From 3851aabaf12dcc3e2d913ad581d584259dbef32c Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Mon, 4 Feb 2019 14:27:31 +0100 Subject: USB: CVE-2018-19985 USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=49be8dc589aee04c64d61e362c5029ab20fd6fd7 Change-Id: I26c1c763c075d8719ac4bff276d8b1785ae46ad8 Signed-off-by: Andreas Wellving --- patches/cve/4.14.x.scc | 2 + ...-OOB-memory-access-in-hso_probe-hso_get_c.patch | 74 ++++++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index db984b6..36143b1 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc @@ -17,3 +17,5 @@ patch CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch +CVEs fixed in 4.14.91: +patch CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch diff --git a/patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch b/patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch new file mode 100644 index 0000000..9d81696 --- /dev/null +++ b/patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch @@ -0,0 +1,74 @@ +From 49be8dc589aee04c64d61e362c5029ab20fd6fd7 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Wed, 12 Dec 2018 12:42:24 +0100 +Subject: [PATCH] USB: hso: Fix OOB memory access in + hso_probe/hso_get_config_data + +commit 5146f95df782b0ac61abde36567e718692725c89 upstream. + +The function hso_probe reads if_num from the USB device (as an u8) and uses +it without a length check to index an array, resulting in an OOB memory read +in hso_probe or hso_get_config_data. + +Add a length check for both locations and updated hso_probe to bail on +error. + +This issue has been assigned CVE-2018-19985. + +CVE: CVE-2018-19985 +Upstream-Status: Backport + +Reported-by: Hui Peng +Reported-by: Mathias Payer +Signed-off-by: Hui Peng +Signed-off-by: Mathias Payer +Reviewed-by: Sebastian Andrzej Siewior +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Andreas Wellving +--- + drivers/net/usb/hso.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c +index d7a3379ea668..18a0952f68a8 100644 +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -2806,6 +2806,12 @@ static int hso_get_config_data(struct usb_interface *interface) + return -EIO; + } + ++ /* check if we have a valid interface */ ++ if (if_num > 16) { ++ kfree(config_data); ++ return -EINVAL; ++ } ++ + switch (config_data[if_num]) { + case 0x0: + result = 0; +@@ -2876,10 +2882,18 @@ static int hso_probe(struct usb_interface *interface, + + /* Get the interface/port specification from either driver_info or from + * the device itself */ +- if (id->driver_info) ++ if (id->driver_info) { ++ /* if_num is controlled by the device, driver_info is a 0 terminated ++ * array. Make sure, the access is in bounds! */ ++ for (i = 0; i <= if_num; ++i) ++ if (((u32 *)(id->driver_info))[i] == 0) ++ goto exit; + port_spec = ((u32 *)(id->driver_info))[if_num]; +- else ++ } else { + port_spec = hso_get_config_data(interface); ++ if (port_spec < 0) ++ goto exit; ++ } + + /* Check if we need to switch to alt interfaces prior to port + * configuration */ +-- +2.19.2 + -- cgit v1.2.3-54-g00ecf