USB: CVE-2018-20169

USB: check usb_get_extra_descriptor for proper size References: https://nvd.nist.gov/vuln/detail/CVE-2018-20169 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=fe26b8d06e965239795bee0a71c9073bed931716 Change-Id: I56a237c0e8c4ac8bd823f4b9f92f2bdb3d16a272 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-07-10 14:30:49 +0200
committer: Adrian Stratulat <adrian.stratulat@enea.com> 2019-07-12 10:46:58 +0200
commit: e1a607a34c7f712935cb12d758f17e2cc6f6804c (patch)
tree: f769d46b73db3e0694a9f24c9f9c87fb3fcec4b7
parent: bfbf05844a901a063b37f1b32785df899ed415ab (diff)
download: enea-kernel-cache-e1a607a34c7f712935cb12d758f17e2cc6f6804c.tar.gz
2 files changed, 110 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 9665d3f..0e01c9a 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -60,3 +60,6 @@ patch CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch
 #CVEs fixed in 4.9.144:
 patch CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch
+#CVEs fixed in 4.9.145:
+patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
diff --git a/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch b/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
new file mode 100644
index 0000000..682d95b
--- /dev/null
+++ b/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
@@ -0,0 +1,107 @@
+From fe26b8d06e965239795bee0a71c9073bed931716 Mon Sep 17 00:00:00 2001
+From: Mathias Payer <mathias.payer@nebelwelt.net>
+Date: Wed, 5 Dec 2018 21:19:59 +0100
+Subject: [PATCH] USB: check usb_get_extra_descriptor for proper size
+commit 704620afc70cf47abb9d6a1a57f3825d2bca49cf upstream.
+When reading an extra descriptor, we need to properly check the minimum
+and maximum size allowed, to prevent from invalid data being sent by a
+device.
+CVE: CVE-2018-20169
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=fe26b8d06e965239795bee0a71c9073bed931716]
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ drivers/usb/core/hub.c    | 2 +-
+ drivers/usb/core/usb.c    | 6 +++---
+ drivers/usb/host/hwa-hc.c | 2 +-
+ include/linux/usb.h       | 4 ++--
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 851f5a553de2..67679f619c3b 100644
+--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
+@@ -2225,7 +2225,7 @@ static int usb_enumerate_device_otg(struct usb_device *udev)
+                /* descriptor may appear anywhere in config */
+                err = __usb_get_extra_descriptor(udev->rawdescriptors[0],
+                                le16_to_cpu(udev->config[0].desc.wTotalLength),
+-                               USB_DT_OTG, (void **) &desc);
+                               USB_DT_OTG, (void **) &desc, sizeof(*desc));
+                if (err || !(desc->bmAttributes & USB_OTG_HNP))
+                        return 0;
+ 
+diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
+index 891261b43c67..f3996ba71a59 100644
+--- a/drivers/usb/core/usb.c
+++ b/drivers/usb/core/usb.c
+@@ -696,14 +696,14 @@ EXPORT_SYMBOL_GPL(usb_get_current_frame_number);
+  */
+ 
+ int __usb_get_extra_descriptor(char *buffer, unsigned size,
+-                              unsigned char type, void **ptr)
+                              unsigned char type, void **ptr, size_t minsize)
+ {
+        struct usb_descriptor_header *header;
+ 
+        while (size >= sizeof(struct usb_descriptor_header)) {
+                header = (struct usb_descriptor_header *)buffer;
+ 
+-               if (header->bLength < 2) {
+               if (header->bLength < 2 || header->bLength > size) {
+                        printk(KERN_ERR
+                                "%s: bogus descriptor, type %d length %d\n",
+                                usbcore_name,
+@@ -712,7 +712,7 @@ int __usb_get_extra_descriptor(char *buffer, unsigned size,
+                        return -1;
+                }
+ 
+-               if (header->bDescriptorType == type) {
+               if (header->bDescriptorType == type && header->bLength >= minsize) {
+                        *ptr = header;
+                        return 0;
+                }
+diff --git a/drivers/usb/host/hwa-hc.c b/drivers/usb/host/hwa-hc.c
+index 1db0626c8bf4..97750f162f01 100644
+--- a/drivers/usb/host/hwa-hc.c
+++ b/drivers/usb/host/hwa-hc.c
+@@ -654,7 +654,7 @@ static int hwahc_security_create(struct hwahc *hwahc)
+        top = itr + itr_size;
+        result = __usb_get_extra_descriptor(usb_dev->rawdescriptors[index],
+                        le16_to_cpu(usb_dev->actconfig->desc.wTotalLength),
+-                       USB_DT_SECURITY, (void **) &secd);
+                       USB_DT_SECURITY, (void **) &secd, sizeof(*secd));
+        if (result == -1) {
+                dev_warn(dev, "BUG? WUSB host has no security descriptors\n");
+                return 0;
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index eba1f10e8cfd..346665a0c49d 100644
+--- a/include/linux/usb.h
+++ b/include/linux/usb.h
+@@ -336,11 +336,11 @@ struct usb_host_bos {
+ };
+ 
+ int __usb_get_extra_descriptor(char *buffer, unsigned size,
+-       unsigned char type, void **ptr);
+       unsigned char type, void **ptr, size_t min);
+ #define usb_get_extra_descriptor(ifpoint, type, ptr) \
+                                __usb_get_extra_descriptor((ifpoint)->extra, \
+                                (ifpoint)->extralen, \
+-                               type, (void **)ptr)
+                               type, (void **)ptr, sizeof(**(ptr)))
+ 
+ /* ----------------------------------------------------------------------- */
+ 
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-07-10 14:30:49 +0200
committer	Adrian Stratulat <adrian.stratulat@enea.com>	2019-07-12 10:46:58 +0200
commit	e1a607a34c7f712935cb12d758f17e2cc6f6804c (patch)
tree	f769d46b73db3e0694a9f24c9f9c87fb3fcec4b7
parent	bfbf05844a901a063b37f1b32785df899ed415ab (diff)
download	enea-kernel-cache-e1a607a34c7f712935cb12d758f17e2cc6f6804c.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 9665d3f..0e01c9a 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -60,3 +60,6 @@ patch CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch
60		60
61	#CVEs fixed in 4.9.144:	61	#CVEs fixed in 4.9.144:
62	patch CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch	62	patch CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch
		63
		64	#CVEs fixed in 4.9.145:
		65	patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch


diff --git a/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch b/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch new file mode 100644 index 0000000..682d95b --- /dev/null +++ b/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
@@ -0,0 +1,107 @@
		1	From fe26b8d06e965239795bee0a71c9073bed931716 Mon Sep 17 00:00:00 2001
		2	From: Mathias Payer <mathias.payer@nebelwelt.net>
		3	Date: Wed, 5 Dec 2018 21:19:59 +0100
		4	Subject: [PATCH] USB: check usb_get_extra_descriptor for proper size
		5
		6	commit 704620afc70cf47abb9d6a1a57f3825d2bca49cf upstream.
		7
		8	When reading an extra descriptor, we need to properly check the minimum
		9	and maximum size allowed, to prevent from invalid data being sent by a
		10	device.
		11
		12	CVE: CVE-2018-20169
		13	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=fe26b8d06e965239795bee0a71c9073bed931716]
		14
		15	Reported-by: Hui Peng <benquike@gmail.com>
		16	Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
		17	Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
		18	Signed-off-by: Hui Peng <benquike@gmail.com>
		19	Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
		20	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
		21	Cc: stable <stable@kernel.org>
		22	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		23	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		24	---
		25	drivers/usb/core/hub.c \| 2 +-
		26	drivers/usb/core/usb.c \| 6 +++---
		27	drivers/usb/host/hwa-hc.c \| 2 +-
		28	include/linux/usb.h \| 4 ++--
		29	4 files changed, 7 insertions(+), 7 deletions(-)
		30
		31	diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
		32	index 851f5a553de2..67679f619c3b 100644
		33	--- a/drivers/usb/core/hub.c
		34	+++ b/drivers/usb/core/hub.c
		35	@@ -2225,7 +2225,7 @@ static int usb_enumerate_device_otg(struct usb_device *udev)
		36	/* descriptor may appear anywhere in config */
		37	err = __usb_get_extra_descriptor(udev->rawdescriptors[0],
		38	le16_to_cpu(udev->config[0].desc.wTotalLength),
		39	- USB_DT_OTG, (void **) &desc);
		40	+ USB_DT_OTG, (void *) &desc, sizeof(desc));
		41	if (err \|\| !(desc->bmAttributes & USB_OTG_HNP))
		42	return 0;
		43
		44	diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
		45	index 891261b43c67..f3996ba71a59 100644
		46	--- a/drivers/usb/core/usb.c
		47	+++ b/drivers/usb/core/usb.c
		48	@@ -696,14 +696,14 @@ EXPORT_SYMBOL_GPL(usb_get_current_frame_number);
		49	*/
		50
		51	int __usb_get_extra_descriptor(char *buffer, unsigned size,
		52	- unsigned char type, void **ptr)
		53	+ unsigned char type, void **ptr, size_t minsize)
		54	{
		55	struct usb_descriptor_header *header;
		56
		57	while (size >= sizeof(struct usb_descriptor_header)) {
		58	header = (struct usb_descriptor_header *)buffer;
		59
		60	- if (header->bLength < 2) {
		61	+ if (header->bLength < 2 \|\| header->bLength > size) {
		62	printk(KERN_ERR
		63	"%s: bogus descriptor, type %d length %d\n",
		64	usbcore_name,
		65	@@ -712,7 +712,7 @@ int __usb_get_extra_descriptor(char *buffer, unsigned size,
		66	return -1;
		67	}
		68
		69	- if (header->bDescriptorType == type) {
		70	+ if (header->bDescriptorType == type && header->bLength >= minsize) {
		71	*ptr = header;
		72	return 0;
		73	}
		74	diff --git a/drivers/usb/host/hwa-hc.c b/drivers/usb/host/hwa-hc.c
		75	index 1db0626c8bf4..97750f162f01 100644
		76	--- a/drivers/usb/host/hwa-hc.c
		77	+++ b/drivers/usb/host/hwa-hc.c
		78	@@ -654,7 +654,7 @@ static int hwahc_security_create(struct hwahc *hwahc)
		79	top = itr + itr_size;
		80	result = __usb_get_extra_descriptor(usb_dev->rawdescriptors[index],
		81	le16_to_cpu(usb_dev->actconfig->desc.wTotalLength),
		82	- USB_DT_SECURITY, (void **) &secd);
		83	+ USB_DT_SECURITY, (void *) &secd, sizeof(secd));
		84	if (result == -1) {
		85	dev_warn(dev, "BUG? WUSB host has no security descriptors\n");
		86	return 0;
		87	diff --git a/include/linux/usb.h b/include/linux/usb.h
		88	index eba1f10e8cfd..346665a0c49d 100644
		89	--- a/include/linux/usb.h
		90	+++ b/include/linux/usb.h
		91	@@ -336,11 +336,11 @@ struct usb_host_bos {
		92	};
		93
		94	int __usb_get_extra_descriptor(char *buffer, unsigned size,
		95	- unsigned char type, void **ptr);
		96	+ unsigned char type, void **ptr, size_t min);
		97	#define usb_get_extra_descriptor(ifpoint, type, ptr) \
		98	__usb_get_extra_descriptor((ifpoint)->extra, \
		99	(ifpoint)->extralen, \
		100	- type, (void **)ptr)
		101	+ type, (void )ptr, sizeof((ptr)))
		102
		103	/* ----------------------------------------------------------------------- */
		104
		105	--
		106	2.20.1
		107