← Back to team overview

kernel-packages team mailing list archive

[Bug 1460657] Re: possible infinite loop when parsing CDC headers

 

This bug was fixed in the package linux - 3.13.0-57.95

---------------
linux (3.13.0-57.95) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1466592

  [ Brad Figg ]

  * Merged back Ubuntu-3.13.0-55.94 regression fix for security release

linux (3.13.0-56.93) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1465798

  [ Upstream Kernel Changes ]

  * net: eth: xgene: devm_ioremap() returns NULL on error
    - LP: #1458042
  * drivers: net: xgene: fix new firmware backward compatibility with older
    driver
    - LP: #1458042
  * drivers: net: xgene: constify of_device_id array
    - LP: #1458042
  * drivers: net: xgene: Add second SGMII based 1G interface
    - LP: #1458042
  * net: phy: re-design phy_modes to be self-contained
    - LP: #1458042
  * dtb: change binding name to match with newer firmware DT
    - LP: #1458042
  * dtb: xgene: Add second SGMII based 1G interface node
    - LP: #1458042
  * Btrfs: make xattr replace operations atomic
    - LP: #1438501
    - CVE-2014-9710
  * cdc-acm: prevent infinite loop when parsing CDC headers.
    - LP: #1460657
  * (upstream) libata: Blacklist queued TRIM on all Samsung 800-series
    - LP: #1338706, #1449005
  * ahci: avoton port-disable reset-quirk
    - LP: #1458617
  * xfs: avoid false quotacheck after unclean shutdown
    - LP: #1461730
  * (upstream)[SCSI] Add timeout to avoid infinite command retry
    - LP: #1449372
  * (upstream)scsi_lib: remove the description string in
    scsi_io_completion()
    - LP: #1449372
  * udf: Remove repeated loads blocksize
    - LP: #1462173
    - CVE-2015-4167
  * udf: Check length of extended attributes and allocation descriptors
    - LP: #1462173
    - CVE-2015-4167
  * vfs: read file_handle only once in handle_to_path
    - LP: #1416503
    - CVE-2015-1420
  * ozwpan: Use unsigned ints to prevent heap overflow
    - LP: #1463442
    - CVE-2015-4001
  * ozwpan: divide-by-zero leading to panic
    - LP: #1463445
    - CVE-2015-4003
  * ozwpan: Use proper check to prevent heap overflow
    - LP: #1463444
    - CVE-2015-4002
  * ozwpan: unchecked signed subtraction leads to DoS
    - LP: #1463444
    - CVE-2015-4002
  * Input: elantech - add new icbody type
    - LP: #1464490
  * Bluetooth: ath3k: Add support Atheros AR5B195 combo Mini PCIe card
    - LP: #1465796
  * power_supply: twl4030_madc: Check return value of power_supply_register
    - LP: #1465796
  * power_supply: lp8788-charger: Fix leaked power supply on probe fail
    - LP: #1465796
  * ARM: dts: dove: Fix uart[23] reg property
    - LP: #1465796
  * xtensa: xtfpga: fix hardware lockup caused by LCD driver
    - LP: #1465796
  * Drivers: hv: vmbus: Fix a bug in the error path in vmbus_open()
    - LP: #1465796
  * xtensa: provide __NR_sync_file_range2 instead of __NR_sync_file_range
    - LP: #1465796
  * KVM: s390: Zero out current VMDB of STSI before including level3 data.
    - LP: #1465796
  * usb: musb: core: fix TX/RX endpoint order
    - LP: #1465796
  * drm/radeon: fix doublescan modes (v2)
    - LP: #1465796
  * usb: phy: Find the right match in devm_usb_phy_match
    - LP: #1465796
  * tools lib traceevent kbuffer: Remove extra update to data pointer in
    PADDING
    - LP: #1465796
  * ring-buffer: Replace this_cpu_*() with __this_cpu_*()
    - LP: #1465796
  * ASoC: wm8741: Fix rates constraints values
    - LP: #1465796
  * cdc-wdm: fix endianness bug in debug statements
    - LP: #1465796
  * staging: panel: fix lcd type
    - LP: #1465796
  * UBI: account for bitflips in both the VID header and data
    - LP: #1465796
  * UBI: fix out of bounds write
    - LP: #1465796
  * UBI: initialize LEB number variable
    - LP: #1465796
  * UBI: fix check for "too many bytes"
    - LP: #1465796
  * ARM: S3C64XX: Use fixed IRQ bases to avoid conflicts on Cragganmore
    - LP: #1465796
  * ASoC: davinci-evm: drop un-necessary remove function
    - LP: #1465796
  * iscsi-target: Convert iscsi_thread_set usage to kthread.h
    - LP: #1465796
  * Drivers: hv: vmbus: Don't wait after requesting offers
    - LP: #1465796
  * Btrfs: fix log tree corruption when fs mounted with -o discard
    - LP: #1465796
  * btrfs: don't accept bare namespace as a valid xattr
    - LP: #1465796
  * ARM: 8320/1: fix integer overflow in ELF_ET_DYN_BASE
    - LP: #1465796
  * rtlwifi: rtl8192cu: Add new USB ID
    - LP: #1465796
  * MIPS: Hibernate: flush TLB entries earlier
    - LP: #1465796
  * ASoC: cs4271: Increase delay time after reset
    - LP: #1465796
  * stk1160: Make sure current buffer is released
    - LP: #1465796
  * mnt: Improve the umount_tree flags
    - LP: #1465796
  * ext4: make fsync to sync parent dir in no-journal for real this time
    - LP: #1465796
  * Input: elantech - fix absolute mode setting on some ASUS laptops
    - LP: #1465796
  * usb: define a generic USB_RESUME_TIMEOUT macro
    - LP: #1465796
  * usb: host: xhci: use new USB_RESUME_TIMEOUT
    - LP: #1465796
  * usb: host: ehci: use new USB_RESUME_TIMEOUT
    - LP: #1465796
  * usb: host: uhci: use new USB_RESUME_TIMEOUT
    - LP: #1465796
  * usb: musb: use new USB_RESUME_TIMEOUT
    - LP: #1465796
  * usb: host: isp116x: use new USB_RESUME_TIMEOUT
    - LP: #1465796
  * usb: host: fotg210: use new USB_RESUME_TIMEOUT
    - LP: #1465796
  * usb: host: fusbh200: use new USB_RESUME_TIMEOUT
    - LP: #1465796
  * usb: host: oxu210hp: use new USB_RESUME_TIMEOUT
    - LP: #1465796
  * usb: host: r8a66597: use new USB_RESUME_TIMEOUT
    - LP: #1465796
  * usb: host: sl811: use new USB_RESUME_TIMEOUT
    - LP: #1465796
  * usb: dwc2: hcd: use new USB_RESUME_TIMEOUT
    - LP: #1465796
  * usb: isp1760: hcd: use new USB_RESUME_TIMEOUT
    - LP: #1465796
  * usb: core: hub: use new USB_RESUME_TIMEOUT
    - LP: #1465796
  * iser-target: Fix possible deadlock in RDMA_CM connection error
    - LP: #1465796
  * gpio: mvebu: Fix mask/unmask managment per irq chip type
    - LP: #1465796
  * scsi: storvsc: Fix a bug in copy_from_bounce_buffer()
    - LP: #1465796
  * ALSA: emu10k1: don't deadlock in proc-functions
    - LP: #1465796
  * xtensa: ISS: fix locking in TAP network adapter
    - LP: #1465796
  * s390/hibernate: fix save and restore of kernel text section
    - LP: #1465796
  * Btrfs: fix inode eviction infinite loop after extent_same ioctl
    - LP: #1465796
  * Btrfs: fix inode eviction infinite loop after cloning into it
    - LP: #1465796
  * ACPICA: Utilities: split IO address types from data type models.
    - LP: #1465796
  * drm/i915: Dont enable CS_PARSER_ERROR interrupts at all
    - LP: #1465796
  * target: Fix COMPARE_AND_WRITE with SG_TO_MEM_NOALLOC handling
    - LP: #1465796
  * mm/hugetlb: use pmd_page() in follow_huge_pmd()
    - LP: #1465796
  * fs/binfmt_elf.c: fix bug in loading of PIE binaries
    - LP: #1465796
  * IB/core: disallow registering 0-sized memory region
    - LP: #1465796
  * IB/core: don't disallow registering region starting at 0x0
    - LP: #1465796
  * ptrace: fix race between ptrace_resume() and wait_task_stopped()
    - LP: #1465796
  * mvsas: fix panic on expander attached SATA devices
    - LP: #1465796
  * drm/i915: cope with large i2c transfers
    - LP: #1465796
  * RCU pathwalk breakage when running into a symlink overmounting
    something
    - LP: #1465796
  * compal-laptop: Check return value of power_supply_register
    - LP: #1465796
  * sched/idle/x86: Restore mwait_idle() to fix boot hangs, to improve
    power savings and to improve performance
    - LP: #1465796
  * nfs: don't call blocking operations while !TASK_RUNNING
    - LP: #1465796
  * nfs: fix high load average due to callback thread sleeping
    - LP: #1465796
  * e1000: add dummy allocator to fix race condition between mtu change and
    netpoll
    - LP: #1465796
  * wl18xx: show rx_frames_per_rates as an array as it really is
    - LP: #1465796
  * lib: memzero_explicit: use barrier instead of OPTIMIZER_HIDE_VAR
    - LP: #1465796
  * driver core: bus: Goto appropriate labels on failure in bus_add_device
    - LP: #1465796
  * C6x: time: Ensure consistency in __init
    - LP: #1465796
  * crypto: omap-aes - Fix support for unequal lengths
    - LP: #1465796
  * jhash: Update jhash_[321]words functions to use correct initval
    - LP: #1465796
  * KVM: use slowpath for cross page cached accesses
    - LP: #1465796
  * powerpc: Fix missing L2 cache size in /sys/devices/system/cpu
    - LP: #1465796
  * NFS: fix BUG() crash in notify_change() with patch to chown_common()
    - LP: #1465796
  * i2c: core: Export bus recovery functions
    - LP: #1465796
  * IB/mlx4: Fix WQE LSO segment calculation
    - LP: #1465796
  * mlx5: wrong page mask if CONFIG_ARCH_DMA_ADDR_T_64BIT enabled for 32Bit
    architectures
    - LP: #1465796
  * skbuff: Do not scrub skb mark within the same name space
    - LP: #1465796
  * firmware/ihex2fw.c: restore missing default in switch statement
    - LP: #1465796
  * memstick: mspro_block: add missing curly braces
    - LP: #1465796
  * tools/power turbostat: Use $(CURDIR) instead of $(PWD) and add support
    for O= option in Makefile
    - LP: #1465796
  * ext4: fix data corruption caused by unwritten and delayed extents
    - LP: #1465796
  * powerpc: Add vr save/restore functions
    - LP: #1465796
  * Linux 3.13.11-ckt21
    - LP: #1465796

 -- Luis Henriques <luis.henriques@xxxxxxxxxxxxx>  Thu, 18 Jun 2015
18:19:14 +0100

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1460657

Title:
  possible infinite loop when parsing CDC headers

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Utopic:
  Fix Released
Status in linux source package in Vivid:
  Fix Released

Bug description:
  Bug #1413992 's patch introduced a possible infinite loop.

  commit 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e
  Author: Quentin Casasnovas <quentin.casasnovas@xxxxxxxxxx>
  Date:   Tue Apr 14 11:25:43 2015 +0200

      cdc-acm: prevent infinite loop when parsing CDC headers.

      Phil and I found out a problem with commit:

        7e860a6e7aa6 ("cdc-acm: add sanity checks")

      It added some sanity checks to ignore potential garbage in CDC headers but
      also introduced a potential infinite loop.  This can happen at the first
      loop iteration (elength = 0 in that case) if the description isn't a
      DT_CS_INTERFACE or later if 'buffer[0]' is zero.

      It should also be noted that the wrong length was being added to 'buffer'
      in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
      assigned after that check in the loop.

      A specially crafted USB device could be used to trigger this
  infinite loop.

      Fixes: 7e860a6e7aa6 ("cdc-acm: add sanity checks")
      Signed-off-by: Phil Turnbull <phil.turnbull@xxxxxxxxxx>
      Signed-off-by: Quentin Casasnovas <quentin.casasnovas@xxxxxxxxxx>
      CC: Sergei Shtylyov <sergei.shtylyov@xxxxxxxxxxxxxxxxxx>
      CC: Oliver Neukum <oneukum@xxxxxxx>
      CC: Adam Lee <adam8157@xxxxxxxxx>
      CC: <stable@xxxxxxxxxxxxxxx>
      Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

  ===
  break-fix: 7e860a6e7aa62b337a61110430cd633db5b0d2dd 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1460657/+subscriptions


References