1 files changed, 38 insertions, 0 deletions

diff --git a/freed-ora/current/f24/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch b/freed-ora/current/f24/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
new file mode 100644
index 000000000..7de890e1b
--- /dev/null
+++ b/freed-ora/current/f24/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
@@ -0,0 +1,38 @@
+From 0383ff3ba89d3e6c604138e3ba46685621d71f98 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Mon, 14 Mar 2016 10:02:51 -0400
+Subject: [PATCH] USB: input: powermate: fix oops with malicious USB
+ descriptors
+
+The powermate driver expects at least one valid USB endpoint in its
+probe function.  If given malicious descriptors that specify 0 for
+the number of endpoints, it will crash.  Validate the number of
+endpoints on the interface before using them.
+
+The full report for this issue can be found here:
+http://seclists.org/bugtraq/2016/Mar/85
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ drivers/input/misc/powermate.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
+index 63b539d3daba..84909a12ff36 100644
+--- a/drivers/input/misc/powermate.c
++++ b/drivers/input/misc/powermate.c
+@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
+ 	int error = -ENOMEM;
+ 
+ 	interface = intf->cur_altsetting;
++	if (interface->desc.bNumEndpoints < 1)
++		return -EINVAL;
++
+ 	endpoint = &interface->endpoint[0].desc;
+ 	if (!usb_endpoint_is_int_in(endpoint))
+ 		return -EIO;
+-- 
+2.5.0
+