author | Adrian Stratulat <adrian.stratulat@enea.com> | 2019-10-30 12:27:09 +0100 |
---|---|---|
committer | Adrian Stratulat <adrian.stratulat@enea.com> | 2019-10-30 12:29:28 +0100 |
commit | 6bced213c9f1888da4eb709102e0d37a1ea7dc20 (patch) | |
tree | 76e7147dc4e73628cb32b5f5fde08363062683d5 | |
parent | ce752ac00b50afd2a1312d42b855c00f7b4eddc3 (diff) | |
download | enea-kernel-cache-6bced213c9f1888da4eb709102e0d37a1ea7dc20.tar.gz |
USB: uas: CVE-2017-16530
USB: uas: fix bug in handling of alternate settings
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-16530
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=786de92b3cb26012d3d0f00ee37adf14527f35c4
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=0078c8c1a6819a8badf212df782e090559055241
Change-Id: Id5cc402241d763ddf08cfba8bcbde97977df114c
Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
-rw-r--r-- | patches/cve/CVE-2017-16530.patch | 112 |
1 files changed, 112 insertions, 0 deletions
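--- /dev/null
+++ b/patches/cve/CVE-2017-16530.patch
@@ -0,0 +1,112 @@
+From 0078c8c1a6819a8badf212df782e090559055241 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 22 Sep 2017 11:56:49 -0400
+Subject: USB: uas: fix bug in handling of alternate settings
+
+[ Upstream commit 786de92b3cb26012d3d0f00ee37adf14527f35c4 ]
+
+The uas driver has a subtle bug in the way it handles alternate
+settings. The uas_find_uas_alt_setting() routine returns an
+altsetting value (the bAlternateSetting number in the descriptor), but
+uas_use_uas_driver() then treats that value as an index to the
+intf->altsetting array, which it isn't.
+
+Normally this doesn't cause any problems because the various
+alternate settings have bAlternateSetting values 0, 1, 2, ..., so the
+value is equal to the index in the array. But this is not guaranteed,
+and Andrey Konovalov used the syzkaller fuzzer with KASAN to get a
+slab-out-of-bounds error by violating this assumption.
+
+This patch fixes the bug by making uas_find_uas_alt_setting() return a
+pointer to the altsetting entry rather than either the value or the
+index. Pointers are less subject to misinterpretation.
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=0078c8c1a6819a8badf212df782e090559055241]
+CVE: CVE-2017-16530
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+CC: Oliver Neukum <oneukum@suse.com>
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
+---
+drivers/usb/storage/uas-detect.h | 15 ++++++++-------
+drivers/usb/storage/uas.c | 10 +++++-----
+2 files changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/usb/storage/uas-detect.h b/drivers/usb/storage/uas-detect.h
+index f58caa9e6a27..a155cd02bce2 100644
+--- a/drivers/usb/storage/uas-detect.h
++++ b/drivers/usb/storage/uas-detect.h
+@@ -9,7 +9,8 @@ static int uas_is_interface(struct usb_host_interface *intf)
+intf->desc.bInterfaceProtocol == USB_PR_UAS);
+}
+
+-static int uas_find_uas_alt_setting(struct usb_interface *intf)
++static struct usb_host_interface *uas_find_uas_alt_setting(
++ struct usb_interface *intf)
+{
+int i;
+
+@@ -17,10 +18,10 @@ static int uas_find_uas_alt_setting(struct usb_interface *intf)
+struct usb_host_interface *alt = &intf->altsetting[i];
+
+if (uas_is_interface(alt))
+- return alt->desc.bAlternateSetting;
++ return alt;
+}
+
+- return -ENODEV;
++ return NULL;
+}
+
+static int uas_find_endpoints(struct usb_host_interface *alt,
+@@ -58,14 +59,14 @@ static int uas_use_uas_driver(struct usb_interface *intf,
+struct usb_device *udev = interface_to_usbdev(intf);
+struct usb_hcd *hcd = bus_to_hcd(udev->bus);
+unsigned long flags = id->driver_info;
+- int r, alt;
+-
++ struct usb_host_interface *alt;
++ int r;
+
+alt = uas_find_uas_alt_setting(intf);
+- if (alt < 0)
++ if (!alt)
+return 0;
+
+- r = uas_find_endpoints(&intf->altsetting[alt], eps);
++ r = uas_find_endpoints(alt, eps);
+if (r < 0)
+return 0;
+
+diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
+index 546bb2b1ffc2..f58ae4a84c11 100644
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -851,14 +851,14 @@ MODULE_DEVICE_TABLE(usb, uas_usb_ids);
+static int uas_switch_interface(struct usb_device *udev,
+struct usb_interface *intf)
+{
+- int alt;
++ struct usb_host_interface *alt;
+
+alt = uas_find_uas_alt_setting(intf);
+- if (alt < 0)
+- return alt;
++ if (!alt)
++ return -ENODEV;
+
+- return usb_set_interface(udev,
+- intf->altsetting[0].desc.bInterfaceNumber, alt);
++ return usb_set_interface(udev, alt->desc.bInterfaceNumber,
++ alt->desc.bAlternateSetting);
+}
+
+static int uas_configure_endpoints(struct uas_dev_info *devinfo)
+--
+cgit 1.2-0.3.lf.el7
+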
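Review bot: Nothing in this commit references the new patches/cve/CVE-2017-16530.patch, since the diffstat lists it as the only file changed. If patches in this tree are selected through an .scc description, the uas fix will not reach a built kernel until a line such as `patch CVE-2017-16530.patch` is added there; that file is not visible on this page, so this may already be handled elsewhere. The Upstream-Status line points at the linux-4.1.y backport, so it is worth confirming the patch is wired only into the matching kernel branch, because the context lines in uas-detect.h and uas.c are specific to that tree. Inside the carried patch, both callers test the returned pointer with `if (!alt)` before dereferencing it, which is the check that matters for the slab-out-of-bounds read described in the message. The bodies of uas_use_uas_driver() and uas_find_uas_alt_setting() continue outside the hunks shown, so the loop bound over intf->altsetting cannot be reviewed from here.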