From 38b8a3439be1727edbc3360c1ca0281da020a44d Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Tue, 16 Feb 2016 16:18:55 +0100 Subject: [PATCH] Fix CVE-2016-2391: usb: ohci avoid multiple eof timers --- ...6-2391-usb-ohci-avoid-multiple-eof-timers.patch | 40 ++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 41 insertions(+) create mode 100644 debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch diff --git a/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch b/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch new file mode 100644 index 0000000..923c5a5 --- /dev/null +++ b/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch @@ -0,0 +1,40 @@ +From f2575bbcfe89deabe1f8eab306854d35d7418537 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 16 Feb 2016 15:34:14 +0530 +Subject: [PATCH] usb: ohci avoid multiple eof timers + +When transitioning an OHCI controller to the OHCI_USB_OPERATIONAL +state, it creates an eof timer object in 'ohci_bus_start'. +It does not check if one already exists. This results in memory +leakage and null dereference issue. Add a check to avoid it. + +Reported-by: Zuozhi Fzz +Signed-off-by: Prasad J Pandit +--- + hw/usb/hcd-ohci.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index 7d65818..15f0b44 100644 +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -1331,11 +1331,11 @@ static void ohci_frame_boundary(void *opaque) + */ + static int ohci_bus_start(OHCIState *ohci) + { +- ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, +- ohci_frame_boundary, +- ohci); +- +- if (ohci->eof_timer == NULL) { ++ if (!ohci->eof_timer) { ++ ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, ++ ohci_frame_boundary, ohci); ++ } ++ if (!ohci->eof_timer) { + trace_usb_ohci_bus_eof_timer_failed(ohci->name); + ohci_die(ohci); + return 0; +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index e109baa..47b2b01 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -51,3 +51,4 @@ extra/CVE-2016-1922-i386-avoid-null-pointer-dereference.patch extra/CVE-2016-1981-e1000-eliminate-infinite-loop.patch extra/CVE-2016-2197-ahci-null-pointer.patch extra/CVE-2016-2198-ehci-null-pointer.patch +extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch -- 2.11.4.GIT