From: Greg Kroah-Hartman Date: Tue, 19 Apr 2016 05:55:02 +0000 (+0900) Subject: remove usbvision-fix-overflow-of-interfaces-array.patch from 3.14 and 4.4 X-Git-Tag: v3.14.67~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=48f6d158cc74a854613c557f667ac44f3fe56146;p=thirdparty%2Fkernel%2Fstable-queue.git remove usbvision-fix-overflow-of-interfaces-array.patch from 3.14 and 4.4 --- diff --git a/queue-3.14/series b/queue-3.14/series index 9f6fb03f8ae..3a4b04294e8 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -31,7 +31,6 @@ perf-cure-event-pending_disable-race.patch hid-usbhid-fix-inconsistent-reset-resume-reset-resume-behavior.patch revert-bad-backport-of-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_new.patch 0001-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_.patch -usbvision-fix-overflow-of-interfaces-array.patch usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch diff --git a/queue-3.14/usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch b/queue-3.14/usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch index 7f37b5e41bc..e78f93ec447 100644 --- a/queue-3.14/usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch +++ b/queue-3.14/usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch @@ -22,7 +22,7 @@ Signed-off-by: Greg Kroah-Hartman --- a/drivers/media/usb/usbvision/usbvision-video.c +++ b/drivers/media/usb/usbvision/usbvision-video.c -@@ -1546,9 +1546,23 @@ static int usbvision_probe(struct usb_in +@@ -1539,9 +1539,23 @@ static int usbvision_probe(struct usb_in if (usbvision_device_data[model].interface >= 0) interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0]; diff --git a/queue-3.14/usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch b/queue-3.14/usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch index 32ebdf407a0..ac312119d95 100644 --- a/queue-3.14/usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch +++ b/queue-3.14/usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch @@ -41,7 +41,7 @@ Signed-off-by: Greg Kroah-Hartman } printk(KERN_INFO "%s: %s found\n", __func__, usbvision_device_data[model].model_string); -@@ -1553,18 +1554,21 @@ static int usbvision_probe(struct usb_in +@@ -1546,18 +1547,21 @@ static int usbvision_probe(struct usb_in __func__, ifnum); dev_err(&intf->dev, "%s: Endpoint attributes %d", __func__, endpoint->bmAttributes); @@ -66,7 +66,7 @@ Signed-off-by: Greg Kroah-Hartman } if (dev->descriptor.bNumConfigurations > 1) -@@ -1583,8 +1587,8 @@ static int usbvision_probe(struct usb_in +@@ -1576,8 +1580,8 @@ static int usbvision_probe(struct usb_in usbvision->alt_max_pkt_size = kmalloc(32 * usbvision->num_alt, GFP_KERNEL); if (usbvision->alt_max_pkt_size == NULL) { dev_err(&intf->dev, "usbvision: out of memory!\n"); @@ -77,7 +77,7 @@ Signed-off-by: Greg Kroah-Hartman } for (i = 0; i < usbvision->num_alt; i++) { -@@ -1619,6 +1623,12 @@ static int usbvision_probe(struct usb_in +@@ -1612,6 +1616,12 @@ static int usbvision_probe(struct usb_in PDEBUG(DBG_PROBE, "success"); return 0; diff --git a/queue-3.14/usbvision-fix-overflow-of-interfaces-array.patch b/queue-3.14/usbvision-fix-overflow-of-interfaces-array.patch deleted file mode 100644 index 36c1fc209a8..00000000000 --- a/queue-3.14/usbvision-fix-overflow-of-interfaces-array.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 588afcc1c0e45358159090d95bf7b246fb67565f Mon Sep 17 00:00:00 2001 -From: Oliver Neukum -Date: Tue, 27 Oct 2015 09:51:34 -0200 -Subject: [media] usbvision fix overflow of interfaces array - -From: Oliver Neukum - -commit 588afcc1c0e45358159090d95bf7b246fb67565f upstream. - -This fixes the crash reported in: -http://seclists.org/bugtraq/2015/Oct/35 -The interface number needs a sanity check. - -Signed-off-by: Oliver Neukum -Cc: Vladis Dronov -Signed-off-by: Hans Verkuil -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/media/usb/usbvision/usbvision-video.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/drivers/media/usb/usbvision/usbvision-video.c -+++ b/drivers/media/usb/usbvision/usbvision-video.c -@@ -1536,6 +1536,13 @@ static int usbvision_probe(struct usb_in - printk(KERN_INFO "%s: %s found\n", __func__, - usbvision_device_data[model].model_string); - -+ /* -+ * this is a security check. -+ * an exploit using an incorrect bInterfaceNumber is known -+ */ -+ if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum]) -+ return -ENODEV; -+ - if (usbvision_device_data[model].interface >= 0) - interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0]; - else diff --git a/queue-4.4/series b/queue-4.4/series index aa8dd4a6650..ae2a644e1a9 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -132,6 +132,5 @@ revert-x86-pci-don-t-alloc-pcibios-irq-when-msi-is-enabled.patch revert-pci-add-helpers-to-manage-pci_dev-irq-and-pci_dev-irq_managed.patch revert-pci-x86-implement-pcibios_alloc_irq-and-pcibios_free_irq.patch staging-android-ion-set-the-length-of-the-dma-sg-entries-in-buffer.patch -usbvision-fix-overflow-of-interfaces-array.patch usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch diff --git a/queue-4.4/usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch b/queue-4.4/usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch index bb143cdf9fe..bf7a3fb5309 100644 --- a/queue-4.4/usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch +++ b/queue-4.4/usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch @@ -22,7 +22,7 @@ Signed-off-by: Greg Kroah-Hartman --- a/drivers/media/usb/usbvision/usbvision-video.c +++ b/drivers/media/usb/usbvision/usbvision-video.c -@@ -1470,9 +1470,23 @@ static int usbvision_probe(struct usb_in +@@ -1463,9 +1463,23 @@ static int usbvision_probe(struct usb_in if (usbvision_device_data[model].interface >= 0) interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0]; diff --git a/queue-4.4/usbvision-fix-overflow-of-interfaces-array.patch b/queue-4.4/usbvision-fix-overflow-of-interfaces-array.patch deleted file mode 100644 index 7935320f7e9..00000000000 --- a/queue-4.4/usbvision-fix-overflow-of-interfaces-array.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 588afcc1c0e45358159090d95bf7b246fb67565f Mon Sep 17 00:00:00 2001 -From: Oliver Neukum -Date: Tue, 27 Oct 2015 09:51:34 -0200 -Subject: [media] usbvision fix overflow of interfaces array - -From: Oliver Neukum - -commit 588afcc1c0e45358159090d95bf7b246fb67565f upstream. - -This fixes the crash reported in: -http://seclists.org/bugtraq/2015/Oct/35 -The interface number needs a sanity check. - -Signed-off-by: Oliver Neukum -Cc: Vladis Dronov -Signed-off-by: Hans Verkuil -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/media/usb/usbvision/usbvision-video.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/drivers/media/usb/usbvision/usbvision-video.c -+++ b/drivers/media/usb/usbvision/usbvision-video.c -@@ -1461,6 +1461,13 @@ static int usbvision_probe(struct usb_in - printk(KERN_INFO "%s: %s found\n", __func__, - usbvision_device_data[model].model_string); - -+ /* -+ * this is a security check. -+ * an exploit using an incorrect bInterfaceNumber is known -+ */ -+ if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum]) -+ return -ENODEV; -+ - if (usbvision_device_data[model].interface >= 0) - interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0]; - else