[kernel] r19912 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Mar 11 19:06:39 UTC 2013


Author: dannf
Date: Mon Mar 11 19:06:39 2013
New Revision: 19912

Log:
USB: io_ti: Fix NULL dereference in chase_port() (CVE-2013-1774)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/USB-io_ti-Fix-Null-dereference-in-chase-port.patch
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Sun Mar 10 23:52:58 2013	(r19911)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Mon Mar 11 19:06:39 2013	(r19912)
@@ -1,3 +1,9 @@
+linux-2.6 (2.6.32-48squeeze2) UNRELEASED; urgency=high
+
+  * USB: io_ti: Fix NULL dereference in chase_port() (CVE-2013-1774)
+
+ -- dann frazier <dannf at dannf.org>  Mon, 11 Mar 2013 08:47:43 +0100
+
 linux-2.6 (2.6.32-48squeeze1) stable-security; urgency=high
 
   * ptrace: Fix race condition allowing kernel stack corruption (CVE-2013-0871)
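Review bot: the new entry `* USB: io_ti: Fix NULL dereference in chase_port() (CVE-2013-1774)` names the CVE but not which variant of the fix is applied. The patch added in this revision says it is intended for the stable series and that a more elaborate patch was submitted for mainline. Saying so in the changelog line would help whoever later reconciles this package with an upstream stable update.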

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/USB-io_ti-Fix-Null-dereference-in-chase-port.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/USB-io_ti-Fix-Null-dereference-in-chase-port.patch	Mon Mar 11 19:06:39 2013	(r19912)
@@ -0,0 +1,98 @@
+commit 1ee0a224bc9aad1de496c795f96bc6ba2c394811
+Author: Wolfgang Frisch <wfpub at roembden.net>
+Date:   Thu Jan 17 01:07:02 2013 +0100
+
+    USB: io_ti: Fix NULL dereference in chase_port()
+    
+    The tty is NULL when the port is hanging up.
+    chase_port() needs to check for this.
+    
+    This patch is intended for stable series.
+    The behavior was observed and tested in Linux 3.2 and 3.7.1.
+    
+    Johan Hovold submitted a more elaborate patch for the mainline kernel.
+    
+    [   56.277883] usb 1-1: edge_bulk_in_callback - nonzero read bulk status received: -84
+    [   56.278811] usb 1-1: USB disconnect, device number 3
+    [   56.278856] usb 1-1: edge_bulk_in_callback - stopping read!
+    [   56.279562] BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
+    [   56.280536] IP: [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
+    [   56.281212] PGD 1dc1b067 PUD 1e0f7067 PMD 0
+    [   56.282085] Oops: 0002 [#1] SMP
+    [   56.282744] Modules linked in:
+    [   56.283512] CPU 1
+    [   56.283512] Pid: 25, comm: khubd Not tainted 3.7.1 #1 innotek GmbH VirtualBox/VirtualBox
+    [   56.283512] RIP: 0010:[<ffffffff8144e62a>]  [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
+    [   56.283512] RSP: 0018:ffff88001fa99ab0  EFLAGS: 00010046
+    [   56.283512] RAX: 0000000000000046 RBX: 00000000000001c8 RCX: 0000000000640064
+    [   56.283512] RDX: 0000000000010000 RSI: ffff88001fa99b20 RDI: 00000000000001c8
+    [   56.283512] RBP: ffff88001fa99b20 R08: 0000000000000000 R09: 0000000000000000
+    [   56.283512] R10: 0000000000000000 R11: ffffffff812fcb4c R12: ffff88001ddf53c0
+    [   56.283512] R13: 0000000000000000 R14: 00000000000001c8 R15: ffff88001e19b9f4
+    [   56.283512] FS:  0000000000000000(0000) GS:ffff88001fd00000(0000) knlGS:0000000000000000
+    [   56.283512] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+    [   56.283512] CR2: 00000000000001c8 CR3: 000000001dc51000 CR4: 00000000000006e0
+    [   56.283512] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+    [   56.283512] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+    [   56.283512] Process khubd (pid: 25, threadinfo ffff88001fa98000, task ffff88001fa94f80)
+    [   56.283512] Stack:
+    [   56.283512]  0000000000000046 00000000000001c8 ffffffff810578ec ffffffff812fcb4c
+    [   56.283512]  ffff88001e19b980 0000000000002710 ffffffff812ffe81 0000000000000001
+    [   56.283512]  ffff88001fa94f80 0000000000000202 ffffffff00000001 0000000000000296
+    [   56.283512] Call Trace:
+    [   56.283512]  [<ffffffff810578ec>] ? add_wait_queue+0x12/0x3c
+    [   56.283512]  [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
+    [   56.283512]  [<ffffffff812ffe81>] ? chase_port+0x84/0x2d6
+    [   56.283512]  [<ffffffff81063f27>] ? try_to_wake_up+0x199/0x199
+    [   56.283512]  [<ffffffff81263a5c>] ? tty_ldisc_hangup+0x222/0x298
+    [   56.283512]  [<ffffffff81300171>] ? edge_close+0x64/0x129
+    [   56.283512]  [<ffffffff810612f7>] ? __wake_up+0x35/0x46
+    [   56.283512]  [<ffffffff8106135b>] ? should_resched+0x5/0x23
+    [   56.283512]  [<ffffffff81264916>] ? tty_port_shutdown+0x39/0x44
+    [   56.283512]  [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
+    [   56.283512]  [<ffffffff8125d38c>] ? __tty_hangup+0x307/0x351
+    [   56.283512]  [<ffffffff812e6ddc>] ? usb_hcd_flush_endpoint+0xde/0xed
+    [   56.283512]  [<ffffffff8144e625>] ? _raw_spin_lock_irqsave+0x14/0x35
+    [   56.283512]  [<ffffffff812fd361>] ? usb_serial_disconnect+0x57/0xc2
+    [   56.283512]  [<ffffffff812ea99b>] ? usb_unbind_interface+0x5c/0x131
+    [   56.283512]  [<ffffffff8128d738>] ? __device_release_driver+0x7f/0xd5
+    [   56.283512]  [<ffffffff8128d9cd>] ? device_release_driver+0x1a/0x25
+    [   56.283512]  [<ffffffff8128d393>] ? bus_remove_device+0xd2/0xe7
+    [   56.283512]  [<ffffffff8128b7a3>] ? device_del+0x119/0x167
+    [   56.283512]  [<ffffffff812e8d9d>] ? usb_disable_device+0x6a/0x180
+    [   56.283512]  [<ffffffff812e2ae0>] ? usb_disconnect+0x81/0xe6
+    [   56.283512]  [<ffffffff812e4435>] ? hub_thread+0x577/0xe82
+    [   56.283512]  [<ffffffff8144daa7>] ? __schedule+0x490/0x4be
+    [   56.283512]  [<ffffffff8105798f>] ? abort_exclusive_wait+0x79/0x79
+    [   56.283512]  [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
+    [   56.283512]  [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
+    [   56.283512]  [<ffffffff810570b4>] ? kthread+0x81/0x89
+    [   56.283512]  [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
+    [   56.283512]  [<ffffffff8145387c>] ? ret_from_fork+0x7c/0xb0
+    [   56.283512]  [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
+    [   56.283512] Code: 8b 7c 24 08 e8 17 0b c3 ff 48 8b 04 24 48 83 c4 10 c3 53 48 89 fb 41 50 e8 e0 0a c3 ff 48 89 04 24 e8 e7 0a c3 ff ba 00 00 01 00
+    <f0> 0f c1 13 48 8b 04 24 89 d1 c1 ea 10 66 39 d1 74 07 f3 90 66
+    [   56.283512] RIP  [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
+    [   56.283512]  RSP <ffff88001fa99ab0>
+    [   56.283512] CR2: 00000000000001c8
+    [   56.283512] ---[ end trace 49714df27e1679ce ]---
+    
+    Signed-off-by: Wolfgang Frisch <wfpub at roembden.net>
+    Cc: Johan Hovold <jhovold at gmail.com>
+    Cc: stable <stable at vger.kernel.org>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+
+diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
+index 58184f3..82afc4d 100644
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -530,6 +530,9 @@ static void chase_port(struct edgeport_port *port, unsigned long timeout,
+ 	wait_queue_t wait;
+ 	unsigned long flags;
+ 
++	if (!tty)
++		return;
++
+ 	if (!timeout)
+ 		timeout = (HZ * EDGE_CLOSING_WAIT)/100;
+ 
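Review bot: the added `if (!tty) return;` at the top of chase_port() turns the whole function into a silent no-op when the port is hanging up, and nothing in the code says that skipping the rest of the function is intended. The only rationale is in the commit message ("The tty is NULL when the port is hanging up"), and the quoted call trace shows chase_port() reaching add_wait_queue() and faulting in _raw_spin_lock_irqsave at 0x1c8. A one-line comment above the check, for example `/* tty is NULL during hangup; nothing to wait on */`, would keep that reasoning with the code. Because the message also says a more elaborate patch was submitted for mainline, the patch header should state that this is the stable-series variant, so the difference is visible when the series is next rebased.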

Added: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Mon Mar 11 19:06:39 2013	(r19912)
@@ -0,0 +1 @@
++ bugfix/all/USB-io_ti-Fix-Null-dereference-in-chase-port.patch


