From 141a35ca52ecfadd1ef997d94f5acae8c8081780 Mon Sep 17 00:00:00 2001
From: Andreas Wellving
Date: Mon, 4 Feb 2019 14:22:44 +0100
Subject: USB: CVE-2018-20169 USB: check usb_get_extra_descriptor for proper size
References: https://nvd.nist.gov/vuln/detail/CVE-2018-20169 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=7b6e85da8d94948201abb8d576d485892a6a878f
Change-Id: I4676564b2b6d596406e0d3730a43e331a108f7d7
Signed-off-by: Andreas Wellving
---
patches/cve/4.14.x.scc | 1 +
...-usb_get_extra_descriptor-for-proper-size.patch | 107 +++++++++++++++++++++
2 files changed, 108 insertions(+)
create mode 100644 patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc
index a33811b..db984b6 100644
--- a/patches/cve/4.14.x.scc
+++ b/patches/cve/4.14.x.scc
@@ -16,3 +16,4 @@ patch CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch
 #CVEs fixed in 4.14.88:
 patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch
 patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch
+patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
diff --git a/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch b/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
new file mode 100644
index 0000000..1c1f9b9
--- /dev/null
+++ b/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
@@ -0,0 +1,107 @@
+From 7b6e85da8d94948201abb8d576d485892a6a878f Mon Sep 17 00:00:00 2001
+From: Mathias Payer
+Date: Wed, 5 Dec 2018 21:19:59 +0100
+Subject: [PATCH] USB: check usb_get_extra_descriptor for proper size
+
+commit 704620afc70cf47abb9d6a1a57f3825d2bca49cf upstream.
+
+When reading an extra descriptor, we need to properly check the minimum
+and maximum size allowed, to prevent from invalid data being sent by a
+device.
+
+CVE: CVE-2018-20169
+Upstream-Status: Backport
+
+Reported-by: Hui Peng
+Reported-by: Mathias Payer
+Co-developed-by: Linus Torvalds
+Signed-off-by: Hui Peng
+Signed-off-by: Mathias Payer
+Signed-off-by: Linus Torvalds
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Andreas Wellving
+---
+ drivers/usb/core/hub.c | 2 +-
+ drivers/usb/core/usb.c | 6 +++---
+ drivers/usb/host/hwa-hc.c | 2 +-
+ include/linux/usb.h | 4 ++--
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 638dc6f66d70..a073cb5be013 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2231,7 +2231,7 @@ static int usb_enumerate_device_otg(struct usb_device *udev)
+ /* descriptor may appear anywhere in config */
+ err = __usb_get_extra_descriptor(udev->rawdescriptors[0],
+ le16_to_cpu(udev->config[0].desc.wTotalLength),
+- USB_DT_OTG, (void **) &desc);
++ USB_DT_OTG, (void **) &desc, sizeof(*desc));
+ if (err || !(desc->bmAttributes & USB_OTG_HNP))
+ return 0;
+
+diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
+index f8b50eaf6d1e..7a4e3da549fe 100644
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -833,14 +833,14 @@ EXPORT_SYMBOL_GPL(usb_get_current_frame_number);
+ */
+
+ int __usb_get_extra_descriptor(char *buffer, unsigned size,
+- unsigned char type, void **ptr)
++ unsigned char type, void **ptr, size_t minsize)
+ {
+ struct usb_descriptor_header *header;
+
+ while (size >= sizeof(struct usb_descriptor_header)) {
+ header = (struct usb_descriptor_header *)buffer;
+
+- if (header->bLength < 2) {
++ if (header->bLength < 2 || header->bLength > size) {
+ printk(KERN_ERR
+ "%s: bogus descriptor, type %d length %d\n",
+ usbcore_name,
+@@ -849,7 +849,7 @@ int __usb_get_extra_descriptor(char *buffer, unsigned size,
+ return -1;
+ }
+
+- if (header->bDescriptorType == type) {
++ if (header->bDescriptorType == type && header->bLength >= minsize) {
+ *ptr = header;
+ return 0;
+ }
+diff --git a/drivers/usb/host/hwa-hc.c b/drivers/usb/host/hwa-hc.c
+index da3b18038d23..216069c396a0 100644
+--- a/drivers/usb/host/hwa-hc.c
++++ b/drivers/usb/host/hwa-hc.c
+@@ -654,7 +654,7 @@ static int hwahc_security_create(struct hwahc *hwahc)
+ top = itr + itr_size;
+ result = __usb_get_extra_descriptor(usb_dev->rawdescriptors[index],
+ le16_to_cpu(usb_dev->actconfig->desc.wTotalLength),
+- USB_DT_SECURITY, (void **) &secd);
++ USB_DT_SECURITY, (void **) &secd, sizeof(*secd));
+ if (result == -1) {
+ dev_warn(dev, "BUG? WUSB host has no security descriptors\n");
+ return 0;
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 4192a1755ccb..8c7ba40cf021 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -407,11 +407,11 @@ struct usb_host_bos {
+ };
+
+ int __usb_get_extra_descriptor(char *buffer, unsigned size,
+- unsigned char type, void **ptr);
++ unsigned char type, void **ptr, size_t min);
+ #define usb_get_extra_descriptor(ifpoint, type, ptr) \
+ __usb_get_extra_descriptor((ifpoint)->extra, \
+ (ifpoint)->extralen, \
+- type, (void **)ptr)
++ type, (void **)ptr, sizeof(**(ptr)))
+
+ /* ----------------------------------------------------------------------- */
+
+--
+2.19.2
+
-- cgit v1.2.3-54-g00ecf
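Review bot: In the include/linux/usb.h part of the carried patch, the macro derives the minimum size from `sizeof(**(ptr))`, so the new `bLength >= minsize` bound in `__usb_get_extra_descriptor` is only as strong as the static type the caller passes. A caller handing in a `void **` would, under the GNU C `sizeof(void)` extension, likely get a minimum of 1, and for descriptors with a variable-length tail the bound covers only the fixed part, so such callers still have to check `bLength` before reading further. A comment above the macro would make that contract explicit, for example `/* ptr must point to a typed descriptor pointer; sizeof(**(ptr)) is the smallest bLength accepted */`. The prototype there also names the new parameter `size_t min` while the definition in drivers/usb/core/usb.c uses `size_t minsize`; using `minsize` in both keeps the declaration self-describing. The function's header comment ends just above the usb.c hunk and is not visible here, so it is worth confirming that it describes the new parameter.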