USB: uas: CVE-2017-16530

USB: uas: fix bug in handling of alternate settings References: https://nvd.nist.gov/vuln/detail/CVE-2017-16530 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=786de92b3cb26012d3d0f00ee37adf14527f35c4 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=0078c8c1a6819a8badf212df782e090559055241 Change-Id: Id5cc402241d763ddf08cfba8bcbde97977df114c Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
author: Adrian Stratulat <adrian.stratulat@enea.com> 2019-10-30 12:27:09 +0100
committer: Adrian Stratulat <adrian.stratulat@enea.com> 2019-10-30 12:29:28 +0100
commit: 6bced213c9f1888da4eb709102e0d37a1ea7dc20 (patch)
tree: 76e7147dc4e73628cb32b5f5fde08363062683d5
parent: ce752ac00b50afd2a1312d42b855c00f7b4eddc3 (diff)
download: enea-kernel-cache-6bced213c9f1888da4eb709102e0d37a1ea7dc20.tar.gz
1 files changed, 112 insertions, 0 deletions
diff --git a/patches/cve/CVE-2017-16530.patch b/patches/cve/CVE-2017-16530.patch
new file mode 100644
index 0000000..f4b7788
--- /dev/null
+++ b/patches/cve/CVE-2017-16530.patch
@@ -0,0 +1,112 @@
+From 0078c8c1a6819a8badf212df782e090559055241 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 22 Sep 2017 11:56:49 -0400
+Subject: USB: uas: fix bug in handling of alternate settings
+[ Upstream commit 786de92b3cb26012d3d0f00ee37adf14527f35c4 ]
+The uas driver has a subtle bug in the way it handles alternate
+settings.  The uas_find_uas_alt_setting() routine returns an
+altsetting value (the bAlternateSetting number in the descriptor), but
+uas_use_uas_driver() then treats that value as an index to the
+intf->altsetting array, which it isn't.
+Normally this doesn't cause any problems because the various
+alternate settings have bAlternateSetting values 0, 1, 2, ..., so the
+value is equal to the index in the array.  But this is not guaranteed,
+and Andrey Konovalov used the syzkaller fuzzer with KASAN to get a
+slab-out-of-bounds error by violating this assumption.
+This patch fixes the bug by making uas_find_uas_alt_setting() return a
+pointer to the altsetting entry rather than either the value or the
+index.  Pointers are less subject to misinterpretation.
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=0078c8c1a6819a8badf212df782e090559055241]
+CVE: CVE-2017-16530
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+CC: Oliver Neukum <oneukum@suse.com>
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
+---
+ drivers/usb/storage/uas-detect.h | 15 ++++++++-------
+ drivers/usb/storage/uas.c        | 10 +++++-----
+ 2 files changed, 13 insertions(+), 12 deletions(-)
+diff --git a/drivers/usb/storage/uas-detect.h b/drivers/usb/storage/uas-detect.h
+index f58caa9e6a27..a155cd02bce2 100644
+--- a/drivers/usb/storage/uas-detect.h
+++ b/drivers/usb/storage/uas-detect.h
+@@ -9,7 +9,8 @@ static int uas_is_interface(struct usb_host_interface *intf)
+                intf->desc.bInterfaceProtocol == USB_PR_UAS);
+ }
+ 
+-static int uas_find_uas_alt_setting(struct usb_interface *intf)
+static struct usb_host_interface *uas_find_uas_alt_setting(
+               struct usb_interface *intf)
+ {
+        int i;
+ 
+@@ -17,10 +18,10 @@ static int uas_find_uas_alt_setting(struct usb_interface *intf)
+                struct usb_host_interface *alt = &intf->altsetting[i];
+ 
+                if (uas_is_interface(alt))
+-                       return alt->desc.bAlternateSetting;
+                       return alt;
+        }
+ 
+-       return -ENODEV;
+       return NULL;
+ }
+ 
+ static int uas_find_endpoints(struct usb_host_interface *alt,
+@@ -58,14 +59,14 @@ static int uas_use_uas_driver(struct usb_interface *intf,
+        struct usb_device *udev = interface_to_usbdev(intf);
+        struct usb_hcd *hcd = bus_to_hcd(udev->bus);
+        unsigned long flags = id->driver_info;
+-       int r, alt;
+-
+       struct usb_host_interface *alt;
+       int r;
+ 
+        alt = uas_find_uas_alt_setting(intf);
+-       if (alt < 0)
+       if (!alt)
+                return 0;
+ 
+-       r = uas_find_endpoints(&intf->altsetting[alt], eps);
+       r = uas_find_endpoints(alt, eps);
+        if (r < 0)
+                return 0;
+ 
+diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
+index 546bb2b1ffc2..f58ae4a84c11 100644
+--- a/drivers/usb/storage/uas.c
+++ b/drivers/usb/storage/uas.c
+@@ -851,14 +851,14 @@ MODULE_DEVICE_TABLE(usb, uas_usb_ids);
+ static int uas_switch_interface(struct usb_device *udev,
+                                struct usb_interface *intf)
+ {
+-       int alt;
+       struct usb_host_interface *alt;
+ 
+        alt = uas_find_uas_alt_setting(intf);
+-       if (alt < 0)
+-               return alt;
+       if (!alt)
+               return -ENODEV;
+ 
+-       return usb_set_interface(udev,
+-                       intf->altsetting[0].desc.bInterfaceNumber, alt);
+       return usb_set_interface(udev, alt->desc.bInterfaceNumber,
+                       alt->desc.bAlternateSetting);
+ }
+ 
+ static int uas_configure_endpoints(struct uas_dev_info *devinfo)
+-- 
+cgit 1.2-0.3.lf.el7
author	Adrian Stratulat <adrian.stratulat@enea.com>	2019-10-30 12:27:09 +0100
committer	Adrian Stratulat <adrian.stratulat@enea.com>	2019-10-30 12:29:28 +0100
commit	6bced213c9f1888da4eb709102e0d37a1ea7dc20 (patch)
tree	76e7147dc4e73628cb32b5f5fde08363062683d5
parent	ce752ac00b50afd2a1312d42b855c00f7b4eddc3 (diff)
download	enea-kernel-cache-6bced213c9f1888da4eb709102e0d37a1ea7dc20.tar.gz

diff --git a/patches/cve/CVE-2017-16530.patch b/patches/cve/CVE-2017-16530.patch new file mode 100644 index 0000000..f4b7788 --- /dev/null +++ b/patches/cve/CVE-2017-16530.patch
@@ -0,0 +1,112 @@
	1	From 0078c8c1a6819a8badf212df782e090559055241 Mon Sep 17 00:00:00 2001
	2	From: Alan Stern <stern@rowland.harvard.edu>
	3	Date: Fri, 22 Sep 2017 11:56:49 -0400
	4	Subject: USB: uas: fix bug in handling of alternate settings
	5
	6	[ Upstream commit 786de92b3cb26012d3d0f00ee37adf14527f35c4 ]
	7
	8	The uas driver has a subtle bug in the way it handles alternate
	9	settings. The uas_find_uas_alt_setting() routine returns an
	10	altsetting value (the bAlternateSetting number in the descriptor), but
	11	uas_use_uas_driver() then treats that value as an index to the
	12	intf->altsetting array, which it isn't.
	13
	14	Normally this doesn't cause any problems because the various
	15	alternate settings have bAlternateSetting values 0, 1, 2, ..., so the
	16	value is equal to the index in the array. But this is not guaranteed,
	17	and Andrey Konovalov used the syzkaller fuzzer with KASAN to get a
	18	slab-out-of-bounds error by violating this assumption.
	19
	20	This patch fixes the bug by making uas_find_uas_alt_setting() return a
	21	pointer to the altsetting entry rather than either the value or the
	22	index. Pointers are less subject to misinterpretation.
	23
	24	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=0078c8c1a6819a8badf212df782e090559055241]
	25	CVE: CVE-2017-16530
	26
	27	Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
	28	Reported-by: Andrey Konovalov <andreyknvl@google.com>
	29	Tested-by: Andrey Konovalov <andreyknvl@google.com>
	30	CC: Oliver Neukum <oneukum@suse.com>
	31	CC: <stable@vger.kernel.org>
	32	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	33	Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
	34	Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
	35	---
	36	drivers/usb/storage/uas-detect.h \| 15 ++++++++-------
	37	drivers/usb/storage/uas.c \| 10 +++++-----
	38	2 files changed, 13 insertions(+), 12 deletions(-)
	39
	40	diff --git a/drivers/usb/storage/uas-detect.h b/drivers/usb/storage/uas-detect.h
	41	index f58caa9e6a27..a155cd02bce2 100644
	42	--- a/drivers/usb/storage/uas-detect.h
	43	+++ b/drivers/usb/storage/uas-detect.h
	44	@@ -9,7 +9,8 @@ static int uas_is_interface(struct usb_host_interface *intf)
	45	intf->desc.bInterfaceProtocol == USB_PR_UAS);
	46	}
	47
	48	-static int uas_find_uas_alt_setting(struct usb_interface *intf)
	49	+static struct usb_host_interface *uas_find_uas_alt_setting(
	50	+ struct usb_interface *intf)
	51	{
	52	int i;
	53
	54	@@ -17,10 +18,10 @@ static int uas_find_uas_alt_setting(struct usb_interface *intf)
	55	struct usb_host_interface *alt = &intf->altsetting[i];
	56
	57	if (uas_is_interface(alt))
	58	- return alt->desc.bAlternateSetting;
	59	+ return alt;
	60	}
	61
	62	- return -ENODEV;
	63	+ return NULL;
	64	}
	65
	66	static int uas_find_endpoints(struct usb_host_interface *alt,
	67	@@ -58,14 +59,14 @@ static int uas_use_uas_driver(struct usb_interface *intf,
	68	struct usb_device *udev = interface_to_usbdev(intf);
	69	struct usb_hcd *hcd = bus_to_hcd(udev->bus);
	70	unsigned long flags = id->driver_info;
	71	- int r, alt;
	72	-
	73	+ struct usb_host_interface *alt;
	74	+ int r;
	75
	76	alt = uas_find_uas_alt_setting(intf);
	77	- if (alt < 0)
	78	+ if (!alt)
	79	return 0;
	80
	81	- r = uas_find_endpoints(&intf->altsetting[alt], eps);
	82	+ r = uas_find_endpoints(alt, eps);
	83	if (r < 0)
	84	return 0;
	85
	86	diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
	87	index 546bb2b1ffc2..f58ae4a84c11 100644
	88	--- a/drivers/usb/storage/uas.c
	89	+++ b/drivers/usb/storage/uas.c
	90	@@ -851,14 +851,14 @@ MODULE_DEVICE_TABLE(usb, uas_usb_ids);
	91	static int uas_switch_interface(struct usb_device *udev,
	92	struct usb_interface *intf)
	93	{
	94	- int alt;
	95	+ struct usb_host_interface *alt;
	96
	97	alt = uas_find_uas_alt_setting(intf);
	98	- if (alt < 0)
	99	- return alt;
	100	+ if (!alt)
	101	+ return -ENODEV;
	102
	103	- return usb_set_interface(udev,
	104	- intf->altsetting[0].desc.bInterfaceNumber, alt);
	105	+ return usb_set_interface(udev, alt->desc.bInterfaceNumber,
	106	+ alt->desc.bAlternateSetting);
	107	}
	108
	109	static int uas_configure_endpoints(struct uas_dev_info *devinfo)
	110	--
	111	cgit 1.2-0.3.lf.el7
	112