
kernel-packages team mailing list archive

[Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.


This bug was fixed in the package linux - 3.16.0-34.45

---------------
linux (3.16.0-34.45) utopic; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1435400

  [ Andy Whitcroft ]

  * [Packaging] generate live watchdog blacklists
    - LP: #1432837

  [ Chris J Arges ]

  * [Config] Add ibmvfc to d-i
    - LP: #1416001

  [ John Johansen ]

  * SAUCE: (no-up): apparmor: fix mediation of fs unix sockets
    - LP: #1408833

  [ Seth Forshee ]

  * [Config] updateconfigs - enable X86_UP_APIC_MSI

  [ Upstream Kernel Changes ]

  * cdc-acm: add sanity checks
    - LP: #1413992
  * x86: thinkpad_acpi.c: fixed spacing coding style issue
    - LP: #1417915
  * thinkpad_acpi: support new BIOS version string pattern
    - LP: #1417915
  * powernv: Use _GLOBAL_TOC for opal wrappers
    - LP: #1431196
  * Btrfs: clear compress-force when remounting with compress option
    - LP: #1434183
  * Btrfs: send, don't delay dir move if there's a new parent inode
    - LP: #1434223
  * [media] em28xx: fix em28xx-input removal
    - LP: #1434595
  * [media] em28xx: ensure "closing" messages terminate with a newline
    - LP: #1434595
  * [media] em28xx-input: fix missing newlines
    - LP: #1434595
  * [media] em28xx-core: fix missing newlines
    - LP: #1434595
  * [media] em28xx-audio: fix missing newlines
    - LP: #1434595
  * [media] em28xx-audio: fix missing newlines
    - LP: #1434595
  * [media] em28xx-dvb: fix missing newlines
    - LP: #1434595
  * [media] em28xx-video: fix missing newlines
    - LP: #1434595
  * ARM: pxa: add regulator_has_full_constraints to corgi board file
    - LP: #1434595
  * ARM: pxa: add regulator_has_full_constraints to poodle board file
    - LP: #1434595
  * ARM: pxa: add regulator_has_full_constraints to spitz board file
    - LP: #1434595
  * hx4700: regulator: declare full constraints
    - LP: #1434595
  * HID: input: fix confusion on conflicting mappings
    - LP: #1434595
  * HID: fixup the conflicting keyboard mappings quirk
    - LP: #1434595
  * ARM: dts: tegra20: fix GR3D, DSI unit and reg base addresses
    - LP: #1434595
  * megaraid_sas: disable interrupt_mask before enabling hardware
    interrupts
    - LP: #1434595
  * PCI: Generate uppercase hex for modalias var in uevent
    - LP: #1434595
  * usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN
    - LP: #1434595
  * tty/serial: at91: enable peripheral clock before accessing I/O
    registers
    - LP: #1434595
  * tty/serial: at91: fix error handling in atmel_serial_probe()
    - LP: #1434595
  * axonram: Fix bug in direct_access
    - LP: #1434595
  * btrfs: fix leak of path in btrfs_find_item
    - LP: #1434595
  * ksoftirqd: Enable IRQs and call cond_resched() before poking RCU
    - LP: #1434595
  * TPM: Add new TPMs to the tail of the list to prevent inadvertent change
    of dev
    - LP: #1434595
  * char: tpm: Add missing error check for devm_kzalloc
    - LP: #1434595
  * tpm_tis: verify interrupt during init
    - LP: #1434595
  * tpm: Fix NULL return in tpm_ibmvtpm_get_desired_dma
    - LP: #1434595
  * tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send
    - LP: #1434595
  * tpm/tpm_i2c_stm_st33: Add status check when reading data on the FIFO
    - LP: #1434595
  * mmc: sdhci-pxav3: fix unbalanced clock issues during probe
    - LP: #1434595
  * iwlwifi: mvm: validate tid and sta_id in ba_notif
    - LP: #1434595
  * power: gpio-charger: balance enable/disable_irq_wake calls
    - LP: #1434595
  * power: bq24190: Fix ignored supplicants
    - LP: #1434595
  * ARM: DRA7: hwmod: Fix boot crash with DEBUG_LL enabled on UART3
    - LP: #1434595
  * Bluetooth: ath3k: Add support of AR3012 bluetooth 13d3:3423 device
    - LP: #1411193, #1434595
  * Bluetooth: btusb: Add Broadcom patchram support for ASUSTek devices
    - LP: #1434595
  * cfq-iosched: fix incorrect filing of rt async cfqq
    - LP: #1434595
  * smack: fix possible use after frees in task_security() callers
    - LP: #1434595
  * xfs: ensure buffer types are set correctly
    - LP: #1434595
  * xfs: inode unlink does not set AGI buffer type
    - LP: #1434595
  * xfs: set buf types when converting extent formats
    - LP: #1434595
  * xfs: set superblock buffer type correctly
    - LP: #1434595
  * btrfs: set proper message level for skinny metadata
    - LP: #1434595
  * KVM: s390: base hrtimer on a monotonic clock
    - LP: #1434595
  * KVM: s390: avoid memory leaks if __inject_vm() fails
    - LP: #1434595
  * samsung-laptop: Add use_native_backlight quirk, and enable it on some
    models
    - LP: #1434595
  * PCI: Fix infinite loop with ROM image of size 0
    - LP: #1434595
  * USB: cp210x: add ID for RUGGEDCOM USB Serial Console
    - LP: #1434595
  * Bluetooth: Add support for Broadcom BCM20702A1 variant
    - LP: #1434595
  * Bluetooth: Add support for Broadcom BCM20702A0 variants firmware
    download
    - LP: #1434595
  * Bluetooth: btusb: Add support for Dynex/Insignia USB dongles
    - LP: #1434595
  * clk: zynq: Force CPU_2X clock to be ungated
    - LP: #1434595
  * mmc: sdhci-pxav3: Remove checks for mandatory host clock
    - LP: #1434595
  * mmc: sdhci-pxav3: fix race between runtime pm and irq
    - LP: #1434595
  * power_supply: 88pm860x: Fix leaked power supply on probe fail
    - LP: #1434595
  * staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back
    - LP: #1434595
  * mmc: sdhci-pxav3: fix setting of pdata->clk_delay_cycles
    - LP: #1434595
  * mmc: sdhci-pxav3: Fix SDR50 and DDR50 capabilities for the Armada 38x
    flavor
    - LP: #1434595
  * mmc: sdhci-pxav3: Fix Armada 38x controller's caps according to erratum
    ERR-7878951
    - LP: #1434595
  * ARM: 8284/1: sa1100: clear RCSR_SMR on resume
    - LP: #1434595
  * [media] si2168: define symbol rate limits
    - LP: #1434595
  * nfs: don't call blocking operations while !TASK_RUNNING
    - LP: #1434595
  * USB: add flag for HCDs that can't receive wakeup requests (isp1760-hcd)
    - LP: #1434595
  * USB: fix use-after-free bug in usb_hcd_unlink_urb()
    - LP: #1434595
  * iwlwifi: mvm: always use mac color zero
    - LP: #1434595
  * iwlwifi: pcie: disable the SCD_BASE_ADDR when we resume from WoWLAN
    - LP: #1434595
  * iwlwifi: mvm: fix failure path when power_update fails in add_interface
    - LP: #1434595
  * vt: provide notifications on selection changes
    - LP: #1434595
  * tty: Prevent untrappable signals from malicious program
    - LP: #1434595
  * serial: fsl_lpuart: delete timer on shutdown
    - LP: #1434595
  * serial: fsl_lpuart: avoid new transfer while DMA is running
    - LP: #1434595
  * cpufreq: Set cpufreq_cpu_data to NULL before putting kobject
    - LP: #1434595
  * Bluetooth: btusb: Add support for Lite-On (04ca) Broadcom based,
    BCM43142
    - LP: #1434595
  * nfs41: .init_read and .init_write can be called with valid pg_lseg
    - LP: #1434595
  * [media] lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in
    interrupt urb
    - LP: #1434595
  * mei: mask interrupt set bit on clean reset bit
    - LP: #1434595
  * mei: me: release hw from reset only during the reset flow
    - LP: #1434595
  * KVM: MIPS: Don't leak FPU/DSP to guest
    - LP: #1434595
  * ALSA: hda - Add the pin fixup for HP Envy TS bass speaker
    - LP: #1434595
  * ALSA: hda - Set up GPIO for Toshiba Satellite S50D
    - LP: #1434595
  * xen/manage: Fix USB interaction issues when resuming
    - LP: #1434595
  * ACPI / video: Add some Samsung models to disable_native_backlight list
    - LP: #1434595
  * ACPI / video: Add disable_native_backlight quirk for Dell XPS15 L521X
    - LP: #1434595
  * ACPI / video: Add disable_native_backlight quirk for Samsung
    730U3E/740U3E
    - LP: #1434595
  * ACPI / video: Add disable_native_backlight quirk for Samsung 510R
    - LP: #1434595
  * KVM: s390: floating irqs: fix user triggerable endless loop
    - LP: #1434595
  * drm/i915: Correct the IOSF Dev_FN field for IOSF transfers
    - LP: #1434595
  * cfq-iosched: handle failure of cfq group allocation
    - LP: #1434595
  * tracing: Fix unmapping loop in tracing_mark_write
    - LP: #1434595
  * fsnotify: fix handling of renames in audit
    - LP: #1434595
  * ring-buffer: Do not wake up a splice waiter when page is not full
    - LP: #1434595
  * blk-mq: fix double-free in error path
    - LP: #1434595
  * drm/radeon: workaround for CP HW bug on CIK
    - LP: #1434595
  * drm/radeon: only enable kv/kb dpm interrupts once v3
    - LP: #1434595
  * NFSv4.1: Fix a kfree() of uninitialised pointers in
    decode_cb_sequence_args
    - LP: #1434595
  * cpufreq: speedstep-smi: enable interrupts when waiting
    - LP: #1434595
  * mm/hugetlb: pmd_huge() returns true for non-present hugepage
    - LP: #1434595
  * mm/hugetlb: take page table lock in follow_huge_pmd()
    - LP: #1434595
  * mm/hugetlb: fix getting refcount 0 page in hugetlb_fault()
    - LP: #1434595
  * mm/hugetlb: add migration/hwpoisoned entry check in
    hugetlb_change_protection
    - LP: #1434595
  * mm/hugetlb: add migration entry check in __unmap_hugepage_range
    - LP: #1434595
  * mm: when stealing freepages, also take pages created by splitting buddy
    page
    - LP: #1434595
  * mm/mmap.c: fix arithmetic overflow in __vm_enough_memory()
    - LP: #1434595
  * mm/nommu.c: fix arithmetic overflow in __vm_enough_memory()
    - LP: #1434595
  * iscsi-target: Drop problematic active_ts_list usage
    - LP: #1434595
  * target: Fix PR_APTPL_BUF_LEN buffer size limitation
    - LP: #1434595
  * mm/compaction: fix wrong order check in compact_finished()
    - LP: #1434595
  * mm/memory.c: actually remap enough memory
    - LP: #1434595
  * mm: hwpoison: drop lru_add_drain_all() in __soft_offline_page()
    - LP: #1434595
  * ALSA: hda - enable mute led quirk for one more hp machine.
    - LP: #1410704, #1434595
  * ARC: fix page address calculation if PAGE_OFFSET != LINUX_LINK_BASE
    - LP: #1434595
  * drm/radeon/dp: Set EDP_CONFIGURATION_SET for bridge chips if necessary
    - LP: #1434595
  * drm/radeon: fix voltage setup on hawaii
    - LP: #1434595
  * ALSA: hdspm - Constrain periods to 2 on older cards
    - LP: #1434595
  * jffs2: fix handling of corrupted summary length
    - LP: #1434595
  * dm mirror: do not degrade the mirror on discard error
    - LP: #1434595
  * dm io: reject unsupported DISCARD requests with EOPNOTSUPP
    - LP: #1434595
  * NFS: struct nfs_commit_info.lock must always point to inode->i_lock
    - LP: #1434595
  * target: Add missing WRITE_SAME end-of-device sanity check
    - LP: #1434595
  * target: Check for LBA + sectors wrap-around in sbc_parse_cdb
    - LP: #1434595
  * Btrfs: fix fsync data loss after adding hard link to inode
    - LP: #1434595
  * Added Little Endian support to vtpm module
    - LP: #1434595
  * fixed invalid assignment of 64bit mask to host dma_boundary for scatter
    gather segment boundary limit.
    - LP: #1434595
  * sg: fix read() error reporting
    - LP: #1434595
  * IB/qib: Do not write EEPROM
    - LP: #1434595
  * EDAC, amd64_edac: Prevent OOPS with >16 memory controllers
    - LP: #1434595
  * MIPS: asm: asmmacro: Replace "add" instructions with "addu"
    - LP: #1434595
  * MIPS: kernel: cps-vec: Replace "addi" with "addiu"
    - LP: #1434595
  * md/raid5: Fix livelock when array is both resyncing and degraded.
    - LP: #1434595
  * locking/rtmutex: Avoid a NULL pointer dereference on deadlock
    - LP: #1434595
  * time: adjtimex: Validate the ADJ_FREQUENCY values
    - LP: #1434595
  * ntp: Fixup adjtimex freq validation on 32-bit systems
    - LP: #1434595
  * dm: fix a race condition in dm_get_md
    - LP: #1434595
  * dm snapshot: fix a possible invalid memory access on unload
    - LP: #1434595
  * cpufreq: s3c: remove incorrect __init annotations
    - LP: #1434595
  * x86, mm/ASLR: Fix stack randomization on 64-bit systems
    - LP: #1434595
  * libceph: assert both regular and lingering lists in __remove_osd()
    - LP: #1434595
  * libceph: change from BUG to WARN for __remove_osd() asserts
    - LP: #1434595
  * libceph: fix double __remove_osd() problem
    - LP: #1434595
  * MIPS: Export FP functions used by lose_fpu(1) for KVM
    - LP: #1434595
  * MIPS: Export MSA functions used by lose_fpu(1) for KVM
    - LP: #1434595
  * kdb: fix incorrect counts in KDB summary command output
    - LP: #1434595
  * blk-throttle: check stats_cpu before reading it from sysfs
    - LP: #1434595
  * debugfs: leave freeing a symlink body until inode eviction
    - LP: #1434595
  * procfs: fix race between symlink removals and traversals
    - LP: #1434595
  * autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for
    allocation
    - LP: #1434595
  * ASoC: mioa701_wm9713: Fix speaker event
    - LP: #1434595
  * gpio: rcar: Fix error path for devm_kzalloc() failure
    - LP: #1434595
  * efi: Small leak on error in runtime map code
    - LP: #1434595
  * clk-gate: fix bit # check in clk_register_gate()
    - LP: #1434595
  * powerpc/kernel: Avoid memory corruption at early stage
    - LP: #1434595
  * pinctrl: pinctrl-imx: don't use invalid value of conf_reg
    - LP: #1434595
  * ALSA: off by one bug in snd_riptide_joystick_probe()
    - LP: #1434595
  * GFS2: Fix crash during ACL deletion in acl max entry check in
    gfs2_set_acl()
    - LP: #1434595
  * net: llc: use correct size for sysctl timeout entries
    - LP: #1434595
  * net: rds: use correct size for max unacked packets and bytes
    - LP: #1434595
  * HID: i2c-hid: Limit reads to wMaxInputLength bytes for input events
    - LP: #1434595
  * fib_trie: Fix /proc/net/fib_trie when CONFIG_IP_MULTIPLE_TABLES is not
    defined
    - LP: #1434595
  * net: sctp: fix race for one-to-many sockets in sendmsg's auto associate
    - LP: #1434595
  * gpio: sysfs: fix gpio attribute-creation race
    - LP: #1434595
  * ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs
    - LP: #1434595
  * IB/core: When marshaling ucma path from user-space, clear unused fields
    - LP: #1434595
  * IB/core: Fix deadlock on uverbs modify_qp error flow
    - LP: #1434595
  * IB/mlx4: Fix wrong usage of IPv4 protocol for multicast attach/detach
    - LP: #1434595
  * IB/iser: Use correct dma direction when unmapping SGs
    - LP: #1434595
  * [media] Si2168: increase timeout to fix firmware loading
    - LP: #1434595
  * staging: comedi: cb_pcidas64: fix incorrect AI range code handling
    - LP: #1434595
  * target: Fix R_HOLDER bit usage for AllRegistrants
    - LP: #1434595
  * target: Avoid dropping AllRegistrants reservation during unregister
    - LP: #1434595
  * target: Allow AllRegistrants to re-RESERVE existing reservation
    - LP: #1434595
  * target: Allow Write Exclusive non-reservation holders to READ
    - LP: #1434595
  * vhost/scsi: potential memory corruption
    - LP: #1434595
  * clk: sunxi: Support factor clocks with N factor starting not from 0
    - LP: #1434595
  * sunxi: clk: Set sun6i-pll1 n_start = 1
    - LP: #1434595
  * HID: wacom: Report ABS_MISC event for Cintiq Companion Hybrid
    - LP: #1434595
  * mm: softdirty: unmapped addresses between VMAs are clean
    - LP: #1434595
  * proc/pagemap: walk page tables under pte lock
    - LP: #1434595
  * ARM: dts: am335x-bone*: usb0 is hardwired for peripheral
    - LP: #1434595
  * sched/rt: Reduce rq lock contention by eliminating locking of
    non-feasible target
    - LP: #1434595
  * caif: remove wrong dev_net_set() call
    - LP: #1434595
  * quota: Store maximum space limit in bytes
    - LP: #1434595
  * Linux 3.16.7-ckt8
    - LP: #1434595
  * btrfs: label should not contain return char
    - LP: #1434528
 -- Luis Henriques <luis.henriques@xxxxxxxxxxxxx>   Mon, 23 Mar 2015 15:58:49 +0000

** Changed in: linux (Ubuntu Utopic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992

Title:
  Kernel oopses on access to address 0x8 when cdc-acm device is inserted
  with invalid descriptor.

Status in HWE Next Project:
  Fix Released
Status in HWE Next trusty series:
  Fix Released
Status in HWE Next utopic series:
  Fix Committed
Status in HWE Next vivid series:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Utopic:
  Fix Released

Bug description:
  Invalid configuration descriptor as follows:

  #+BEGIN_SRC text
  0000   09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02  ..C.....d.......
  0010   00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01  ...$....$...$...
  0020   05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00  .$..............
  0030   02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02  .........@......
  0040   20 00 ff                                          ..
  #+END_SRC

  In particular, the CDC Call Management Descriptor has its length
  declared too short (4 instead of 5), and the following CDC Union
  Descriptor is therefore unreachable.

  *** Code problems:

  1. The ~while (buflen > 0)~ loop that parses the interface aux data
     does not perform correct boundary checking.  In the above case,
     ~call_interface_num = buffer[4];~ accesses outside of the
     (declared) descriptor content.
  2. If a union header is missing, there is no code path that checks
     whether the ~data_interface~ (resolved from ~call_interface_num~)
     actually exists.  Later,
     ~if (data_interface->cur_altsetting->desc.bInterfaceClass~
     dereferences ~data_interface~.

  ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551

  Issue 2 was already fixed; issue 1's fix is in the process of being
  merged upstream. Opening this bug to track it.
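As an added illustration of problem 1 (not code from the kernel or from the bug report), the following C walks the class-specific descriptors the way the report describes, but with the length checks that the unchecked ~buffer[4]~ read lacks. It assumes the driver receives the 13 bytes between the interface descriptor and the stray byte pair ~01 05~, which the USB core's descriptor walk takes for an endpoint header (bLength 1, type 5); that is why the report calls the union descriptor unreachable. The constant names mirror the USB CDC spec; the ~extra_fixed~ input is constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define USB_DT_CS_INTERFACE          0x24
#define USB_CDC_CALL_MANAGEMENT_TYPE 0x01
#define USB_CDC_UNION_TYPE           0x06

struct cdc_parse {
    int call_interface_num; /* bDataInterface from call management, -1 if absent */
    int union_data_iface;   /* bSlaveInterface0 from the union descriptor, -1 if absent */
    int rejected;           /* class-specific descriptors dropped as too short */
};

/* Bounds-checked walk over an interface's extra data: every byte read lies
 * inside both the declared descriptor and the buffer.  Returns 0 when the
 * buffer is consumed exactly, -1 when a bLength is zero or overruns it. */
int cdc_parse_extra(const uint8_t *buf, size_t buflen, struct cdc_parse *out)
{
    out->call_interface_num = out->union_data_iface = -1;
    out->rejected = 0;
    while (buflen >= 2) {                  /* bLength and bDescriptorType present */
        size_t elen = buf[0];
        if (elen < 2 || elen > buflen)     /* would loop forever or read past buflen */
            return -1;
        if (buf[1] == USB_DT_CS_INTERFACE) {
            /* subtype is byte 2; 0xff marks "no subtype" for a 2-byte stub */
            uint8_t sub = elen >= 3 ? buf[2] : 0xff;
            int has_iface = sub == USB_CDC_CALL_MANAGEMENT_TYPE || sub == USB_CDC_UNION_TYPE;
            if (has_iface && elen < 5)     /* interface number lives at byte 4 */
                out->rejected++;           /* too short: buf[4] is never touched */
            else if (sub == USB_CDC_CALL_MANAGEMENT_TYPE)
                out->call_interface_num = buf[4];
            else if (sub == USB_CDC_UNION_TYPE)
                out->union_data_iface = buf[4];
        }
        buf += elen;
        buflen -= elen;
    }
    return buflen == 0 ? 0 : -1;
}

/* Extra data assumed to reach the driver for the dump on this page: the stray
 * 0x01 after the 4-byte call management descriptor, followed by 0x05, looks
 * like an endpoint header to the core, so the union descriptor never gets here. */
const uint8_t extra_from_report[] = {
    0x05, 0x24, 0x00, 0x10, 0x01,          /* header functional descriptor */
    0x04, 0x24, 0x02, 0x06,                /* ACM functional descriptor */
    0x04, 0x24, 0x01, 0x00 };              /* call management, bLength 4 (needs 5) */

/* Constructed control input: the same device with the correct bLength of 5. */
const uint8_t extra_fixed[] = {
    0x05, 0x24, 0x00, 0x10, 0x01, 0x04, 0x24, 0x02, 0x06,
    0x05, 0x24, 0x01, 0x00, 0x01, 0x05, 0x24, 0x06, 0x00, 0x01 };
```

On the report's bytes both interface numbers stay -1 and one descriptor is counted as rejected, which is the point at which a probe must fail instead of dereferencing an unresolved ~data_interface~; on the corrected bytes both resolve to interface 1.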

To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions
