USB: CVE-2018-20169

USB: check usb_get_extra_descriptor for proper size

References:
https://nvd.nist.gov/vuln/detail/CVE-2018-20169
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=7b6e85da8d94948201abb8d576d485892a6a878f

Change-Id: I4676564b2b6d596406e0d3730a43e331a108f7d7
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>

2 files changed, 108 insertions, 0 deletions

diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc
index a33811b..db984b6 100644
--- a/patches/cve/4.14.x.scc
+++ b/patches/cve/4.14.x.scc
@@ -16,3 +16,4 @@ patch CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch
 #CVEs fixed in 4.14.88:
 patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch
 patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch
+patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
diff --git a/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch b/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
new file mode 100644
index 0000000..1c1f9b9
--- /dev/null
+++ b/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
@@ -0,0 +1,107 @@
+From 7b6e85da8d94948201abb8d576d485892a6a878f Mon Sep 17 00:00:00 2001
+From: Mathias Payer <mathias.payer@nebelwelt.net>
+Date: Wed, 5 Dec 2018 21:19:59 +0100
+Subject: [PATCH] USB: check usb_get_extra_descriptor for proper size
+
+commit 704620afc70cf47abb9d6a1a57f3825d2bca49cf upstream.
+
+When reading an extra descriptor, we need to properly check the minimum
+and maximum size allowed, to prevent from invalid data being sent by a
+device.
+
+CVE: CVE-2018-20169
+Upstream-Status: Backport
+
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ drivers/usb/core/hub.c    | 2 +-
+ drivers/usb/core/usb.c    | 6 +++---
+ drivers/usb/host/hwa-hc.c | 2 +-
+ include/linux/usb.h       | 4 ++--
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 638dc6f66d70..a073cb5be013 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2231,7 +2231,7 @@ static int usb_enumerate_device_otg(struct usb_device *udev)
+                /* descriptor may appear anywhere in config */
+                err = __usb_get_extra_descriptor(udev->rawdescriptors[0],
+                                le16_to_cpu(udev->config[0].desc.wTotalLength),
+-                               USB_DT_OTG, (void **) &desc);
++                               USB_DT_OTG, (void **) &desc, sizeof(*desc));
+                if (err || !(desc->bmAttributes & USB_OTG_HNP))
+                        return 0;
+ 
+diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
+index f8b50eaf6d1e..7a4e3da549fe 100644
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -833,14 +833,14 @@ EXPORT_SYMBOL_GPL(usb_get_current_frame_number);
+  */
+ 
+ int __usb_get_extra_descriptor(char *buffer, unsigned size,
+-                              unsigned char type, void **ptr)
++                              unsigned char type, void **ptr, size_t minsize)
+ {
+        struct usb_descriptor_header *header;
+ 
+        while (size >= sizeof(struct usb_descriptor_header)) {
+                header = (struct usb_descriptor_header *)buffer;
+ 
+-               if (header->bLength < 2) {
++               if (header->bLength < 2 || header->bLength > size) {
+                        printk(KERN_ERR
+                                "%s: bogus descriptor, type %d length %d\n",
+                                usbcore_name,
+@@ -849,7 +849,7 @@ int __usb_get_extra_descriptor(char *buffer, unsigned size,
+                        return -1;
+                }
+ 
+-               if (header->bDescriptorType == type) {
++               if (header->bDescriptorType == type && header->bLength >= minsize) {
+                        *ptr = header;
+                        return 0;
+                }
+diff --git a/drivers/usb/host/hwa-hc.c b/drivers/usb/host/hwa-hc.c
+index da3b18038d23..216069c396a0 100644
+--- a/drivers/usb/host/hwa-hc.c
++++ b/drivers/usb/host/hwa-hc.c
+@@ -654,7 +654,7 @@ static int hwahc_security_create(struct hwahc *hwahc)
+        top = itr + itr_size;
+        result = __usb_get_extra_descriptor(usb_dev->rawdescriptors[index],
+                        le16_to_cpu(usb_dev->actconfig->desc.wTotalLength),
+-                       USB_DT_SECURITY, (void **) &secd);
++                       USB_DT_SECURITY, (void **) &secd, sizeof(*secd));
+        if (result == -1) {
+                dev_warn(dev, "BUG? WUSB host has no security descriptors\n");
+                return 0;
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 4192a1755ccb..8c7ba40cf021 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -407,11 +407,11 @@ struct usb_host_bos {
+ };
+ 
+ int __usb_get_extra_descriptor(char *buffer, unsigned size,
+-       unsigned char type, void **ptr);
++       unsigned char type, void **ptr, size_t min);
+ #define usb_get_extra_descriptor(ifpoint, type, ptr) \
+                                __usb_get_extra_descriptor((ifpoint)->extra, \
+                                (ifpoint)->extralen, \
+-                               type, (void **)ptr)
++                               type, (void **)ptr, sizeof(**(ptr)))
+ 
+ /* ----------------------------------------------------------------------- */
+ 
+-- 
+2.19.2
+