diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2019-02-04 14:22:44 +0100 |
|---|---|---|
| committer | Andreas Wellving <andreas.wellving@enea.com> | 2019-02-04 14:22:44 +0100 |
| commit | 141a35ca52ecfadd1ef997d94f5acae8c8081780 (patch) | |
| tree | 587674927efa8726a653a9ebb460f07cabdec6b4 | |
| parent | e8c309fe8becda3d5d7c95cdfc685e2f38ccc3ba (diff) | |
| download | enea-kernel-cache-141a35ca52ecfadd1ef997d94f5acae8c8081780.tar.gz | |
USB: CVE-2018-20169
USB: check usb_get_extra_descriptor for proper size
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-20169
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=7b6e85da8d94948201abb8d576d485892a6a878f
Change-Id: I4676564b2b6d596406e0d3730a43e331a108f7d7
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
| -rw-r--r-- | patches/cve/4.14.x.scc | 1 | ||||
| -rw-r--r-- | patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch | 107 |
2 files changed, 108 insertions, 0 deletions
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index a33811b..db984b6 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc | |||
| @@ -16,3 +16,4 @@ patch CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch | |||
| 16 | #CVEs fixed in 4.14.88: | 16 | #CVEs fixed in 4.14.88: |
| 17 | patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch | 17 | patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch |
| 18 | patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch | 18 | patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch |
| 19 | patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch | ||
diff --git a/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch b/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch new file mode 100644 index 0000000..1c1f9b9 --- /dev/null +++ b/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch | |||
| @@ -0,0 +1,107 @@ | |||
| 1 | From 7b6e85da8d94948201abb8d576d485892a6a878f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Mathias Payer <mathias.payer@nebelwelt.net> | ||
| 3 | Date: Wed, 5 Dec 2018 21:19:59 +0100 | ||
| 4 | Subject: [PATCH] USB: check usb_get_extra_descriptor for proper size | ||
| 5 | |||
| 6 | commit 704620afc70cf47abb9d6a1a57f3825d2bca49cf upstream. | ||
| 7 | |||
| 8 | When reading an extra descriptor, we need to properly check the minimum | ||
| 9 | and maximum size allowed, to prevent from invalid data being sent by a | ||
| 10 | device. | ||
| 11 | |||
| 12 | CVE: CVE-2018-20169 | ||
| 13 | Upstream-Status: Backport | ||
| 14 | |||
| 15 | Reported-by: Hui Peng <benquike@gmail.com> | ||
| 16 | Reported-by: Mathias Payer <mathias.payer@nebelwelt.net> | ||
| 17 | Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org> | ||
| 18 | Signed-off-by: Hui Peng <benquike@gmail.com> | ||
| 19 | Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net> | ||
| 20 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | ||
| 21 | Cc: stable <stable@kernel.org> | ||
| 22 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 23 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 24 | --- | ||
| 25 | drivers/usb/core/hub.c | 2 +- | ||
| 26 | drivers/usb/core/usb.c | 6 +++--- | ||
| 27 | drivers/usb/host/hwa-hc.c | 2 +- | ||
| 28 | include/linux/usb.h | 4 ++-- | ||
| 29 | 4 files changed, 7 insertions(+), 7 deletions(-) | ||
| 30 | |||
| 31 | diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c | ||
| 32 | index 638dc6f66d70..a073cb5be013 100644 | ||
| 33 | --- a/drivers/usb/core/hub.c | ||
| 34 | +++ b/drivers/usb/core/hub.c | ||
| 35 | @@ -2231,7 +2231,7 @@ static int usb_enumerate_device_otg(struct usb_device *udev) | ||
| 36 | /* descriptor may appear anywhere in config */ | ||
| 37 | err = __usb_get_extra_descriptor(udev->rawdescriptors[0], | ||
| 38 | le16_to_cpu(udev->config[0].desc.wTotalLength), | ||
| 39 | - USB_DT_OTG, (void **) &desc); | ||
| 40 | + USB_DT_OTG, (void **) &desc, sizeof(*desc)); | ||
| 41 | if (err || !(desc->bmAttributes & USB_OTG_HNP)) | ||
| 42 | return 0; | ||
| 43 | |||
| 44 | diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c | ||
| 45 | index f8b50eaf6d1e..7a4e3da549fe 100644 | ||
| 46 | --- a/drivers/usb/core/usb.c | ||
| 47 | +++ b/drivers/usb/core/usb.c | ||
| 48 | @@ -833,14 +833,14 @@ EXPORT_SYMBOL_GPL(usb_get_current_frame_number); | ||
| 49 | */ | ||
| 50 | |||
| 51 | int __usb_get_extra_descriptor(char *buffer, unsigned size, | ||
| 52 | - unsigned char type, void **ptr) | ||
| 53 | + unsigned char type, void **ptr, size_t minsize) | ||
| 54 | { | ||
| 55 | struct usb_descriptor_header *header; | ||
| 56 | |||
| 57 | while (size >= sizeof(struct usb_descriptor_header)) { | ||
| 58 | header = (struct usb_descriptor_header *)buffer; | ||
| 59 | |||
| 60 | - if (header->bLength < 2) { | ||
| 61 | + if (header->bLength < 2 || header->bLength > size) { | ||
| 62 | printk(KERN_ERR | ||
| 63 | "%s: bogus descriptor, type %d length %d\n", | ||
| 64 | usbcore_name, | ||
| 65 | @@ -849,7 +849,7 @@ int __usb_get_extra_descriptor(char *buffer, unsigned size, | ||
| 66 | return -1; | ||
| 67 | } | ||
| 68 | |||
| 69 | - if (header->bDescriptorType == type) { | ||
| 70 | + if (header->bDescriptorType == type && header->bLength >= minsize) { | ||
| 71 | *ptr = header; | ||
| 72 | return 0; | ||
| 73 | } | ||
| 74 | diff --git a/drivers/usb/host/hwa-hc.c b/drivers/usb/host/hwa-hc.c | ||
| 75 | index da3b18038d23..216069c396a0 100644 | ||
| 76 | --- a/drivers/usb/host/hwa-hc.c | ||
| 77 | +++ b/drivers/usb/host/hwa-hc.c | ||
| 78 | @@ -654,7 +654,7 @@ static int hwahc_security_create(struct hwahc *hwahc) | ||
| 79 | top = itr + itr_size; | ||
| 80 | result = __usb_get_extra_descriptor(usb_dev->rawdescriptors[index], | ||
| 81 | le16_to_cpu(usb_dev->actconfig->desc.wTotalLength), | ||
| 82 | - USB_DT_SECURITY, (void **) &secd); | ||
| 83 | + USB_DT_SECURITY, (void **) &secd, sizeof(*secd)); | ||
| 84 | if (result == -1) { | ||
| 85 | dev_warn(dev, "BUG? WUSB host has no security descriptors\n"); | ||
| 86 | return 0; | ||
| 87 | diff --git a/include/linux/usb.h b/include/linux/usb.h | ||
| 88 | index 4192a1755ccb..8c7ba40cf021 100644 | ||
| 89 | --- a/include/linux/usb.h | ||
| 90 | +++ b/include/linux/usb.h | ||
| 91 | @@ -407,11 +407,11 @@ struct usb_host_bos { | ||
| 92 | }; | ||
| 93 | |||
| 94 | int __usb_get_extra_descriptor(char *buffer, unsigned size, | ||
| 95 | - unsigned char type, void **ptr); | ||
| 96 | + unsigned char type, void **ptr, size_t min); | ||
| 97 | #define usb_get_extra_descriptor(ifpoint, type, ptr) \ | ||
| 98 | __usb_get_extra_descriptor((ifpoint)->extra, \ | ||
| 99 | (ifpoint)->extralen, \ | ||
| 100 | - type, (void **)ptr) | ||
| 101 | + type, (void **)ptr, sizeof(**(ptr))) | ||
| 102 | |||
| 103 | /* ----------------------------------------------------------------------- */ | ||
| 104 | |||
| 105 | -- | ||
| 106 | 2.19.2 | ||
| 107 | |||
