[meta-freescale] [meta-fsl-ppc krogoth][PATCH] kernel: CVE-2015-8816
Sona Sarmadi
sona.sarmadi at enea.com
Fri Nov 25 03:30:46 PST 2016
Fixes USB hub invalid memory access in hub_activate().
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8816
Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=a706ac408da4994438d995d2cf4d2f7943086ca4
Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
---
recipes-kernel/linux/files/CVE-2015-8816.patch | 96 ++++++++++++++++++++++++++
recipes-kernel/linux/linux-qoriq_3.12.bb | 1 +
2 files changed, 97 insertions(+)
create mode 100644 recipes-kernel/linux/files/CVE-2015-8816.patch
diff --git a/recipes-kernel/linux/files/CVE-2015-8816.patch b/recipes-kernel/linux/files/CVE-2015-8816.patch
new file mode 100644
index 0000000..a2bc55b
--- /dev/null
+++ b/recipes-kernel/linux/files/CVE-2015-8816.patch
@@ -0,0 +1,96 @@
+From a706ac408da4994438d995d2cf4d2f7943086ca4 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern at rowland.harvard.edu>
+Date: Wed, 16 Dec 2015 13:32:38 -0500
+Subject: USB: fix invalid memory access in hub_activate()
+
+commit e50293ef9775c5f1cf3fcc093037dd6a8c5684ea upstream.
+
+Commit 8520f38099cc ("USB: change hub initialization sleeps to
+delayed_work") changed the hub_activate() routine to make part of it
+run in a workqueue. However, the commit failed to take a reference to
+the usb_hub structure or to lock the hub interface while doing so. As
+a result, if a hub is plugged in and quickly unplugged before the work
+routine can run, the routine will try to access memory that has been
+deallocated. Or, if the hub is unplugged while the routine is
+running, the memory may be deallocated while it is in active use.
+
+This patch fixes the problem by taking a reference to the usb_hub at
+the start of hub_activate() and releasing it at the end (when the work
+is finished), and by locking the hub interface while the work routine
+is running. It also adds a check at the start of the routine to see
+if the hub has already been disconnected, in which nothing should be
+done.
+
+CVE: CVE-2015-8816
+Upstream-Status: Backport
+
+Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
+Reported-by: Alexandru Cornea <alexandru.cornea at intel.com>
+Tested-by: Alexandru Cornea <alexandru.cornea at intel.com>
+Fixes: 8520f38099cc ("USB: change hub initialization sleeps to delayed_work")
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ drivers/usb/core/hub.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index a7de5da..fdcf290 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -114,6 +114,7 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rwsem);
+ #define HUB_DEBOUNCE_STABLE 100
+
+ static int usb_reset_and_verify_device(struct usb_device *udev);
++static void hub_release(struct kref *kref);
+
+ static inline char *portspeed(struct usb_hub *hub, int portstatus)
+ {
+@@ -1030,10 +1031,20 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ unsigned delay;
+
+ /* Continue a partial initialization */
+- if (type == HUB_INIT2)
+- goto init2;
+- if (type == HUB_INIT3)
++ if (type == HUB_INIT2 || type == HUB_INIT3) {
++ device_lock(hub->intfdev);
++
++ /* Was the hub disconnected while we were waiting? */
++ if (hub->disconnected) {
++ device_unlock(hub->intfdev);
++ kref_put(&hub->kref, hub_release);
++ return;
++ }
++ if (type == HUB_INIT2)
++ goto init2;
+ goto init3;
++ }
++ kref_get(&hub->kref);
+
+ /* The superspeed hub except for root hub has to use Hub Depth
+ * value as an offset into the route string to locate the bits
+@@ -1230,6 +1241,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ PREPARE_DELAYED_WORK(&hub->init_work, hub_init_func3);
+ schedule_delayed_work(&hub->init_work,
+ msecs_to_jiffies(delay));
++ device_unlock(hub->intfdev);
+ return; /* Continues at init3: below */
+ } else {
+ msleep(delay);
+@@ -1250,6 +1262,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ /* Allow autosuspend if it was suppressed */
+ if (type <= HUB_INIT3)
+ usb_autopm_put_interface_async(to_usb_interface(hub->intfdev));
++
++ if (type == HUB_INIT2 || type == HUB_INIT3)
++ device_unlock(hub->intfdev);
++
++ kref_put(&hub->kref, hub_release);
+ }
+
+ /* Implement the continuations for the delays above */
+--
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index e3ba079..a9dee4c 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -7,5 +7,6 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;branch=sdk-v1.9.x \
file://Trusty-SRU-ipc-fix-compat-msgrcv-with-negative-msgtyp.patch \
file://CVE-2015-8539.patch \
file://CVE-2015-8767.patch \
+ file://CVE-2015-8816.patch \
"
SRCREV = "43cecda943a6c40a833b588801b0929e8bd48813"
--
1.9.1
More information about the meta-freescale
mailing list