author | Adrian Stratulat <adrian.stratulat@enea.com> | 2019-10-30 12:37:55 +0100 |
---|---|---|
committer | Adrian Stratulat <adrian.stratulat@enea.com> | 2019-10-30 12:39:34 +0100 |
commit | e5a7bd1d7d58dcfed990079e8f7377a4df875454 (patch) | |
tree | 9b2fa2a159e7da6913be34679f2144ada37619e7 | |
parent | 062a0edacf29e234b60d582dd38697793d8efb61 (diff) | |
download | enea-kernel-cache-e5a7bd1d7d58dcfed990079e8f7377a4df875454.tar.gz |
USB: core: CVE-2017-16535
USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-16535
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1c0edc3633b56000e18d82fc241e3995ca18a69e
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=9d13d3e05be29056eeab610d9ad26b04c9231a04
Change-Id: Ib86863293579750ddfb84bf62839d33bb5a75626
Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
-rw-r--r-- | patches/cve/CVE-2017-16535.patch | 50 |
1 files changed, 50 insertions, 0 deletions
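diff --git a/patches/cve/CVE-2017-16535.patch b/patches/cve/CVE-2017-16535.patch
new file mode 100644
index 0000000..19976cc
--- /dev/null
+++ b/patches/cve/CVE-2017-16535.patch
@@ -0,0 +1,50 @@
+From 9d13d3e05be29056eeab610d9ad26b04c9231a04 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 18 Oct 2017 12:49:38 -0400
+Subject: USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
+
+commit 1c0edc3633b56000e18d82fc241e3995ca18a69e upstream.
+
+Andrey used the syzkaller fuzzer to find an out-of-bounds memory
+access in usb_get_bos_descriptor(). The code wasn't checking that the
+next usb_dev_cap_header structure could fit into the remaining buffer
+space.
+
+This patch fixes the error and also reduces the bNumDeviceCaps field
+in the header to match the actual number of capabilities found, in
+cases where there are fewer than expected.
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=9d13d3e05be29056eeab610d9ad26b04c9231a04]
+CVE: CVE-2017-16535
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
+---
+drivers/usb/core/config.c | 6 ++++--
+1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
+index 11793386b4e9..5008f71fb08d 100644
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -837,10 +837,12 @@ int usb_get_bos_descriptor(struct usb_device *dev)
+for (i = 0; i < num; i++) {
+buffer += length;
+cap = (struct usb_dev_cap_header *)buffer;
+- length = cap->bLength;
+
+- if (total_len < length)
++ if (total_len < sizeof(*cap) || total_len < cap->bLength) {
++ dev->bos->desc->bNumDeviceCaps = i;
+break;
++ }
++ length = cap->bLength;
+total_len -= length;
+
+if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
+--
+cgit 1.2-0.3.lf.el7
+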
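Review bot: The guard added at `if (total_len < sizeof(*cap) || total_len < cap->bLength)` still accepts a capability whose `bLength` is smaller than the header itself, including 0, because it only compares both sizes against the remaining buffer. With such a value `length` stays below `sizeof(*cap)`, so the next iteration re-reads the same or an overlapping header; the loop remains bounded by `num`, but a descriptor that short is malformed and parsing should stop there. Consider `if (total_len < sizeof(*cap) || cap->bLength < sizeof(*cap) || total_len < cap->bLength) {`. The rest of usb_get_bos_descriptor() lies outside the hunk, so whether the per-capability handling further down also needs a minimum length per capability type cannot be confirmed from here and should be checked in the target tree before relying on this backport.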