possible infinite loop when parsing CDC headers

Bug #1460657 reported by Adam Lee on 2015-06-01
Affects                Status  Importance  Assigned to  Milestone
linux (Ubuntu)                 High        Adam Lee
Trusty                         High        Adam Lee
Utopic                         High        Adam Lee
Vivid                          High        Adam Lee

Bug Description

The patch for bug #1413992 introduced a possible infinite loop.

commit 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e
Author: Quentin Casasnovas <email address hidden>
Date: Tue Apr 14 11:25:43 2015 +0200

    cdc-acm: prevent infinite loop when parsing CDC headers.

    Phil and I found out a problem with commit:

      7e860a6e7aa6 ("cdc-acm: add sanity checks")

    It added some sanity checks to ignore potential garbage in CDC headers but
    also introduced a potential infinite loop. This can happen at the first
    loop iteration (elength = 0 in that case) if the description isn't a
    DT_CS_INTERFACE or later if 'buffer[0]' is zero.

    It should also be noted that the wrong length was being added to 'buffer'
    in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
    assigned after that check in the loop.

    A specially crafted USB device could be used to trigger this infinite loop.

    Fixes: 7e860a6e7aa6 ("cdc-acm: add sanity checks")
    Signed-off-by: Phil Turnbull <email address hidden>
    Signed-off-by: Quentin Casasnovas <email address hidden>
    CC: Sergei Shtylyov <email address hidden>
    CC: Oliver Neukum <email address hidden>
    CC: Adam Lee <email address hidden>
    CC: <email address hidden>
    Signed-off-by: Greg Kroah-Hartman <email address hidden>

===
break-fix: 7e860a6e7aa62b337a61110430cd633db5b0d2dd 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e
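The commit message describes the loop only in words. The C model below is added here and is not the kernel's code or anything from the report: it contrasts the broken loop shape (length assigned after the descriptor-type check, stale on skips and zero on the first iteration) with the fixed shape (length read first, zero treated as a single garbage byte) on three constructed descriptor buffers. The function names, the buffers and the max_iters guard are assumptions of this illustration.

```c
#include <stdint.h>
#define USB_DT_CS_INTERFACE 0x24   /* class-specific interface descriptor type */

/* Loop shape the commit message describes as broken: elength is assigned only
 * after the type check, so a non-CS_INTERFACE descriptor advances by the stale
 * elength (0 on the first iteration) and a zero length byte advances by 0.
 * max_iters is a guard for this model only: -1 means the real loop never ends. */
int walk_cdc_headers_unfixed(const uint8_t *buffer, int buflen, int max_iters)
{
	int elength = 0, seen = 0;
	while (buflen > 0) {
		if (max_iters-- == 0)
			return -1;                   /* real code would spin forever */
		if (buffer[1] != USB_DT_CS_INTERFACE)
			goto next_desc;              /* skips using a stale elength */
		elength = buffer[0];                 /* may be 0: no progress */
		seen++;
next_desc:
		buflen -= elength;
		buffer += elength;
	}
	return seen;
}

/* Fixed shape: read the length first, treat zero as one garbage byte, then
 * check the type, so every iteration advances at least one byte. */
int walk_cdc_headers_fixed(const uint8_t *buffer, int buflen)
{
	int elength, seen = 0;
	while (buflen > 0) {
		elength = buffer[0];
		if (!elength) {
			elength = 1;                 /* skip garbage byte */
			goto next_desc;
		}
		if (buffer[1] != USB_DT_CS_INTERFACE)
			goto next_desc;              /* skip garbage with its real length */
		seen++;
next_desc:
		buflen -= elength;
		buffer += elength;
	}
	return seen;
}

/* Constructed buffers (not from the report); 0x07,0x05,... is a 7-byte
 * endpoint descriptor standing in for "not a CS_INTERFACE descriptor". */
static const uint8_t endpoint_first[] = { 0x07,0x05,0x81,0x03,0x08,0x00,0x10, 0x05,0x24,0x00,0x10,0x01 };
static const uint8_t zero_length[] = { 0x05,0x24,0x00,0x10,0x01, 0x00,0x24, 0x04,0x24,0x02,0x02 };
static const uint8_t endpoint_between[] = { 0x04,0x24,0x02,0x02, 0x07,0x05,0x81,0x03,0x08,0x00,0x10, 0x04,0x24,0x06,0x00 };
```

The third buffer shows the "wrong length" point from the commit message: the unfixed walk strides over the endpoint descriptor with the stale length and never reaches the union descriptor behind it, while the fixed walk counts both CS_INTERFACE descriptors.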

Adam Lee (adam8157) wrote :

It's already in stable tree now.

Andy Whitcroft (apw) on 2015-06-01
description: updated
tags: added: kernel-bug-break-fix
Andy Whitcroft (apw) on 2015-06-01
Changed in linux (Ubuntu Trusty):
status: New → Confirmed
Changed in linux (Ubuntu Utopic):
status: New → Confirmed
Changed in linux (Ubuntu Vivid):
status: New → Confirmed
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Andy Whitcroft (apw) on 2015-06-04
Changed in linux (Ubuntu Trusty):
status: Confirmed → Fix Committed
Changed in linux (Ubuntu Utopic):
status: Confirmed → Fix Committed
Changed in linux (Ubuntu Vivid):
status: Confirmed → Fix Committed
Adam Lee (adam8157) on 2015-06-05
Changed in linux (Ubuntu Trusty):
importance: Undecided → High
Changed in linux (Ubuntu Utopic):
importance: Undecided → High
Changed in linux (Ubuntu Vivid):
importance: Undecided → High
Changed in linux (Ubuntu Trusty):
assignee: nobody → Adam Lee (adam8157)
Changed in linux (Ubuntu Utopic):
assignee: nobody → Adam Lee (adam8157)
Changed in linux (Ubuntu Vivid):
assignee: nobody → Adam Lee (adam8157)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.19.0-22.22

---------------
linux (3.19.0-22.22) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1465755

  [ Tai Nguyen ]

  * SAUCE: power: reset: Add syscon reboot device node for APM X-Gene
    platform
    - LP: #1463211

  [ Upstream Kernel Changes ]

  * Revert "dm crypt: fix deadlock when async crypto algorithm returns
    -EBUSY"
    - LP: #1465696
  * Bluetooth: ath3k: Add a new ID 0cf3:e006 to ath3k list
    - LP: #1459934
  * cdc-acm: prevent infinite loop when parsing CDC headers.
    - LP: #1460657
  * (upstream) libata: Blacklist queued TRIM on all Samsung 800-series
    - LP: #1338706, #1449005
  * powerpc/powernv: Check image loaded or not before calling flash
    - LP: #1461553
  * ahci: avoton port-disable reset-quirk
    - LP: #1458617
  * Bluetooth: btusb: support public address configuration for ath3012
    - LP: #1459937
  * Bluetooth: btusb: Add setup callback for chip init on USB
    - LP: #1459937
  * Bluetooth: btusb: Add support for QCA ROME chipset family
    - LP: #1459937
  * Bluetooth: btusb: Fix incorrect type in qca_device_info
    - LP: #1459937
  * Bluetooth: btusb: Fix minor whitespace issue in QCA ROME device entries
    - LP: #1459937
  * Bluetooth: btusb: Add support for 0cf3:e007
    - LP: #1459937
  * storvsc: Set the SRB flags correctly when no data transfer is needed
    - LP: #1439780
  * vfs: read file_handle only once in handle_to_path
    - LP: #1416503
    - CVE-2015-1420
  * ozwpan: Use unsigned ints to prevent heap overflow
    - LP: #1463442
    - CVE-2015-4001
  * ozwpan: divide-by-zero leading to panic
    - LP: #1463445
    - CVE-2015-4003
  * ozwpan: Use proper check to prevent heap overflow
    - LP: #1463444
    - CVE-2015-4002
  * ozwpan: unchecked signed subtraction leads to DoS
    - LP: #1463444
    - CVE-2015-4002
  * enclosure: fix WARN_ON removing an adapter in multi-path devices
    - LP: #1415178
  * ASoC: tfa9879: Fix return value check in tfa9879_i2c_probe()
    - LP: #1465696
  * ASoC: samsung: s3c24xx-i2s: Fix return value check in
    s3c24xx_iis_dev_probe()
    - LP: #1465696
  * ASoC: dapm: Enable autodisable on SOC_DAPM_SINGLE_TLV_AUTODISABLE
    - LP: #1465696
  * ASoC: rt5677: add register patch for PLL
    - LP: #1465696
  * btrfs: unlock i_mutex after attempting to delete subvolume during send
    - LP: #1465696
  * ALSA: hda - Fix mute-LED fixed mode
    - LP: #1465696
  * ALSA: hda - Add mute-LED mode control to Thinkpad
    - LP: #1465696
  * arm64: dma-mapping: always clear allocated buffers
    - LP: #1465696
  * ALSA: emu10k1: Fix card shortname string buffer overflow
    - LP: #1465696
  * ALSA: emux: Fix mutex deadlock at unloading
    - LP: #1465696
  * drm/radeon: Use drm_calloc_ab for CS relocs
    - LP: #1465696
  * drm/radeon: adjust pll when audio is not enabled
    - LP: #1465696
  * drm/radeon: add SI DPM quirk for Sapphire R9 270 Dual-X 2G GDDR5
    - LP: #1465696
  * drm/radeon: fix lockup when BOs aren't part of the VM on release
    - LP: #1465696
  * drm/radeon: reset BOs address after clearing it.
    - LP: #1465696
  * drm/radeon: check new address before removing old one
  ...


Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Adam Lee (adam8157) on 2015-06-19
Changed in linux (Ubuntu Vivid):
status: Fix Committed → Fix Released
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-vivid' to 'verification-done-vivid'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-utopic' to 'verification-done-utopic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty verification-needed-utopic verification-needed-vivid
Adam Lee (adam8157) wrote :

This patch was in stable tree, and we can't reproduce it actually, so just waive the verification.

tags: added: verification-done-trusty verification-done-utopic verification-done-vivid
removed: verification-needed-trusty verification-needed-utopic verification-needed-vivid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.16.0-43.58

---------------
linux (3.16.0-43.58) utopic; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1466792

  [ Brad Figg ]

  * Merged back Ubuntu-3.16.0-41.57 regression fix for security release

linux (3.16.0-42.56) utopic; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1465714

  [ Chris J Arges ]

  * [config] CONFIG_IPMI_POWERNV=m on ppc64el
    - LP: #1439562

  [ Luis Henriques ]

  * [Config] Disable CONFIG_USB_OTG
    - LP: #1411295

  [ Upstream Kernel Changes ]

  * Revert "i2c: Mark adapter devices with pm_runtime_no_callbacks"
    - LP: #1465613
  * Revert "mm/hugetlb: use pmd_page() in follow_huge_pmd()"
    - LP: #1465613
  * cdc-acm: prevent infinite loop when parsing CDC headers.
    - LP: #1460657
  * drivers/char/ipmi: Add powernv IPMI driver
    - LP: #1439562
  * powerpc/powernv: Add OPAL IPMI interface
    - LP: #1439562
  * powerpc/powernv: Support OPAL requested heartbeat
    - LP: #1439562
  * powerpc/kernel: Make syscall_exit a local label
    - LP: #1439562
  * powerpc: Remove old compile time disabled syscall tracing code
    - LP: #1439562
  * powerpc/powernv: Remove "opal" prefix from pr_xxx()s
    - LP: #1439562
  * powerpc/powernv: Separate function for OPAL IRQ setup
    - LP: #1439562
  * powerpc/powernv: Add OPAL message notifier unregister function
    - LP: #1439562
  * device: Add dev_of_node() accessor
    - LP: #1439562
  * drivers/core/of: Add symlink to device-tree from devices with an OF
    node
    - LP: #1439562
  * powerpc: Add a proper syscall for switching endianness
    - LP: #1439562
  * (upstream) libata: Blacklist queued TRIM on all Samsung 800-series
    - LP: #1338706, #1449005
  * ahci: avoton port-disable reset-quirk
    - LP: #1458617
  * udf: Remove repeated loads blocksize
    - LP: #1462173
    - CVE-2015-4167
  * udf: Check length of extended attributes and allocation descriptors
    - LP: #1462173
    - CVE-2015-4167
  * (upstream)scsi_lib: remove the description string in
    scsi_io_completion()
    - LP: #1449372
  * vfs: read file_handle only once in handle_to_path
    - LP: #1416503
    - CVE-2015-1420
  * ozwpan: Use unsigned ints to prevent heap overflow
    - LP: #1463442
    - CVE-2015-4001
  * ozwpan: divide-by-zero leading to panic
    - LP: #1463445
    - CVE-2015-4003
  * ozwpan: Use proper check to prevent heap overflow
    - LP: #1463444
    - CVE-2015-4002
  * ozwpan: unchecked signed subtraction leads to DoS
    - LP: #1463444
    - CVE-2015-4002
  * net: eth: xgene: devm_ioremap() returns NULL on error
    - LP: #1458042
  * drivers: net: xgene: fix new firmware backward compatibility with older
    driver
    - LP: #1458042
  * drivers: net: xgene: constify of_device_id array
    - LP: #1458042
  * drivers: net: xgene: Add second SGMII based 1G interface
    - LP: #1458042
  * dtb: change binding name to match with newer firmware DT
    - LP: #1458042
  * dtb: xgene: Add second SGMII based 1G interface node
    - LP: #1458042
  * mlx4: Fix tx ring affinity_mask creation
    - LP: #1465613
  * net/mlx4_en: Schedule napi when RX buffers allocation fails
    - LP: #1465613
...

Changed in linux (Ubuntu Utopic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-57.95

---------------
linux (3.13.0-57.95) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1466592

  [ Brad Figg ]

  * Merged back Ubuntu-3.13.0-55.94 regression fix for security release

linux (3.13.0-56.93) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1465798

  [ Upstream Kernel Changes ]

  * net: eth: xgene: devm_ioremap() returns NULL on error
    - LP: #1458042
  * drivers: net: xgene: fix new firmware backward compatibility with older
    driver
    - LP: #1458042
  * drivers: net: xgene: constify of_device_id array
    - LP: #1458042
  * drivers: net: xgene: Add second SGMII based 1G interface
    - LP: #1458042
  * net: phy: re-design phy_modes to be self-contained
    - LP: #1458042
  * dtb: change binding name to match with newer firmware DT
    - LP: #1458042
  * dtb: xgene: Add second SGMII based 1G interface node
    - LP: #1458042
  * Btrfs: make xattr replace operations atomic
    - LP: #1438501
    - CVE-2014-9710
  * cdc-acm: prevent infinite loop when parsing CDC headers.
    - LP: #1460657
  * (upstream) libata: Blacklist queued TRIM on all Samsung 800-series
    - LP: #1338706, #1449005
  * ahci: avoton port-disable reset-quirk
    - LP: #1458617
  * xfs: avoid false quotacheck after unclean shutdown
    - LP: #1461730
  * (upstream)[SCSI] Add timeout to avoid infinite command retry
    - LP: #1449372
  * (upstream)scsi_lib: remove the description string in
    scsi_io_completion()
    - LP: #1449372
  * udf: Remove repeated loads blocksize
    - LP: #1462173
    - CVE-2015-4167
  * udf: Check length of extended attributes and allocation descriptors
    - LP: #1462173
    - CVE-2015-4167
  * vfs: read file_handle only once in handle_to_path
    - LP: #1416503
    - CVE-2015-1420
  * ozwpan: Use unsigned ints to prevent heap overflow
    - LP: #1463442
    - CVE-2015-4001
  * ozwpan: divide-by-zero leading to panic
    - LP: #1463445
    - CVE-2015-4003
  * ozwpan: Use proper check to prevent heap overflow
    - LP: #1463444
    - CVE-2015-4002
  * ozwpan: unchecked signed subtraction leads to DoS
    - LP: #1463444
    - CVE-2015-4002
  * Input: elantech - add new icbody type
    - LP: #1464490
  * Bluetooth: ath3k: Add support Atheros AR5B195 combo Mini PCIe card
    - LP: #1465796
  * power_supply: twl4030_madc: Check return value of power_supply_register
    - LP: #1465796
  * power_supply: lp8788-charger: Fix leaked power supply on probe fail
    - LP: #1465796
  * ARM: dts: dove: Fix uart[23] reg property
    - LP: #1465796
  * xtensa: xtfpga: fix hardware lockup caused by LCD driver
    - LP: #1465796
  * Drivers: hv: vmbus: Fix a bug in the error path in vmbus_open()
    - LP: #1465796
  * xtensa: provide __NR_sync_file_range2 instead of __NR_sync_file_range
    - LP: #1465796
  * KVM: s390: Zero out current VMDB of STSI before including level3 data.
    - LP: #1465796
  * usb: musb: core: fix TX/RX endpoint order
    - LP: #1465796
  * drm/radeon: fix doublescan modes (v2)
    - LP: #1465796
  * usb: phy: Find the right match in devm_usb_phy_match
    - LP: #1465796
  * tools lib traceevent kbuffer: Rem...


Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Andy Whitcroft (apw) on 2015-07-23
tags: removed: kernel-bug-break-fix