[meta-freescale] [meta-fsl-ppc krogoth][PATCH] kernel: CVE-2015-8816

Sona Sarmadi sona.sarmadi at enea.com
Fri Nov 25 03:30:46 PST 2016


Fixes an invalid memory access in the USB hub driver's hub_activate().

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8816

Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=a706ac408da4994438d995d2cf4d2f7943086ca4

Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
---
 recipes-kernel/linux/files/CVE-2015-8816.patch | 96 ++++++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq_3.12.bb       |  1 +
 2 files changed, 97 insertions(+)
 create mode 100644 recipes-kernel/linux/files/CVE-2015-8816.patch

diff --git a/recipes-kernel/linux/files/CVE-2015-8816.patch b/recipes-kernel/linux/files/CVE-2015-8816.patch
new file mode 100644
index 0000000..a2bc55b
--- /dev/null
+++ b/recipes-kernel/linux/files/CVE-2015-8816.patch
@@ -0,0 +1,96 @@
+From a706ac408da4994438d995d2cf4d2f7943086ca4 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern at rowland.harvard.edu>
+Date: Wed, 16 Dec 2015 13:32:38 -0500
+Subject: USB: fix invalid memory access in hub_activate()
+
+commit e50293ef9775c5f1cf3fcc093037dd6a8c5684ea upstream.
+
+Commit 8520f38099cc ("USB: change hub initialization sleeps to
+delayed_work") changed the hub_activate() routine to make part of it
+run in a workqueue.  However, the commit failed to take a reference to
+the usb_hub structure or to lock the hub interface while doing so.  As
+a result, if a hub is plugged in and quickly unplugged before the work
+routine can run, the routine will try to access memory that has been
+deallocated.  Or, if the hub is unplugged while the routine is
+running, the memory may be deallocated while it is in active use.
+
+This patch fixes the problem by taking a reference to the usb_hub at
+the start of hub_activate() and releasing it at the end (when the work
+is finished), and by locking the hub interface while the work routine
+is running.  It also adds a check at the start of the routine to see
+if the hub has already been disconnected, in which nothing should be
+done.
+
+CVE: CVE-2015-8816
+Upstream-Status: Backport
+
+Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
+Reported-by: Alexandru Cornea <alexandru.cornea at intel.com>
+Tested-by: Alexandru Cornea <alexandru.cornea at intel.com>
+Fixes: 8520f38099cc ("USB: change hub initialization sleeps to delayed_work")
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ drivers/usb/core/hub.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index a7de5da..fdcf290 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -114,6 +114,7 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rwsem);
+ #define HUB_DEBOUNCE_STABLE	 100
+ 
+ static int usb_reset_and_verify_device(struct usb_device *udev);
++static void hub_release(struct kref *kref);
+ 
+ static inline char *portspeed(struct usb_hub *hub, int portstatus)
+ {
+@@ -1030,10 +1031,20 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ 	unsigned delay;
+ 
+ 	/* Continue a partial initialization */
+-	if (type == HUB_INIT2)
+-		goto init2;
+-	if (type == HUB_INIT3)
++	if (type == HUB_INIT2 || type == HUB_INIT3) {
++		device_lock(hub->intfdev);
++
++		/* Was the hub disconnected while we were waiting? */
++		if (hub->disconnected) {
++			device_unlock(hub->intfdev);
++			kref_put(&hub->kref, hub_release);
++			return;
++		}
++		if (type == HUB_INIT2)
++			goto init2;
+ 		goto init3;
++	}
++	kref_get(&hub->kref);
+ 
+ 	/* The superspeed hub except for root hub has to use Hub Depth
+ 	 * value as an offset into the route string to locate the bits
+@@ -1230,6 +1241,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ 			PREPARE_DELAYED_WORK(&hub->init_work, hub_init_func3);
+ 			schedule_delayed_work(&hub->init_work,
+ 					msecs_to_jiffies(delay));
++			device_unlock(hub->intfdev);
+ 			return;		/* Continues at init3: below */
+ 		} else {
+ 			msleep(delay);
+@@ -1250,6 +1262,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ 	/* Allow autosuspend if it was suppressed */
+ 	if (type <= HUB_INIT3)
+ 		usb_autopm_put_interface_async(to_usb_interface(hub->intfdev));
++
++	if (type == HUB_INIT2 || type == HUB_INIT3)
++		device_unlock(hub->intfdev);
++
++	kref_put(&hub->kref, hub_release);
+ }
+ 
+ /* Implement the continuations for the delays above */
+-- 
+cgit v0.12
+
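Review bot: The mainline commit id for this fix is recorded only inside the added patch header (`commit e50293ef9775c5f1cf3fcc093037dd6a8c5684ea upstream`), while the cover letter's "Upstream fix" link points at the linux-stable backport a706ac408da4994438d995d2cf4d2f7943086ca4; tooling that checks CVE-2015-8816 coverage usually keys on the mainline id, so the recipe-side record should name both. The quoted hunks appear to match the stable 3.12 backport, but they rely on the `hub->disconnected` flag and the later-defined `hub_release()` (now forward-declared) existing in the FSL qoriq 3.12 tree, which cannot be confirmed from this hunk. hub_activate() starts and ends outside the quoted hunks, so the pairing of the `kref_get(&hub->kref)` on the HUB_INIT entry path with the final `kref_put(&hub->kref, hub_release)`, and of `device_lock(hub->intfdev)` with the `device_unlock()` before the early `return` in the HUB_INIT2 path, can only be verified against the target tree when the patch is applied.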
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index e3ba079..a9dee4c 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -7,5 +7,6 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;branch=sdk-v1.9.x \
     file://Trusty-SRU-ipc-fix-compat-msgrcv-with-negative-msgtyp.patch \
     file://CVE-2015-8539.patch \
     file://CVE-2015-8767.patch \
+    file://CVE-2015-8816.patch \
 "
 SRCREV = "43cecda943a6c40a833b588801b0929e8bd48813"
-- 
1.9.1


