diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2019-02-04 14:27:31 +0100 |
|---|---|---|
| committer | Andreas Wellving <andreas.wellving@enea.com> | 2019-02-04 14:27:31 +0100 |
| commit | 3851aabaf12dcc3e2d913ad581d584259dbef32c (patch) | |
| tree | bc9bba7e9db95d9fdac344ccac407bce07b58854 | |
| parent | 141a35ca52ecfadd1ef997d94f5acae8c8081780 (diff) | |
| download | enea-kernel-cache-3851aabaf12dcc3e2d913ad581d584259dbef32c.tar.gz | |
USB: CVE-2018-19985
USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
References:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=49be8dc589aee04c64d61e362c5029ab20fd6fd7
Change-Id: I26c1c763c075d8719ac4bff276d8b1785ae46ad8
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
| -rw-r--r-- | patches/cve/4.14.x.scc | 2 | ||||
| -rw-r--r-- | patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch | 74 |
2 files changed, 76 insertions, 0 deletions
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index db984b6..36143b1 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc | |||
| @@ -17,3 +17,5 @@ patch CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch | |||
| 17 | patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch | 17 | patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch |
| 18 | patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch | 18 | patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch |
| 19 | patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch | 19 | patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch |
| 20 | CVEs fixed in 4.14.91: | ||
| 21 | patch CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch | ||
diff --git a/patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch b/patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch new file mode 100644 index 0000000..9d81696 --- /dev/null +++ b/patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch | |||
| @@ -0,0 +1,74 @@ | |||
| 1 | From 49be8dc589aee04c64d61e362c5029ab20fd6fd7 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Hui Peng <benquike@gmail.com> | ||
| 3 | Date: Wed, 12 Dec 2018 12:42:24 +0100 | ||
| 4 | Subject: [PATCH] USB: hso: Fix OOB memory access in | ||
| 5 | hso_probe/hso_get_config_data | ||
| 6 | |||
| 7 | commit 5146f95df782b0ac61abde36567e718692725c89 upstream. | ||
| 8 | |||
| 9 | The function hso_probe reads if_num from the USB device (as an u8) and uses | ||
| 10 | it without a length check to index an array, resulting in an OOB memory read | ||
| 11 | in hso_probe or hso_get_config_data. | ||
| 12 | |||
| 13 | Add a length check for both locations and updated hso_probe to bail on | ||
| 14 | error. | ||
| 15 | |||
| 16 | This issue has been assigned CVE-2018-19985. | ||
| 17 | |||
| 18 | CVE: CVE-2018-19985 | ||
| 19 | Upstream-Status: Backport | ||
| 20 | |||
| 21 | Reported-by: Hui Peng <benquike@gmail.com> | ||
| 22 | Reported-by: Mathias Payer <mathias.payer@nebelwelt.net> | ||
| 23 | Signed-off-by: Hui Peng <benquike@gmail.com> | ||
| 24 | Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net> | ||
| 25 | Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> | ||
| 26 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 27 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
| 28 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 29 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 30 | --- | ||
| 31 | drivers/net/usb/hso.c | 18 ++++++++++++++++-- | ||
| 32 | 1 file changed, 16 insertions(+), 2 deletions(-) | ||
| 33 | |||
| 34 | diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c | ||
| 35 | index d7a3379ea668..18a0952f68a8 100644 | ||
| 36 | --- a/drivers/net/usb/hso.c | ||
| 37 | +++ b/drivers/net/usb/hso.c | ||
| 38 | @@ -2806,6 +2806,12 @@ static int hso_get_config_data(struct usb_interface *interface) | ||
| 39 | return -EIO; | ||
| 40 | } | ||
| 41 | |||
| 42 | + /* check if we have a valid interface */ | ||
| 43 | + if (if_num > 16) { | ||
| 44 | + kfree(config_data); | ||
| 45 | + return -EINVAL; | ||
| 46 | + } | ||
| 47 | + | ||
| 48 | switch (config_data[if_num]) { | ||
| 49 | case 0x0: | ||
| 50 | result = 0; | ||
| 51 | @@ -2876,10 +2882,18 @@ static int hso_probe(struct usb_interface *interface, | ||
| 52 | |||
| 53 | /* Get the interface/port specification from either driver_info or from | ||
| 54 | * the device itself */ | ||
| 55 | - if (id->driver_info) | ||
| 56 | + if (id->driver_info) { | ||
| 57 | + /* if_num is controlled by the device, driver_info is a 0 terminated | ||
| 58 | + * array. Make sure, the access is in bounds! */ | ||
| 59 | + for (i = 0; i <= if_num; ++i) | ||
| 60 | + if (((u32 *)(id->driver_info))[i] == 0) | ||
| 61 | + goto exit; | ||
| 62 | port_spec = ((u32 *)(id->driver_info))[if_num]; | ||
| 63 | - else | ||
| 64 | + } else { | ||
| 65 | port_spec = hso_get_config_data(interface); | ||
| 66 | + if (port_spec < 0) | ||
| 67 | + goto exit; | ||
| 68 | + } | ||
| 69 | |||
| 70 | /* Check if we need to switch to alt interfaces prior to port | ||
| 71 | * configuration */ | ||
| 72 | -- | ||
| 73 | 2.19.2 | ||
| 74 | |||