2 files changed, 76 insertions, 0 deletions
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc
index db984b6..36143b1 100644
--- a/patches/cve/4.14.x.scc
+++ b/patches/cve/4.14.x.scc
@@ -17,3 +17,5 @@ patch CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch
 patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch
 patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch
 patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
+CVEs fixed in 4.14.91:
+patch CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch
diff --git a/patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch b/patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch
new file mode 100644
index 0000000..9d81696
--- /dev/null
+++ b/patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch
@@ -0,0 +1,74 @@
+From 49be8dc589aee04c64d61e362c5029ab20fd6fd7 Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@gmail.com>
+Date: Wed, 12 Dec 2018 12:42:24 +0100
+Subject: [PATCH] USB: hso: Fix OOB memory access in
+ hso_probe/hso_get_config_data
+commit 5146f95df782b0ac61abde36567e718692725c89 upstream.
+The function hso_probe reads if_num from the USB device (as an u8) and uses
+it without a length check to index an array, resulting in an OOB memory read
+in hso_probe or hso_get_config_data.
+Add a length check for both locations and updated hso_probe to bail on
+error.
+This issue has been assigned CVE-2018-19985.
+CVE: CVE-2018-19985
+Upstream-Status: Backport
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ drivers/net/usb/hso.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
+index d7a3379ea668..18a0952f68a8 100644
+--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
+@@ -2806,6 +2806,12 @@ static int hso_get_config_data(struct usb_interface *interface)
+                return -EIO;
+        }
+ 
+       /* check if we have a valid interface */
+       if (if_num > 16) {
+               kfree(config_data);
+               return -EINVAL;
+       }
+
+        switch (config_data[if_num]) {
+        case 0x0:
+                result = 0;
+@@ -2876,10 +2882,18 @@ static int hso_probe(struct usb_interface *interface,
+ 
+        /* Get the interface/port specification from either driver_info or from
+         * the device itself */
+-       if (id->driver_info)
+       if (id->driver_info) {
+               /* if_num is controlled by the device, driver_info is a 0 terminated
+                * array. Make sure, the access is in bounds! */
+               for (i = 0; i <= if_num; ++i)
+                       if (((u32 *)(id->driver_info))[i] == 0)
+                               goto exit;
+                port_spec = ((u32 *)(id->driver_info))[if_num];
+-       else
+       } else {
+                port_spec = hso_get_config_data(interface);
+               if (port_spec < 0)
+                       goto exit;
+       }
+ 
+        /* Check if we need to switch to alt interfaces prior to port
+         * configuration */
+-- 
+2.19.2

diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index db984b6..36143b1 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc
@@ -17,3 +17,5 @@ patch CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch
17	patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch	17	patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch
18	patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch	18	patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch
19	patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch	19	patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
		20	CVEs fixed in 4.14.91:
		21	patch CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch


diff --git a/patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch b/patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch new file mode 100644 index 0000000..9d81696 --- /dev/null +++ b/patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch
@@ -0,0 +1,74 @@
		1	From 49be8dc589aee04c64d61e362c5029ab20fd6fd7 Mon Sep 17 00:00:00 2001
		2	From: Hui Peng <benquike@gmail.com>
		3	Date: Wed, 12 Dec 2018 12:42:24 +0100
		4	Subject: [PATCH] USB: hso: Fix OOB memory access in
		5	hso_probe/hso_get_config_data
		6
		7	commit 5146f95df782b0ac61abde36567e718692725c89 upstream.
		8
		9	The function hso_probe reads if_num from the USB device (as an u8) and uses
		10	it without a length check to index an array, resulting in an OOB memory read
		11	in hso_probe or hso_get_config_data.
		12
		13	Add a length check for both locations and updated hso_probe to bail on
		14	error.
		15
		16	This issue has been assigned CVE-2018-19985.
		17
		18	CVE: CVE-2018-19985
		19	Upstream-Status: Backport
		20
		21	Reported-by: Hui Peng <benquike@gmail.com>
		22	Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
		23	Signed-off-by: Hui Peng <benquike@gmail.com>
		24	Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
		25	Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
		26	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		27	Signed-off-by: David S. Miller <davem@davemloft.net>
		28	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		29	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		30	---
		31	drivers/net/usb/hso.c \| 18 ++++++++++++++++--
		32	1 file changed, 16 insertions(+), 2 deletions(-)
		33
		34	diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
		35	index d7a3379ea668..18a0952f68a8 100644
		36	--- a/drivers/net/usb/hso.c
		37	+++ b/drivers/net/usb/hso.c
		38	@@ -2806,6 +2806,12 @@ static int hso_get_config_data(struct usb_interface *interface)
		39	return -EIO;
		40	}
		41
		42	+ /* check if we have a valid interface */
		43	+ if (if_num > 16) {
		44	+ kfree(config_data);
		45	+ return -EINVAL;
		46	+ }
		47	+
		48	switch (config_data[if_num]) {
		49	case 0x0:
		50	result = 0;
		51	@@ -2876,10 +2882,18 @@ static int hso_probe(struct usb_interface *interface,
		52
		53	/* Get the interface/port specification from either driver_info or from
		54	* the device itself */
		55	- if (id->driver_info)
		56	+ if (id->driver_info) {
		57	+ /* if_num is controlled by the device, driver_info is a 0 terminated
		58	+ * array. Make sure, the access is in bounds! */
		59	+ for (i = 0; i <= if_num; ++i)
		60	+ if (((u32 *)(id->driver_info))[i] == 0)
		61	+ goto exit;
		62	port_spec = ((u32 *)(id->driver_info))[if_num];
		63	- else
		64	+ } else {
		65	port_spec = hso_get_config_data(interface);
		66	+ if (port_spec < 0)
		67	+ goto exit;
		68	+ }
		69
		70	/* Check if we need to switch to alt interfaces prior to port
		71	* configuration */
		72	--
		73	2.19.2
		74