USB: CVE-2017-16531

USB: fix out-of-bounds in usb_set_configuration References: https://nvd.nist.gov/vuln/detail/CVE-2017-16531 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=de5ffcc63dbdaffffd93934003fd527673f4da0a Change-Id: I04f538f1ee61459772eb21f85764ed76a82fb342 Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
author: Adrian Stratulat <adrian.stratulat@enea.com> 2019-10-30 12:30:26 +0100
committer: Adrian Stratulat <adrian.stratulat@enea.com> 2019-10-30 12:32:15 +0100
commit: 2a790eef3b2f6607ef5e8b1c041ba5f77717e41c (patch)
tree: 0bc53620af940066300a27a95c64b883c413a0f5
parent: 6bced213c9f1888da4eb709102e0d37a1ea7dc20 (diff)
download: enea-kernel-cache-2a790eef3b2f6607ef5e8b1c041ba5f77717e41c.tar.gz
1 files changed, 77 insertions, 0 deletions
diff --git a/patches/cve/CVE-2017-16531.patch b/patches/cve/CVE-2017-16531.patch
new file mode 100644
index 0000000..bc8d2c5
--- /dev/null
+++ b/patches/cve/CVE-2017-16531.patch
@@ -0,0 +1,77 @@
+From de5ffcc63dbdaffffd93934003fd527673f4da0a Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 19 Sep 2017 15:07:17 +0200
+Subject: USB: fix out-of-bounds in usb_set_configuration
+[ Upstream commit bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb ]
+Andrey Konovalov reported a possible out-of-bounds problem for a USB interface
+association descriptor.  He writes:
+        It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION
+        descriptor. It's only checked that the size is >= 2 in
+        usb_parse_configuration(), so find_iad() might do out-of-bounds access
+        to intf_assoc->bInterfaceCount.
+And he's right, we don't check for crazy descriptors of this type very well, so
+resolve this problem.  Yet another issue found by syzkaller...
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=de5ffcc63dbdaffffd93934003fd527673f4da0a]
+CVE: CVE-2017-16531
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
+---
+ drivers/usb/core/config.c    | 14 +++++++++++---
+ include/uapi/linux/usb/ch9.h |  1 +
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
+index b48fac6e4b40..510e7158b502 100644
+--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
+@@ -528,15 +528,23 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
+ 
+                } else if (header->bDescriptorType ==
+                                USB_DT_INTERFACE_ASSOCIATION) {
+                       struct usb_interface_assoc_descriptor *d;
+
+                       d = (struct usb_interface_assoc_descriptor *)header;
+                       if (d->bLength < USB_DT_INTERFACE_ASSOCIATION_SIZE) {
+                               dev_warn(ddev,
+                                        "config %d has an invalid interface association descriptor of length %d, skipping\n",
+                                        cfgno, d->bLength);
+                               continue;
+                       }
+
+                        if (iad_num == USB_MAXIADS) {
+                                dev_warn(ddev, "found more Interface "
+                                               "Association Descriptors "
+                                               "than allocated for in "
+                                               "configuration %d\n", cfgno);
+                        } else {
+-                               config->intf_assoc[iad_num] =
+-                                       (struct usb_interface_assoc_descriptor
+-                                       *)header;
+                               config->intf_assoc[iad_num] = d;
+                                iad_num++;
+                        }
+ 
+diff --git a/include/uapi/linux/usb/ch9.h b/include/uapi/linux/usb/ch9.h
+index aa33fd1b2d4f..400196c45b3c 100644
+--- a/include/uapi/linux/usb/ch9.h
+++ b/include/uapi/linux/usb/ch9.h
+@@ -705,6 +705,7 @@ struct usb_interface_assoc_descriptor {
+        __u8  iFunction;
+ } __attribute__ ((packed));
+ 
+#define USB_DT_INTERFACE_ASSOCIATION_SIZE      8
+ 
+ /*-------------------------------------------------------------------------*/
+ 
+-- 
+cgit 1.2-0.3.lf.el7
author	Adrian Stratulat <adrian.stratulat@enea.com>	2019-10-30 12:30:26 +0100
committer	Adrian Stratulat <adrian.stratulat@enea.com>	2019-10-30 12:32:15 +0100
commit	2a790eef3b2f6607ef5e8b1c041ba5f77717e41c (patch)
tree	0bc53620af940066300a27a95c64b883c413a0f5
parent	6bced213c9f1888da4eb709102e0d37a1ea7dc20 (diff)
download	enea-kernel-cache-2a790eef3b2f6607ef5e8b1c041ba5f77717e41c.tar.gz

diff --git a/patches/cve/CVE-2017-16531.patch b/patches/cve/CVE-2017-16531.patch new file mode 100644 index 0000000..bc8d2c5 --- /dev/null +++ b/patches/cve/CVE-2017-16531.patch
@@ -0,0 +1,77 @@
	1	From de5ffcc63dbdaffffd93934003fd527673f4da0a Mon Sep 17 00:00:00 2001
	2	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	3	Date: Tue, 19 Sep 2017 15:07:17 +0200
	4	Subject: USB: fix out-of-bounds in usb_set_configuration
	5
	6	[ Upstream commit bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb ]
	7
	8	Andrey Konovalov reported a possible out-of-bounds problem for a USB interface
	9	association descriptor. He writes:
	10	It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION
	11	descriptor. It's only checked that the size is >= 2 in
	12	usb_parse_configuration(), so find_iad() might do out-of-bounds access
	13	to intf_assoc->bInterfaceCount.
	14
	15	And he's right, we don't check for crazy descriptors of this type very well, so
	16	resolve this problem. Yet another issue found by syzkaller...
	17
	18	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=de5ffcc63dbdaffffd93934003fd527673f4da0a]
	19	CVE: CVE-2017-16531
	20
	21	Reported-by: Andrey Konovalov <andreyknvl@google.com>
	22	Tested-by: Andrey Konovalov <andreyknvl@google.com>
	23	Cc: stable <stable@vger.kernel.org>
	24	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	25	Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
	26	Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
	27	---
	28	drivers/usb/core/config.c \| 14 +++++++++++---
	29	include/uapi/linux/usb/ch9.h \| 1 +
	30	2 files changed, 12 insertions(+), 3 deletions(-)
	31
	32	diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
	33	index b48fac6e4b40..510e7158b502 100644
	34	--- a/drivers/usb/core/config.c
	35	+++ b/drivers/usb/core/config.c
	36	@@ -528,15 +528,23 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
	37
	38	} else if (header->bDescriptorType ==
	39	USB_DT_INTERFACE_ASSOCIATION) {
	40	+ struct usb_interface_assoc_descriptor *d;
	41	+
	42	+ d = (struct usb_interface_assoc_descriptor *)header;
	43	+ if (d->bLength < USB_DT_INTERFACE_ASSOCIATION_SIZE) {
	44	+ dev_warn(ddev,
	45	+ "config %d has an invalid interface association descriptor of length %d, skipping\n",
	46	+ cfgno, d->bLength);
	47	+ continue;
	48	+ }
	49	+
	50	if (iad_num == USB_MAXIADS) {
	51	dev_warn(ddev, "found more Interface "
	52	"Association Descriptors "
	53	"than allocated for in "
	54	"configuration %d\n", cfgno);
	55	} else {
	56	- config->intf_assoc[iad_num] =
	57	- (struct usb_interface_assoc_descriptor
	58	- *)header;
	59	+ config->intf_assoc[iad_num] = d;
	60	iad_num++;
	61	}
	62
	63	diff --git a/include/uapi/linux/usb/ch9.h b/include/uapi/linux/usb/ch9.h
	64	index aa33fd1b2d4f..400196c45b3c 100644
	65	--- a/include/uapi/linux/usb/ch9.h
	66	+++ b/include/uapi/linux/usb/ch9.h
	67	@@ -705,6 +705,7 @@ struct usb_interface_assoc_descriptor {
	68	__u8 iFunction;
	69	} __attribute__ ((packed));
	70
	71	+#define USB_DT_INTERFACE_ASSOCIATION_SIZE 8
	72
	73	/-------------------------------------------------------------------------/
	74
	75	--
	76	cgit 1.2-0.3.lf.el7
	77