From URLs: ---- -4001: Integer signedness error in the oz_hcd_get_desc_cnf function in drivers/staging/ozwpan/ozhcd.c in the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted packet. -4002: drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 does not ensure that certain length values are sufficiently large, which allows remote attackers to cause a denial of service (system crash or large loop) or possibly execute arbitrary code via a crafted packet, related to the (1) oz_usb_rx and (2) oz_usb_handle_ep_data functions. -4003: The oz_usb_handle_ep_data function in drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service (divide-by-zero error and system crash) via a crafted packet. -4004: The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted length field during packet parsing, which allows remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via a crafted packet. ---- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4001 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4002 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4003 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4004 Affects: <= 4.0.5 (for all CVEs) Reproducible: Always
CVE-2015-4004 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4004): The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted length field during packet parsing, which allows remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via a crafted packet. CVE-2015-4003 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4003): The oz_usb_handle_ep_data function in drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service (divide-by-zero error and system crash) via a crafted packet. CVE-2015-4002 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4002): drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 does not ensure that certain length values are sufficiently large, which allows remote attackers to cause a denial of service (system crash or large loop) or possibly execute arbitrary code via a crafted packet, related to the (1) oz_usb_rx and (2) oz_usb_handle_ep_data functions. CVE-2015-4001 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4001): Integer signedness error in the oz_hcd_get_desc_cnf function in drivers/staging/ozwpan/ozhcd.c in the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted packet.
Fixed in 4.1.