+++ /dev/null
-From 889c172b1e097eceefc5d9d3639c3862c98c6753 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
-Date: Wed, 20 Apr 2016 11:15:11 +0100
-Subject: [PATCH 1/2] cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-usbnet_link_change will call schedule_work and should be
-avoided if bind is failing. Otherwise we will end up with
-scheduled work referring to a netdev which has gone away.
-
-Instead of making the call conditional, we can just defer
-it to usbnet_probe, using the driver_info flag made for
-this purpose.
-
-Fixes: 8a34b0ae8778 ("usbnet: cdc_ncm: apply usbnet_link_change")
-Reported-by: Andrey Konovalov <andreyknvl@gmail.com>
-Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Bjørn Mork <bjorn@mork.no>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-(cherry picked from commit 4d06dd537f95683aba3651098ae288b7cbff8274)
-CVE-2016-3951
-BugLink: https://bugs.launchpad.net/bugs/1567191
-Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
-Signed-off-by: Kamal Mostafa <kamal@canonical.com>
----
- drivers/net/usb/cdc_ncm.c | 20 +++++---------------
- 1 file changed, 5 insertions(+), 15 deletions(-)
-
-diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
-index e8a1144..93c88a2 100644
---- a/drivers/net/usb/cdc_ncm.c
-+++ b/drivers/net/usb/cdc_ncm.c
-@@ -941,8 +941,6 @@ EXPORT_SYMBOL_GPL(cdc_ncm_select_altsetting);
-
- static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf)
- {
-- int ret;
--
- /* MBIM backwards compatible function? */
- if (cdc_ncm_select_altsetting(intf) != CDC_NCM_COMM_ALTSETTING_NCM)
- return -ENODEV;
-@@ -951,16 +949,7 @@ static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf)
- * Additionally, generic NCM devices are assumed to accept arbitrarily
- * placed NDP.
- */
-- ret = cdc_ncm_bind_common(dev, intf, CDC_NCM_DATA_ALTSETTING_NCM, 0);
--
-- /*
-- * We should get an event when network connection is "connected" or
-- * "disconnected". Set network connection in "disconnected" state
-- * (carrier is OFF) during attach, so the IP network stack does not
-- * start IPv6 negotiation and more.
-- */
-- usbnet_link_change(dev, 0, 0);
-- return ret;
-+ return cdc_ncm_bind_common(dev, intf, CDC_NCM_DATA_ALTSETTING_NCM, 0);
- }
-
- static void cdc_ncm_align_tail(struct sk_buff *skb, size_t modulus, size_t remainder, size_t max)
-@@ -1543,7 +1532,8 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb)
-
- static const struct driver_info cdc_ncm_info = {
- .description = "CDC NCM",
-- .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET,
-+ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
-+ | FLAG_LINK_INTR,
- .bind = cdc_ncm_bind,
- .unbind = cdc_ncm_unbind,
- .manage_power = usbnet_manage_power,
-@@ -1556,7 +1546,7 @@ static const struct driver_info cdc_ncm_info = {
- static const struct driver_info wwan_info = {
- .description = "Mobile Broadband Network Device",
- .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
-- | FLAG_WWAN,
-+ | FLAG_LINK_INTR | FLAG_WWAN,
- .bind = cdc_ncm_bind,
- .unbind = cdc_ncm_unbind,
- .manage_power = usbnet_manage_power,
-@@ -1569,7 +1559,7 @@ static const struct driver_info wwan_info = {
- static const struct driver_info wwan_noarp_info = {
- .description = "Mobile Broadband Network Device (NO ARP)",
- .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
-- | FLAG_WWAN | FLAG_NOARP,
-+ | FLAG_LINK_INTR | FLAG_WWAN | FLAG_NOARP,
- .bind = cdc_ncm_bind,
- .unbind = cdc_ncm_unbind,
- .manage_power = usbnet_manage_power,
---
-2.1.4
-
-From ac6b36fbfad65378b81338637254f0d23b35e2a1 Mon Sep 17 00:00:00 2001
-From: Oliver Neukum <oneukum@suse.com>
-Date: Wed, 20 Apr 2016 11:15:12 +0100
-Subject: [PATCH 2/2] usbnet: cleanup after bind() in probe()
-
-In case bind() works, but a later error forces bailing
-in probe() in error cases work and a timer may be scheduled.
-They must be killed. This fixes an error case related to
-the double free reported in
-http://www.spinics.net/lists/netdev/msg367669.html
-and needs to go on top of Linus' fix to cdc-ncm.
-
-Signed-off-by: Oliver Neukum <ONeukum@suse.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-(cherry picked from commit 1666984c8625b3db19a9abc298931d35ab7bc64b)
-CVE-2016-3951
-BugLink: https://bugs.launchpad.net/bugs/1567191
-Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
-Signed-off-by: Kamal Mostafa <kamal@canonical.com>
----
- drivers/net/usb/usbnet.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
-index 0744bf2..c2ea4e5 100644
---- a/drivers/net/usb/usbnet.c
-+++ b/drivers/net/usb/usbnet.c
-@@ -1766,6 +1766,13 @@ out3:
- if (info->unbind)
- info->unbind (dev, udev);
- out1:
-+ /* subdrivers must undo all they did in bind() if they
-+ * fail it, but we may fail later and a deferred kevent
-+ * may trigger an error resubmitting itself and, worse,
-+ * schedule a timer. So we kill it all just in case.
-+ */
-+ cancel_work_sync(&dev->kevent);
-+ del_timer_sync(&dev->delay);
- free_netdev(net);
- out:
- return status;
---
-2.1.4
-
+++ /dev/null
-From b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb Mon Sep 17 00:00:00 2001
-From: Ignat Korchagin <ignat.korchagin@gmail.com>
-Date: Thu, 17 Mar 2016 18:00:29 +0000
-Subject: USB: usbip: fix potential out-of-bounds write
-
-Fix potential out-of-bounds write to urb->transfer_buffer
-usbip handles network communication directly in the kernel. When receiving a
-packet from its peer, usbip code parses headers according to protocol. As
-part of this parsing urb->actual_length is filled. Since the input for
-urb->actual_length comes from the network, it should be treated as untrusted.
-Any entity controlling the network may put any value in the input and the
-preallocated urb->transfer_buffer may not be large enough to hold the data.
-Thus, the malicious entity is able to write arbitrary data to kernel memory.
-
-Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/usbip/usbip_common.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c
-index facaaf0..e40da77 100644
---- a/drivers/usb/usbip/usbip_common.c
-+++ b/drivers/usb/usbip/usbip_common.c
-@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb)
- if (!(size > 0))
- return 0;
-
-+ if (size > urb->transfer_buffer_length) {
-+ /* should not happen, probably malicious packet */
-+ if (ud->side == USBIP_STUB) {
-+ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP);
-+ return 0;
-+ } else {
-+ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
-+ return -EPIPE;
-+ }
-+ }
-+
- ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size);
- if (ret != size) {
- dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret);
---
-cgit v0.12
-
projects / pve-kernel-jessie.git / commitdiff