USB: core: CVE-2017-16535

USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() References: https://nvd.nist.gov/vuln/detail/CVE-2017-16535 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1c0edc3633b56000e18d82fc241e3995ca18a69e https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=9d13d3e05be29056eeab610d9ad26b04c9231a04 Change-Id: Ib86863293579750ddfb84bf62839d33bb5a75626 Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
author: Adrian Stratulat <adrian.stratulat@enea.com> 2019-10-30 12:37:55 +0100
committer: Adrian Stratulat <adrian.stratulat@enea.com> 2019-10-30 12:39:34 +0100
commit: e5a7bd1d7d58dcfed990079e8f7377a4df875454 (patch)
tree: 9b2fa2a159e7da6913be34679f2144ada37619e7
parent: 062a0edacf29e234b60d582dd38697793d8efb61 (diff)
download: enea-kernel-cache-e5a7bd1d7d58dcfed990079e8f7377a4df875454.tar.gz
1 files changed, 50 insertions, 0 deletions
diff --git a/patches/cve/CVE-2017-16535.patch b/patches/cve/CVE-2017-16535.patch
new file mode 100644
index 0000000..19976cc
--- /dev/null
+++ b/patches/cve/CVE-2017-16535.patch
@@ -0,0 +1,50 @@
+From 9d13d3e05be29056eeab610d9ad26b04c9231a04 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 18 Oct 2017 12:49:38 -0400
+Subject: USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
+commit 1c0edc3633b56000e18d82fc241e3995ca18a69e upstream.
+Andrey used the syzkaller fuzzer to find an out-of-bounds memory
+access in usb_get_bos_descriptor().  The code wasn't checking that the
+next usb_dev_cap_header structure could fit into the remaining buffer
+space.
+This patch fixes the error and also reduces the bNumDeviceCaps field
+in the header to match the actual number of capabilities found, in
+cases where there are fewer than expected.
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=9d13d3e05be29056eeab610d9ad26b04c9231a04]
+CVE: CVE-2017-16535
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
+---
+ drivers/usb/core/config.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
+index 11793386b4e9..5008f71fb08d 100644
+--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
+@@ -837,10 +837,12 @@ int usb_get_bos_descriptor(struct usb_device *dev)
+        for (i = 0; i < num; i++) {
+                buffer += length;
+                cap = (struct usb_dev_cap_header *)buffer;
+-               length = cap->bLength;
+ 
+-               if (total_len < length)
+               if (total_len < sizeof(*cap) || total_len < cap->bLength) {
+                       dev->bos->desc->bNumDeviceCaps = i;
+                        break;
+               }
+               length = cap->bLength;
+                total_len -= length;
+ 
+                if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
+-- 
+cgit 1.2-0.3.lf.el7
author	Adrian Stratulat <adrian.stratulat@enea.com>	2019-10-30 12:37:55 +0100
committer	Adrian Stratulat <adrian.stratulat@enea.com>	2019-10-30 12:39:34 +0100
commit	e5a7bd1d7d58dcfed990079e8f7377a4df875454 (patch)
tree	9b2fa2a159e7da6913be34679f2144ada37619e7
parent	062a0edacf29e234b60d582dd38697793d8efb61 (diff)
download	enea-kernel-cache-e5a7bd1d7d58dcfed990079e8f7377a4df875454.tar.gz

diff --git a/patches/cve/CVE-2017-16535.patch b/patches/cve/CVE-2017-16535.patch new file mode 100644 index 0000000..19976cc --- /dev/null +++ b/patches/cve/CVE-2017-16535.patch
@@ -0,0 +1,50 @@
	1	From 9d13d3e05be29056eeab610d9ad26b04c9231a04 Mon Sep 17 00:00:00 2001
	2	From: Alan Stern <stern@rowland.harvard.edu>
	3	Date: Wed, 18 Oct 2017 12:49:38 -0400
	4	Subject: USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
	5
	6	commit 1c0edc3633b56000e18d82fc241e3995ca18a69e upstream.
	7
	8	Andrey used the syzkaller fuzzer to find an out-of-bounds memory
	9	access in usb_get_bos_descriptor(). The code wasn't checking that the
	10	next usb_dev_cap_header structure could fit into the remaining buffer
	11	space.
	12
	13	This patch fixes the error and also reduces the bNumDeviceCaps field
	14	in the header to match the actual number of capabilities found, in
	15	cases where there are fewer than expected.
	16
	17	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=9d13d3e05be29056eeab610d9ad26b04c9231a04]
	18	CVE: CVE-2017-16535
	19
	20	Reported-by: Andrey Konovalov <andreyknvl@google.com>
	21	Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
	22	Tested-by: Andrey Konovalov <andreyknvl@google.com>
	23	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	24	Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
	25	---
	26	drivers/usb/core/config.c \| 6 ++++--
	27	1 file changed, 4 insertions(+), 2 deletions(-)
	28
	29	diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
	30	index 11793386b4e9..5008f71fb08d 100644
	31	--- a/drivers/usb/core/config.c
	32	+++ b/drivers/usb/core/config.c
	33	@@ -837,10 +837,12 @@ int usb_get_bos_descriptor(struct usb_device *dev)
	34	for (i = 0; i < num; i++) {
	35	buffer += length;
	36	cap = (struct usb_dev_cap_header *)buffer;
	37	- length = cap->bLength;
	38
	39	- if (total_len < length)
	40	+ if (total_len < sizeof(*cap) \|\| total_len < cap->bLength) {
	41	+ dev->bos->desc->bNumDeviceCaps = i;
	42	break;
	43	+ }
	44	+ length = cap->bLength;
	45	total_len -= length;
	46
	47	if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
	48	--
	49	cgit 1.2-0.3.lf.el7
	50