
kernel-packages team mailing list archive

[Bug 1460657] Re: possible infinite loop when parsing CDC headers


This bug was fixed in the package linux - 3.19.0-22.22

---------------
linux (3.19.0-22.22) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1465755

  [ Tai Nguyen ]

  * SAUCE: power: reset: Add syscon reboot device node for APM X-Gene
    platform
    - LP: #1463211

  [ Upstream Kernel Changes ]

  * Revert "dm crypt: fix deadlock when async crypto algorithm returns
    -EBUSY"
    - LP: #1465696
  * Bluetooth: ath3k: Add a new ID 0cf3:e006 to ath3k list
    - LP: #1459934
  * cdc-acm: prevent infinite loop when parsing CDC headers.
    - LP: #1460657
  * (upstream) libata: Blacklist queued TRIM on all Samsung 800-series
    - LP: #1338706, #1449005
  * powerpc/powernv: Check image loaded or not before calling flash
    - LP: #1461553
  * ahci: avoton port-disable reset-quirk
    - LP: #1458617
  * Bluetooth: btusb: support public address configuration for ath3012
    - LP: #1459937
  * Bluetooth: btusb: Add setup callback for chip init on USB
    - LP: #1459937
  * Bluetooth: btusb: Add support for QCA ROME chipset family
    - LP: #1459937
  * Bluetooth: btusb: Fix incorrect type in qca_device_info
    - LP: #1459937
  * Bluetooth: btusb: Fix minor whitespace issue in QCA ROME device entries
    - LP: #1459937
  * Bluetooth: btusb: Add support for 0cf3:e007
    - LP: #1459937
  * storvsc: Set the SRB flags correctly when no data transfer is needed
    - LP: #1439780
  * vfs: read file_handle only once in handle_to_path
    - LP: #1416503
    - CVE-2015-1420
  * ozwpan: Use unsigned ints to prevent heap overflow
    - LP: #1463442
    - CVE-2015-4001
  * ozwpan: divide-by-zero leading to panic
    - LP: #1463445
    - CVE-2015-4003
  * ozwpan: Use proper check to prevent heap overflow
    - LP: #1463444
    - CVE-2015-4002
  * ozwpan: unchecked signed subtraction leads to DoS
    - LP: #1463444
    - CVE-2015-4002
  * enclosure: fix WARN_ON removing an adapter in multi-path devices
    - LP: #1415178
  * ASoC: tfa9879: Fix return value check in tfa9879_i2c_probe()
    - LP: #1465696
  * ASoC: samsung: s3c24xx-i2s: Fix return value check in
    s3c24xx_iis_dev_probe()
    - LP: #1465696
  * ASoC: dapm: Enable autodisable on SOC_DAPM_SINGLE_TLV_AUTODISABLE
    - LP: #1465696
  * ASoC: rt5677: add register patch for PLL
    - LP: #1465696
  * btrfs: unlock i_mutex after attempting to delete subvolume during send
    - LP: #1465696
  * ALSA: hda - Fix mute-LED fixed mode
    - LP: #1465696
  * ALSA: hda - Add mute-LED mode control to Thinkpad
    - LP: #1465696
  * arm64: dma-mapping: always clear allocated buffers
    - LP: #1465696
  * ALSA: emu10k1: Fix card shortname string buffer overflow
    - LP: #1465696
  * ALSA: emux: Fix mutex deadlock at unloading
    - LP: #1465696
  * drm/radeon: Use drm_calloc_ab for CS relocs
    - LP: #1465696
  * drm/radeon: adjust pll when audio is not enabled
    - LP: #1465696
  * drm/radeon: add SI DPM quirk for Sapphire R9 270 Dual-X 2G GDDR5
    - LP: #1465696
  * drm/radeon: fix lockup when BOs aren't part of the VM on release
    - LP: #1465696
  * drm/radeon: reset BOs address after clearing it.
    - LP: #1465696
  * drm/radeon: check new address before removing old one
    - LP: #1465696
  * SCSI: add 1024 max sectors black list flag
    - LP: #1465696
  * 3w-sas: fix command completion race
    - LP: #1465696
  * 3w-xxxx: fix command completion race
    - LP: #1465696
  * 3w-9xxx: fix command completion race
    - LP: #1465696
  * uas: Allow uas_use_uas_driver to return usb-storage flags
    - LP: #1465696
  * uas: Add US_FL_MAX_SECTORS_240 flag
    - LP: #1465696
  * uas: Set max_sectors_240 quirk for ASM1053 devices
    - LP: #1465696
  * usb: chipidea: otg: remove mutex unlock and lock while stop and start
    role
    - LP: #1465696
  * serial: xilinx: Use platform_get_irq to get irq description structure
    - LP: #1465696
  * serial: of-serial: Remove device_type = "serial" registration
    - LP: #1465696
  * tty/serial: at91: maxburst was missing for dma transfers
    - LP: #1465696
  * ALSA: emux: Fix mutex deadlock in OSS emulation
    - LP: #1465696
  * ACPI / SBS: Enable battery manager when present
    - LP: #1465696
  * ALSA: emu10k1: Emu10k2 32 bit DMA mode
    - LP: #1465696
  * ASoC: rt5677: fixed wrong DMIC ref clock
    - LP: #1465696
  * rbd: end I/O the entire obj_request on error
    - LP: #1465696
  * ext4: fix data corruption caused by unwritten and delayed extents
    - LP: #1465696
  * ext4: move check under lock scope to close a race.
    - LP: #1465696
  * powerpc/pseries: Correct cpu affinity for dlpar added cpus
    - LP: #1465696
  * powerpc/powernv: Restore non-volatile CRs after nap
    - LP: #1465696
  * efivarfs: Ensure VariableName is NUL-terminated
    - LP: #1465696
  * x86/efi: Store upper bits of command line buffer address in
    ext_cmd_line_ptr
    - LP: #1465696
  * blk-mq: fix race between timeout and CPU hotplug
    - LP: #1465696
  * blk-mq: fix CPU hotplug handling
    - LP: #1465696
  * writeback: use |1 instead of +1 to protect against div by zero
    - LP: #1465696
  * ARM: mvebu: armada-xp-openblocks-ax3-4: Disable internal RTC
    - LP: #1465696
  * ARM: dts: imx23-olinuxino: Fix polarity of LED GPIO
    - LP: #1465696
  * ARM: dts: imx23-olinuxino: Fix dr_mode of usb0
    - LP: #1465696
  * ARM: dts: imx6: phyFLEX: USB VBUS control is active-high
    - LP: #1465696
  * ARM: dts: imx25: Add #pwm-cells to pwm4
    - LP: #1465696
  * ARM: dts: imx28: Fix AUART4 TX-DMA interrupt name
    - LP: #1465696
  * marvell-ccic: fix Y'CbCr ordering
    - LP: #1465696
  * gpio: sysfs: fix memory leaks and device hotplug
    - LP: #1465696
  * ACPI / SBS: Add 5 us delay to fix SBS hangs on MacBook
    - LP: #1465696
  * ACPI / PNP: add two IDs to list for PNPACPI device enumeration
    - LP: #1465696
  * ARM: OMAP2+: Fix omap off idle power consumption creeping up
    - LP: #1465696
  * ARM: dts: OMAP3-N900: Add microphone bias voltages
    - LP: #1465696
  * drm/radeon: disable semaphores for UVD V1 (v2)
    - LP: #1465696
  * x86/spinlocks: Fix regression in spinlock contention detection
    - LP: #1465696
  * RDMA/CMA: Canonize IPv4 on IPV6 sockets properly
    - LP: #1465696
  * drm/i915: Assume dual channel LVDS if pixel clock necessitates it
    - LP: #1465696
  * drm/i915: Add missing MacBook Pro models with dual channel LVDS
    - LP: #1465696
  * efi: Fix error handling in add_sysfs_runtime_map_entry()
    - LP: #1465696
  * xen/events: Clear cpu_evtchn_mask before resuming
    - LP: #1465696
  * xen/xenbus: Update xenbus event channel on resume
    - LP: #1465696
  * xen/console: Update console event channel on resume
    - LP: #1465696
  * xen/events: Set irq_info->evtchn before binding the channel to CPU in
    __startup_pirq()
    - LP: #1465696
  * mm/memory-failure: call shake_page() when error hits thp tail page
    - LP: #1465696
  * mm: soft-offline: fix num_poisoned_pages counting on concurrent events
    - LP: #1465696
  * nilfs2: fix sanity check of btree level in nilfs_btree_root_broken()
    - LP: #1465696
  * ocfs2: dlm: fix race between purge and get lock resource
    - LP: #1465696
  * drm/i915/dp: there is no audio on port A
    - LP: #1465696
  * drm/amdkfd: allow unregister process with queues
    - LP: #1465696
  * drm/radeon: fix userptr BO unpin bug v3
    - LP: #1465696
  * drm/radeon: make VCE handle check more strict
    - LP: #1465696
  * drm/radeon: make UVD handle checking more strict
    - LP: #1465696
  * drm/radeon: more strictly validate the UVD codec
    - LP: #1465696
  * path_openat(): fix double fput()
    - LP: #1465696
  * mnt: Fix fs_fully_visible to verify the root directory is visible
    - LP: #1465696
  * drm: Zero out invalid vblank timestamp in drm_update_vblank_count.
    - LP: #1465696
  * ARM: ux500: Move GPIO regulator for SD-card into board DTSs
    - LP: #1465696
  * ARM: ux500: Enable GPIO regulator for SD-card for HREF boards
    - LP: #1465696
  * ARM: ux500: Enable GPIO regulator for SD-card for snowball
    - LP: #1465696
  * xen-pciback: Add name prefix to global 'permissive' variable
    - LP: #1465696
  * mmc: core: add missing pm event in mmc_pm_notify to fix hib restore
    - LP: #1465696
  * ARM: dts: am57xx-beagle-x15: Fix IRQ type for mcp7941x
    - LP: #1465696
  * mmc: sh_mmcif: Fix timeout value for command request
    - LP: #1465696
  * pinctrl: Don't just pretend to protect pinctrl_maps, do it for real
    - LP: #1465696
  * arm64: add missing PAGE_ALIGN() to __dma_free()
    - LP: #1465696
  * Linux 3.19.8-ckt1
    - LP: #1465696

 -- Brad Figg <brad.figg@xxxxxxxxxxxxx>  Tue, 16 Jun 2015 09:21:59 -0700

** Changed in: linux (Ubuntu)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1420

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4001

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4002

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4003

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1460657

Title:
  possible infinite loop when parsing CDC headers

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
Status in linux source package in Vivid:
  Fix Committed

Bug description:
  Bug #1413992's patch introduced a possible infinite loop.

  commit 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e
  Author: Quentin Casasnovas <quentin.casasnovas@xxxxxxxxxx>
  Date:   Tue Apr 14 11:25:43 2015 +0200

      cdc-acm: prevent infinite loop when parsing CDC headers.

      Phil and I found out a problem with commit:

        7e860a6e7aa6 ("cdc-acm: add sanity checks")

      It added some sanity checks to ignore potential garbage in CDC headers but
      also introduced a potential infinite loop.  This can happen at the first
      loop iteration (elength = 0 in that case) if the description isn't a
      DT_CS_INTERFACE or later if 'buffer[0]' is zero.

      It should also be noted that the wrong length was being added to 'buffer'
      in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
      assigned after that check in the loop.

      A specially crafted USB device could be used to trigger this
      infinite loop.

      Fixes: 7e860a6e7aa6 ("cdc-acm: add sanity checks")
      Signed-off-by: Phil Turnbull <phil.turnbull@xxxxxxxxxx>
      Signed-off-by: Quentin Casasnovas <quentin.casasnovas@xxxxxxxxxx>
      CC: Sergei Shtylyov <sergei.shtylyov@xxxxxxxxxxxxxxxxxx>
      CC: Oliver Neukum <oneukum@xxxxxxx>
      CC: Adam Lee <adam8157@xxxxxxxxx>
      CC: <stable@xxxxxxxxxxxxxxx>
      Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

  ===
  break-fix: 7e860a6e7aa62b337a61110430cd633db5b0d2dd 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e
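The commit message above describes the shape of the loop but shows no code. As an added illustration (not the kernel's source and not part of this bug report), here is a small C reconstruction of both loop shapes: a pre-fix walker in which the length byte is read only after the descriptor-type check, so a non-CS_INTERFACE first descriptor or a zero length byte advances the cursor by zero bytes, and a post-fix walker that reads the length first, forces a one-byte step on a zero length, and skips other descriptor types by their own length. The struct, function names, the iteration cap on the pre-fix walker and its extra bounds guard are assumptions made for this example, and the descriptor blocks are constructed, not captured from a device.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Descriptor type byte for class-specific interface descriptors (USB CDC). */
#define USB_DT_CS_INTERFACE 0x24

/* Tally produced by the fixed walker. The struct and the function names in
 * this file are assumed for the example; they are not the kernel's. */
struct cdc_walk {
    unsigned int cs_descriptors; /* CS_INTERFACE descriptors consumed */
    unsigned int garbage_bytes;  /* zero length bytes stepped over */
    unsigned int garbage_descs;  /* descriptors of some other type skipped */
    unsigned int iterations;     /* loop trips, to show the walk terminates */
};

/* Post-fix shape: read the length byte first, force a one-byte advance when
 * it is zero, and skip a non-CS_INTERFACE descriptor by its own length, so
 * every iteration moves the cursor by at least one byte.
 * Returns 0 on success, -1 if a descriptor claims more bytes than remain. */
static int walk_cdc_headers_fixed(const uint8_t *buffer, size_t buflen,
                                  struct cdc_walk *out)
{
    out->cs_descriptors = out->garbage_bytes = 0;
    out->garbage_descs = out->iterations = 0;

    while (buflen > 0) {
        size_t elength = buffer[0];
        out->iterations++;

        if (elength == 0) {
            out->garbage_bytes++;    /* garbage byte: step over it */
            elength = 1;
            goto next_desc;
        }
        if (elength > buflen)
            return -1;               /* truncated descriptor: stop, never overrun */
        if (elength < 2 || buffer[1] != USB_DT_CS_INTERFACE) {
            out->garbage_descs++;    /* other type: skip by its own length */
            goto next_desc;
        }
        out->cs_descriptors++;       /* a driver would switch on buffer[2] here */
next_desc:
        buflen -= elength;
        buffer += elength;
    }
    return 0;
}

/* Pre-fix shape, reconstructed from the commit message (not the kernel source
 * verbatim): the type check runs before elength is assigned, so a
 * non-CS_INTERFACE descriptor is skipped using the previous trip's length
 * (zero on the first trip) and a zero length byte also advances by zero.
 * max_iter bounds the walk so the hang shows up as -1; -2 means the demo's
 * own bounds guard fired (a check the pre-fix loop did not have). */
static int walk_cdc_headers_prefix(const uint8_t *buffer, size_t buflen,
                                   unsigned int max_iter)
{
    size_t elength = 0;              /* stale across iterations, as before the fix */
    unsigned int iterations = 0;

    while (buflen > 0) {
        if (++iterations > max_iter)
            return -1;
        if (buflen < 2)
            return -2;
        if (buffer[1] != USB_DT_CS_INTERFACE)
            goto next_desc;          /* elength not refreshed */
        elength = buffer[0];         /* may be zero: then no progress below */
next_desc:
        if (elength > buflen)
            return -2;
        buflen -= elength;
        buffer += elength;
    }
    return 0;
}

/* Constructed block: a 5-byte CS_INTERFACE descriptor, one stray zero byte,
 * a 3-byte descriptor of another type, then a 4-byte CS_INTERFACE one. */
static const uint8_t SAMPLE_BLOCK[] = {
    0x05, 0x24, 0x00, 0x10, 0x01,
    0x00,
    0x03, 0x01, 0xAA,
    0x04, 0x24, 0x02, 0x02,
};
/* Constructed block whose first descriptor is not CS_INTERFACE. */
static const uint8_t FIRST_NOT_CS[] = { 0x03, 0x01, 0xAA, 0x04, 0x24, 0x02, 0x02 };
/* Constructed truncated block: claims 5 bytes, only 3 present. */
static const uint8_t TRUNCATED[] = { 0x05, 0x24, 0x00 };

int main(void)
{
    struct cdc_walk w;
    int rc = walk_cdc_headers_fixed(SAMPLE_BLOCK, sizeof SAMPLE_BLOCK, &w);
    printf("fixed: rc=%d cs=%u zero_bytes=%u other=%u iterations=%u\n",
           rc, w.cs_descriptors, w.garbage_bytes, w.garbage_descs, w.iterations);
    printf("fixed on truncated block: rc=%d\n",
           walk_cdc_headers_fixed(TRUNCATED, sizeof TRUNCATED, &w));
    printf("pre-fix on non-CS first descriptor: rc=%d (-1 = no progress)\n",
           walk_cdc_headers_prefix(FIRST_NOT_CS, sizeof FIRST_NOT_CS, 32));
    return 0;
}
```

The point to take from the two walkers is the progress invariant: the fixed loop decides how far to advance before it decides whether it likes the descriptor, so no input byte sequence can keep the cursor in place, and an over-long length is rejected rather than used to step past the end of the buffer.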

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1460657/+subscriptions
