[pve-devel] [stable-3 kvm] Fix CVE-2016-2391 and CVE-2016-2392

Wolfgang Bumiller w.bumiller at proxmox.com
Wed Feb 17 11:28:51 CET 2016


CVE-2016-2391: usb: ohci avoid multiple eof timers
CVE-2016-2392: usb: check USB configuration descriptor object
---
 ...6-2391-usb-ohci-avoid-multiple-eof-timers.patch | 40 ++++++++++++++++++++++
 ...check-USB-configuration-descriptor-object.patch | 33 ++++++++++++++++++
 debian/patches/series                              |  2 ++
 3 files changed, 75 insertions(+)
 create mode 100644 debian/patches/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
 create mode 100644 debian/patches/CVE-2016-2392-check-USB-configuration-descriptor-object.patch

diff --git a/debian/patches/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch b/debian/patches/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
new file mode 100644
index 0000000..923c5a5
--- /dev/null
+++ b/debian/patches/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
@@ -0,0 +1,40 @@
+From f2575bbcfe89deabe1f8eab306854d35d7418537 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Tue, 16 Feb 2016 15:34:14 +0530
+Subject: [PATCH] usb: ohci avoid multiple eof timers
+
+When transitioning an OHCI controller to the OHCI_USB_OPERATIONAL
+state, it creates an eof timer object in 'ohci_bus_start'.
+It does not check if one already exists. This results in memory
+leakage and null dereference issue. Add a check to avoid it.
+
+Reported-by: Zuozhi Fzz <zuozhi.fzz at alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+---
+ hw/usb/hcd-ohci.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 7d65818..15f0b44 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -1331,11 +1331,11 @@ static void ohci_frame_boundary(void *opaque)
+  */
+ static int ohci_bus_start(OHCIState *ohci)
+ {
+-    ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
+-                    ohci_frame_boundary,
+-                    ohci);
+-
+-    if (ohci->eof_timer == NULL) {
++    if (!ohci->eof_timer) {
++        ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
++                                        ohci_frame_boundary, ohci);
++    }
++    if (!ohci->eof_timer) {
+         trace_usb_ohci_bus_eof_timer_failed(ohci->name);
+         ohci_die(ohci);
+         return 0;
+-- 
+2.1.4
+
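Review bot: the guard `if (!ohci->eof_timer)` only helps if every path that tears the timer down also resets `ohci->eof_timer` to NULL; that teardown is outside this hunk, so please confirm it in the stable-3 tree before applying, otherwise a second transition to OPERATIONAL would reuse a freed timer instead of leaking one. The second `if (!ohci->eof_timer)` check is still needed and correctly kept, since `timer_new_ns` can fail and the existing `trace_usb_ohci_bus_eof_timer_failed` / `ohci_die` error path depends on it. Minor documentation point: the embedded patch is dated 16 Feb 2016, one day before this mail, so a line in the patch header noting whether it is already merged upstream or still under review would make it easier to swap in the final upstream commit if it changes.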
diff --git a/debian/patches/CVE-2016-2392-check-USB-configuration-descriptor-object.patch b/debian/patches/CVE-2016-2392-check-USB-configuration-descriptor-object.patch
new file mode 100644
index 0000000..6616649
--- /dev/null
+++ b/debian/patches/CVE-2016-2392-check-USB-configuration-descriptor-object.patch
@@ -0,0 +1,33 @@
+From f979659e509e9d6da5cd3d74c459b944e131ce73 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Thu, 11 Feb 2016 16:31:20 +0530
+Subject: [PATCH] usb: check USB configuration descriptor object
+
+When processing remote NDIS control message packets, the USB Net
+device emulator checks to see if the USB configuration descriptor
+object is of RNDIS type(2). But it does not check if it is null,
+which leads to a null dereference error. Add check to avoid it.
+
+Reported-by: Qinghao Tang <luodalongde at gmail.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+---
+ hw/usb/dev-network.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
+index 7800cee..8a4ff49 100644
+--- a/hw/usb/dev-network.c
++++ b/hw/usb/dev-network.c
+@@ -653,7 +653,8 @@ typedef struct USBNetState {
+ 
+ static int is_rndis(USBNetState *s)
+ {
+-    return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
++    return s->dev.config ?
++            s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;
+ }
+ 
+ static int ndis_query(USBNetState *s, uint32_t oid,
+-- 
+2.1.4
+
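Review bot: the ternary in `is_rndis` returns 0 when `s->dev.config` is NULL, which is the safe default (treat the device as non-RNDIS until a configuration is set), so the logic is fine; the more common idiom `return s->dev.config && s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;` would read slightly clearer, but keeping the backport byte-identical to upstream is the better trade-off for later rebases. As with the first patch, the header carries the upstream commit id (f979659e...) but no note on merge status; adding one would help track this patch when the upstream version is finalised.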
diff --git a/debian/patches/series b/debian/patches/series
index 2d3bceb..42af4cc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -59,3 +59,5 @@ CVE-2015-3209-pcnet-oob.patch
 CVE-2015-7504-pcnet-validate-size.patch
 CVE-2015-7512-pcnet-rx-buffer-overflow.patch
 CVE-2015-7295-virtio-introduce-virtqueue_unmap_sg.patch
+CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
+CVE-2016-2392-check-USB-configuration-descriptor-object.patch
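Review bot: appending both entries after `CVE-2015-7295-virtio-introduce-virtqueue_unmap_sg.patch` follows the existing convention in `debian/patches/series`, so ordering is fine. Since the embedded patches were generated against upstream blobs (index lines `7d65818..15f0b44` and `7800cee..8a4ff49`), it is worth confirming in the commit message that the whole series still applies cleanly (`quilt push -a`) against the stable-3 QEMU sources, as the `ohci_bus_start` and `is_rndis` context may differ there.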
-- 
2.1.4
