
  * spi: fsl-dspi: Fix memory leak
  * spi: spi-fsl-dspi: Remove usage of devm_kzalloc
  * ALSA: ak411x: Fix stall in work callback
  * lib/checksum.c: fix carry in csum_tcpudp_nofold
  * MIPS: Fix kernel lockup or crash after CPU offline/online
  * gpio: sysfs: fix memory leak in gpiod_export_link
  * gpio: sysfs: fix memory leak in gpiod_sysfs_set_active_low
  * PCI: Add NEC variants to Stratus ftServer PCIe DMI check
  * ASoC: sgtl5000: add delay before first I2C access
  * PCI: Handle read-only BARs on AMD CS553x devices
  * mm: pagewalk: call pte_hole() for VM_PFNMAP during walk_page_range
  * nilfs2: fix deadlock of segment constructor over I_SYNC flag
  * tcp: ipv4: initialize unicast_sock sk_pacing_rate
  * caif: remove wrong dev_net_set() call
  * qlge: Fix qlge_update_hw_vlan_features to handle if interface is down
  * ip6_gre: fix endianness errors in ip6gre_err
  * spi: dw: revisit FIFO size detection again
  * Linux 3.13.11-ckt17
 -- Kamal Mostafa <kamal@xxxxxxxxxxxxx>   Tue, 24 Mar 2015 11:58:44 -0700

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1421

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1465

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1593

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2041

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2042

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992

Title:
  Kernel oopses on access to address 0x8 when cdc-acm device is inserted
  with invalid descriptor.

Status in HWE Next Project:
  Fix Released
Status in HWE Next trusty series:
  Fix Committed
Status in HWE Next utopic series:
  Fix Committed
Status in HWE Next vivid series:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Utopic:
  Fix Committed

Bug description:
  Invalid configuration descriptor as follows:

  #+BEGIN_SRC text
  0000   09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02  ..C.....d.......
  0010   00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01  ...$....$...$...
  0020   05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00  .$..............
  0030   02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02  .........@......
  0040   20 00 ff                                          ..
  #+END_SRC

  In particular, the CDC Call Management Descriptor has its length
  declared too short (4 instead of 5), and the following CDC Union
  Descriptor is therefore unreachable.

  *** Code problems:

  1. The ~while (buflen > 0)~ loop that parses the interface aux data
     does not perform correct boundary checking.  In the above case,
     ~call_interface_num = buffer[4];~ accesses outside of the
     (declared) descriptor content.
  2. If a union header is missing, there is no code path that checks
     whether the ~data_interface~ (resolved from ~call_interface_num~)
     actually exists.  Later ~if
     (data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
     ~data_interface~.

  ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551

  Issue 2 was already fixed; issue 1's fix is in the process of being
  merged upstream. This bug is opened to track it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions
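As an added illustration (not code from the bug report, the kernel, or the "cdc-acm: add sanity checks" patch itself), the walker below applies the two checks the "Code problems" section calls for, run over interface 0's class-specific block constructed from the dump above: each descriptor's bLength is checked against the remaining buffer and against the minimum length its subtype needs before any field is read, and the resolved data interface is validated against the configuration's bNumInterfaces (2 in the dump) before anything would dereference it. The descriptor-type and subtype constants are the standard CDC values; the struct and helper names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#define USB_DT_CS_INTERFACE          0x24   /* class-specific interface desc */
#define USB_CDC_CALL_MANAGEMENT_TYPE 0x01
#define USB_CDC_UNION_TYPE           0x06
struct cdc_info { int call_iface, union_data, rejected; }; /* -1 = absent */

/* Walk an interface's class-specific descriptors with the bounds checks the
 * driver needs: bLength must fit the remaining buffer, and a subtype's fields
 * are read only when its declared length actually covers them. */
static struct cdc_info parse_cdc_aux(const uint8_t *buf, size_t buflen)
{
    struct cdc_info info = { -1, -1, 0 };
    while (buflen >= 2) {
        size_t elength = buf[0];
        if (elength < 2) {              /* garbage byte, not a descriptor */
            info.rejected++;
            elength = 1;
        } else if (elength > buflen) {  /* declared length overruns buffer */
            info.rejected++;
            break;
        } else if (buf[1] == USB_DT_CS_INTERFACE) {
            switch (buf[2]) {
            case USB_CDC_CALL_MANAGEMENT_TYPE:  /* bDataInterface at [4] */
                if (elength < 5) { info.rejected++; break; }
                info.call_iface = buf[4];
                break;
            case USB_CDC_UNION_TYPE:            /* bSlaveInterface0 at [4] */
                if (elength < 5) { info.rejected++; break; }
                info.union_data = buf[4];
                break;
            }
        }
        buf += elength;
        buflen -= elength;
    }
    return info;
}
/* Resolve the data interface and confirm it exists before any dereference. */
static int data_iface_valid(struct cdc_info i, int num_interfaces)
{
    int data = i.union_data >= 0 ? i.union_data : i.call_iface;
    return data >= 0 && data < num_interfaces;
}
/* Constructed from the bug's dump: interface 0's class-specific block (offsets
 * 0x12..0x24): header, ACM, 4-byte call management descriptor, stray 0x01 byte,
 * union descriptor. aux_ok is the same block with call management length 5. */
static const uint8_t aux_bad[] = { 0x05,0x24,0x00,0x10,0x01, 0x04,0x24,0x02,0x06,
                                   0x04,0x24,0x01,0x00, 0x01, 0x05,0x24,0x06,0x00,0x01 };
static const uint8_t aux_ok[]  = { 0x05,0x24,0x00,0x10,0x01, 0x04,0x24,0x02,0x06,
                                   0x05,0x24,0x01,0x00,0x01, 0x05,0x24,0x06,0x00,0x01 };
```

On the malformed block the 4-byte call management descriptor is rejected before its fifth byte is touched, and the stray 0x01 that follows it is skipped as a garbage byte rather than interpreted as a descriptor length; passing a truncated buffer shows the overrun check stopping the walk instead of reading past the end.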

