1 files changed, 54 insertions, 0 deletions
diff --git a/patches/cve/CVE-2017-17558-USB-core-prevent-malicious-bNumInterfaces-overflow.patch b/patches/cve/CVE-2017-17558-USB-core-prevent-malicious-bNumInterfaces-overflow.patch
new file mode 100644
index 0000000..8ed651d
--- /dev/null
+++ b/patches/cve/CVE-2017-17558-USB-core-prevent-malicious-bNumInterfaces-overflow.patch
@@ -0,0 +1,54 @@
+From 4c5ae6a301a5415d1334f6c655bebf91d475bd89 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 12 Dec 2017 14:25:13 -0500
+Subject: [PATCH] USB: core: prevent malicious bNumInterfaces overflow
+commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 upstream.
+A malicious USB device with crafted descriptors can cause the kernel
+to access unallocated memory by setting the bNumInterfaces value too
+high in a configuration descriptor.  Although the value is adjusted
+during parsing, this adjustment is skipped in one of the error return
+paths.
+This patch prevents the problem by setting bNumInterfaces to 0
+initially.  The existing code already sets it to the proper value
+after parsing is complete.
+CVE: CVE-2017-17558
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=4c5ae6a301a5415d1334f6c655bebf91d475bd89]
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ drivers/usb/core/config.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
+index c42a3e63eb07..843ef46d2537 100644
+--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
+@@ -555,6 +555,9 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
+        unsigned iad_num = 0;
+ 
+        memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
+       nintf = nintf_orig = config->desc.bNumInterfaces;
+       config->desc.bNumInterfaces = 0;        // Adjusted later
+
+        if (config->desc.bDescriptorType != USB_DT_CONFIG ||
+            config->desc.bLength < USB_DT_CONFIG_SIZE ||
+            config->desc.bLength > size) {
+@@ -568,7 +571,6 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
+        buffer += config->desc.bLength;
+        size -= config->desc.bLength;
+ 
+-       nintf = nintf_orig = config->desc.bNumInterfaces;
+        if (nintf > USB_MAXINTERFACES) {
+                dev_warn(ddev, "config %d has too many interfaces: %d, "
+                    "using maximum allowed: %d\n",
+-- 
+2.20.1

diff --git a/patches/cve/CVE-2017-17558-USB-core-prevent-malicious-bNumInterfaces-overflow.patch b/patches/cve/CVE-2017-17558-USB-core-prevent-malicious-bNumInterfaces-overflow.patch new file mode 100644 index 0000000..8ed651d --- /dev/null +++ b/patches/cve/CVE-2017-17558-USB-core-prevent-malicious-bNumInterfaces-overflow.patch
@@ -0,0 +1,54 @@
	1	From 4c5ae6a301a5415d1334f6c655bebf91d475bd89 Mon Sep 17 00:00:00 2001
	2	From: Alan Stern <stern@rowland.harvard.edu>
	3	Date: Tue, 12 Dec 2017 14:25:13 -0500
	4	Subject: [PATCH] USB: core: prevent malicious bNumInterfaces overflow
	5
	6	commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 upstream.
	7
	8	A malicious USB device with crafted descriptors can cause the kernel
	9	to access unallocated memory by setting the bNumInterfaces value too
	10	high in a configuration descriptor. Although the value is adjusted
	11	during parsing, this adjustment is skipped in one of the error return
	12	paths.
	13
	14	This patch prevents the problem by setting bNumInterfaces to 0
	15	initially. The existing code already sets it to the proper value
	16	after parsing is complete.
	17
	18	CVE: CVE-2017-17558
	19	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=4c5ae6a301a5415d1334f6c655bebf91d475bd89]
	20
	21
	22	Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
	23	Reported-by: Andrey Konovalov <andreyknvl@google.com>
	24	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	25	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	26	---
	27	drivers/usb/core/config.c \| 4 +++-
	28	1 file changed, 3 insertions(+), 1 deletion(-)
	29
	30	diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
	31	index c42a3e63eb07..843ef46d2537 100644
	32	--- a/drivers/usb/core/config.c
	33	+++ b/drivers/usb/core/config.c
	34	@@ -555,6 +555,9 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
	35	unsigned iad_num = 0;
	36
	37	memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
	38	+ nintf = nintf_orig = config->desc.bNumInterfaces;
	39	+ config->desc.bNumInterfaces = 0; // Adjusted later
	40	+
	41	if (config->desc.bDescriptorType != USB_DT_CONFIG \|\|
	42	config->desc.bLength < USB_DT_CONFIG_SIZE \|\|
	43	config->desc.bLength > size) {
	44	@@ -568,7 +571,6 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
	45	buffer += config->desc.bLength;
	46	size -= config->desc.bLength;
	47
	48	- nintf = nintf_orig = config->desc.bNumInterfaces;
	49	if (nintf > USB_MAXINTERFACES) {
	50	dev_warn(ddev, "config %d has too many interfaces: %d, "
	51	"using maximum allowed: %d\n",
	52	--
	53	2.20.1
	54