diff options
| author | Adrian Stratulat <adrian.stratulat@enea.com> | 2019-10-30 12:44:57 +0100 |
|---|---|---|
| committer | Adrian Stratulat <adrian.stratulat@enea.com> | 2019-10-30 12:46:01 +0100 |
| commit | ab9c8d0c68d267c71d21a7d0996c9fa264844325 (patch) | |
| tree | 4f06951f96ebf01ed4ebe22b49ab5e39f1fd2e2a | |
| parent | 2c42279f9525e846bc2fc0f326f32b8f7d48c8ea (diff) | |
| download | enea-kernel-cache-qoriq-4.1.tar.gz | |
input: CVE-2017-16645qoriq-4.1
Input: ims-psu - check if CDC union descriptor is sane
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-16645
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ea04efee7635c9120d015dcdeeeb6988130cb67a
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=84513107dc8602c675ec871b616128b49c6e259e
Change-Id: Iab16548726e55b3621e5c8ae6be0ea487bb3064f
Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
| -rw-r--r-- | patches/cve/CVE-2017-16645.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/patches/cve/CVE-2017-16645.patch b/patches/cve/CVE-2017-16645.patch new file mode 100644 index 0000000..96992e7 --- /dev/null +++ b/patches/cve/CVE-2017-16645.patch | |||
| @@ -0,0 +1,59 @@ | |||
| 1 | From 84513107dc8602c675ec871b616128b49c6e259e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Dmitry Torokhov <dmitry.torokhov@gmail.com> | ||
| 3 | Date: Sat, 7 Oct 2017 11:07:47 -0700 | ||
| 4 | Subject: Input: ims-psu - check if CDC union descriptor is sane | ||
| 5 | |||
| 6 | [ Upstream commit ea04efee7635c9120d015dcdeeeb6988130cb67a ] | ||
| 7 | |||
| 8 | Before trying to use CDC union descriptor, try to validate whether that it | ||
| 9 | is sane by checking that intf->altsetting->extra is big enough and that | ||
| 10 | descriptor bLength is not too big and not too small. | ||
| 11 | |||
| 12 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/drivers/input/misc/ims-pcu.c?h=linux-4.1.y&id=84513107dc8602c675ec871b616128b49c6e259e] | ||
| 13 | CVE: CVE-2017-16645 | ||
| 14 | |||
| 15 | Reported-by: Andrey Konovalov <andreyknvl@google.com> | ||
| 16 | Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> | ||
| 17 | Signed-off-by: Sasha Levin <alexander.levin@verizon.com> | ||
| 18 | Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com> | ||
| 19 | --- | ||
| 20 | drivers/input/misc/ims-pcu.c | 16 ++++++++++++++-- | ||
| 21 | 1 file changed, 14 insertions(+), 2 deletions(-) | ||
| 22 | |||
| 23 | (limited to 'drivers/input/misc/ims-pcu.c') | ||
| 24 | |||
| 25 | diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c | ||
| 26 | index f4e8fbec6a94..b5304e264881 100644 | ||
| 27 | --- a/drivers/input/misc/ims-pcu.c | ||
| 28 | +++ b/drivers/input/misc/ims-pcu.c | ||
| 29 | @@ -1635,13 +1635,25 @@ ims_pcu_get_cdc_union_desc(struct usb_interface *intf) | ||
| 30 | return NULL; | ||
| 31 | } | ||
| 32 | |||
| 33 | - while (buflen > 0) { | ||
| 34 | + while (buflen >= sizeof(*union_desc)) { | ||
| 35 | union_desc = (struct usb_cdc_union_desc *)buf; | ||
| 36 | |||
| 37 | + if (union_desc->bLength > buflen) { | ||
| 38 | + dev_err(&intf->dev, "Too large descriptor\n"); | ||
| 39 | + return NULL; | ||
| 40 | + } | ||
| 41 | + | ||
| 42 | if (union_desc->bDescriptorType == USB_DT_CS_INTERFACE && | ||
| 43 | union_desc->bDescriptorSubType == USB_CDC_UNION_TYPE) { | ||
| 44 | dev_dbg(&intf->dev, "Found union header\n"); | ||
| 45 | - return union_desc; | ||
| 46 | + | ||
| 47 | + if (union_desc->bLength >= sizeof(*union_desc)) | ||
| 48 | + return union_desc; | ||
| 49 | + | ||
| 50 | + dev_err(&intf->dev, | ||
| 51 | + "Union descriptor to short (%d vs %zd\n)", | ||
| 52 | + union_desc->bLength, sizeof(*union_desc)); | ||
| 53 | + return NULL; | ||
| 54 | } | ||
| 55 | |||
| 56 | buflen -= union_desc->bLength; | ||
| 57 | -- | ||
| 58 | cgit 1.2-0.3.lf.el7 | ||
| 59 | |||