Re: Patch "[media] usbvision fix overflow of interfaces array" has been added to the 4.4-stable tree

[Vladis Dronov <vdronov@redhat.com>]

>> If you, or anyone else, feels it should not be added to the stable tree,
>> please let <stable@vger.kernel.org> know about it.

please, do not add 588afcc1. reasons: see upstream commit:

commit d5468d7afaa9c9e961e150f0455a14a9f4872a98
[media] usbvision: revert commit 588afcc1

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer


----- Original Message -----
From: gregkh@linuxfoundation.org
To: oneukum@suse.com, gregkh@linuxfoundation.org, "hans verkuil" <hans.verkuil@cisco.com>, mchehab@osg.samsung.com, moritz@wikimedia.org, vdronov@redhat.com
Cc: stable@vger.kernel.org, stable-commits@vger.kernel.org
Sent: Saturday, June 4, 2016 9:43:20 PM
Subject: Patch "[media] usbvision fix overflow of interfaces array" has been added to the 4.4-stable tree

This is a note to let you know that I've just added the patch titled

    [media] usbvision fix overflow of interfaces array

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usbvision-fix-overflow-of-interfaces-array.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.

>From 588afcc1c0e45358159090d95bf7b246fb67565f Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Tue, 27 Oct 2015 09:51:34 -0200
Subject: [media] usbvision fix overflow of interfaces array

From: Oliver Neukum <oneukum@suse.com>

commit 588afcc1c0e45358159090d95bf7b246fb67565f upstream.

This fixes the crash reported in:
http://seclists.org/bugtraq/2015/Oct/35
The interface number needs a sanity check.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Cc: Moritz Muehlenhoff <moritz@wikimedia.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/usbvision/usbvision-video.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1461,6 +1461,13 @@ static int usbvision_probe(struct usb_in
 	printk(KERN_INFO "%s: %s found\n", __func__,
 				usbvision_device_data[model].model_string);
 
+	/*
+	 * this is a security check.
+	 * an exploit using an incorrect bInterfaceNumber is known
+	 */
+	if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
+		return -ENODEV;
+
 	if (usbvision_device_data[model].interface >= 0)
 		interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
 	else if (ifnum < dev->actconfig->desc.bNumInterfaces)


Patches currently in stable-queue which might be from oneukum@suse.com are

queue-4.4/usbvision-fix-overflow-of-interfaces-array.patch