From ab9c8d0c68d267c71d21a7d0996c9fa264844325 Mon Sep 17 00:00:00 2001
From: Adrian Stratulat
Date: Wed, 30 Oct 2019 12:44:57 +0100
Subject: input: CVE-2017-16645 Input: ims-psu - check if CDC union descriptor is sane
References: https://nvd.nist.gov/vuln/detail/CVE-2017-16645 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ea04efee7635c9120d015dcdeeeb6988130cb67a https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=84513107dc8602c675ec871b616128b49c6e259e
Change-Id: Iab16548726e55b3621e5c8ae6be0ea487bb3064f
Signed-off-by: Adrian Stratulat
---
patches/cve/CVE-2017-16645.patch | 59 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 patches/cve/CVE-2017-16645.patch
diff --git a/patches/cve/CVE-2017-16645.patch b/patches/cve/CVE-2017-16645.patch
new file mode 100644
index 0000000..96992e7
--- /dev/null
+++ b/patches/cve/CVE-2017-16645.patch
@@ -0,0 +1,59 @@
+From 84513107dc8602c675ec871b616128b49c6e259e Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Sat, 7 Oct 2017 11:07:47 -0700
+Subject: Input: ims-psu - check if CDC union descriptor is sane
+
+[ Upstream commit ea04efee7635c9120d015dcdeeeb6988130cb67a ]
+
+Before trying to use CDC union descriptor, try to validate whether that it
+is sane by checking that intf->altsetting->extra is big enough and that
+descriptor bLength is not too big and not too small.
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/drivers/input/misc/ims-pcu.c?h=linux-4.1.y&id=84513107dc8602c675ec871b616128b49c6e259e]
+CVE: CVE-2017-16645
+
+Reported-by: Andrey Konovalov
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+Signed-off-by: Adrian Stratulat
+---
+ drivers/input/misc/ims-pcu.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+(limited to 'drivers/input/misc/ims-pcu.c')
+
+diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
+index f4e8fbec6a94..b5304e264881 100644
+--- a/drivers/input/misc/ims-pcu.c
++++ b/drivers/input/misc/ims-pcu.c
+@@ -1635,13 +1635,25 @@ ims_pcu_get_cdc_union_desc(struct usb_interface *intf)
+ return NULL;
+ }
+
+- while (buflen > 0) {
++ while (buflen >= sizeof(*union_desc)) {
+ union_desc = (struct usb_cdc_union_desc *)buf;
+
++ if (union_desc->bLength > buflen) {
++ dev_err(&intf->dev, "Too large descriptor\n");
++ return NULL;
++ }
++
+ if (union_desc->bDescriptorType == USB_DT_CS_INTERFACE &&
+ union_desc->bDescriptorSubType == USB_CDC_UNION_TYPE) {
+ dev_dbg(&intf->dev, "Found union header\n");
+- return union_desc;
++
++ if (union_desc->bLength >= sizeof(*union_desc))
++ return union_desc;
++
++ dev_err(&intf->dev,
++ "Union descriptor to short (%d vs %zd\n)",
++ union_desc->bLength, sizeof(*union_desc));
++ return NULL;
+ }
+
+ buflen -= union_desc->bLength;
+--
+cgit 1.2-0.3.lf.el7
+
-- cgit v1.2.3-54-g00ecf
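Review bot: The rewritten loop in ims_pcu_get_cdc_union_desc() puts an upper bound on `bLength` but no lower bound for descriptors that are not the union header, so an entry reporting `bLength` of 0 would leave `buflen` unchanged at the `buflen -= union_desc->bLength;` context line and the walk would never advance. Whether the USB core already rejects such descriptors before they reach `extra` is not visible in this hunk, so a local guard such as `if (union_desc->bLength < 2) return NULL;` ahead of the "Too large descriptor" check would make termination evident from the function itself. The added `dev_err` format string `"Union descriptor to short (%d vs %zd\n)"` also places the newline before the closing parenthesis and prints a `size_t` with `%zd`; `"Union descriptor too short (%d vs %zu)\n"` would read correctly in the log. Since this file is a verbatim stable backport, both points are better carried as a follow-up patch than as edits to it. The function starts before the inner hunk and the loop body continues past its last line.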