usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect (CVE-2020-15393)
This commit is contained in:
parent
b1721c503c
commit
cf50d019cc
|
@ -1005,6 +1005,8 @@ linux (4.19.131-1) UNRELEASED; urgency=medium
|
|||
- fs/dcache: Include swait.h header
|
||||
- mm: slub: Always flush the delayed empty slubs in flush_all()
|
||||
- tasklet: Fix UP case for tasklet CHAINED state
|
||||
* usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect
|
||||
(CVE-2020-15393)
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* [rt] Update "net: move xmit_recursion to per-task variable on -RT" to
|
||||
|
|
65
debian/patches/bugfix/all/usb-usbtest-fix-missing-kfree-dev-buf-in-usbtest_dis.patch
vendored
Normal file
65
debian/patches/bugfix/all/usb-usbtest-fix-missing-kfree-dev-buf-in-usbtest_dis.patch
vendored
Normal file
|
@ -0,0 +1,65 @@
|
|||
From: Zqiang <qiang.zhang@windriver.com>
|
||||
Date: Fri, 12 Jun 2020 11:52:10 +0800
|
||||
Subject: usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect
|
||||
Origin: https://git.kernel.org/linus/28ebeb8db77035e058a510ce9bd17c2b9a009dba
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-15393
|
||||
|
||||
BUG: memory leak
|
||||
unreferenced object 0xffff888055046e00 (size 256):
|
||||
comm "kworker/2:9", pid 2570, jiffies 4294942129 (age 1095.500s)
|
||||
hex dump (first 32 bytes):
|
||||
00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....
|
||||
f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......
|
||||
backtrace:
|
||||
[<00000000d121dccf>] kmemleak_alloc_recursive
|
||||
include/linux/kmemleak.h:43 [inline]
|
||||
[<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]
|
||||
[<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]
|
||||
[<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]
|
||||
[<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811
|
||||
[<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]
|
||||
[<000000005c3c3381>] usbtest_probe+0x286/0x19d0
|
||||
drivers/usb/misc/usbtest.c:2790
|
||||
[<000000001cec6910>] usb_probe_interface+0x2bd/0x870
|
||||
drivers/usb/core/driver.c:361
|
||||
[<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
|
||||
[<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
|
||||
[<000000003ef66004>] __device_attach_driver+0x1b6/0x240
|
||||
drivers/base/dd.c:831
|
||||
[<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431
|
||||
[<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897
|
||||
[<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944
|
||||
[<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491
|
||||
[<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504
|
||||
[<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0
|
||||
drivers/usb/core/message.c:2030
|
||||
[<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210
|
||||
[<0000000098ade0f1>] usb_probe_device+0x90/0xd0
|
||||
drivers/usb/core/driver.c:266
|
||||
[<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
|
||||
[<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
|
||||
|
||||
Acked-by: Alan Stern <stern@rowland.harvard.edu>
|
||||
Reported-by: Kyungtae Kim <kt0755@gmail.com>
|
||||
Signed-off-by: Zqiang <qiang.zhang@windriver.com>
|
||||
Link: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
drivers/usb/misc/usbtest.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
|
||||
index 98ada1a3425c..bae88893ee8e 100644
|
||||
--- a/drivers/usb/misc/usbtest.c
|
||||
+++ b/drivers/usb/misc/usbtest.c
|
||||
@@ -2873,6 +2873,7 @@ static void usbtest_disconnect(struct usb_interface *intf)
|
||||
|
||||
usb_set_intfdata(intf, NULL);
|
||||
dev_dbg(&intf->dev, "disconnect\n");
|
||||
+ kfree(dev->buf);
|
||||
kfree(dev);
|
||||
}
|
||||
|
||||
--
|
||||
2.27.0
|
||||
|
|
@ -295,5 +295,6 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch
|
|||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
debian/ntfs-mark-it-as-broken.patch
|
||||
bugfix/all/usb-usbtest-fix-missing-kfree-dev-buf-in-usbtest_dis.patch
|
||||
|
||||
# ABI maintenance
|
||||
|
|
Loading…
Reference in New Issue