From 2a790eef3b2f6607ef5e8b1c041ba5f77717e41c Mon Sep 17 00:00:00 2001 From: Adrian Stratulat Date: Wed, 30 Oct 2019 12:30:26 +0100 Subject: USB: CVE-2017-16531 USB: fix out-of-bounds in usb_set_configuration References: https://nvd.nist.gov/vuln/detail/CVE-2017-16531 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=de5ffcc63dbdaffffd93934003fd527673f4da0a Change-Id: I04f538f1ee61459772eb21f85764ed76a82fb342 Signed-off-by: Adrian Stratulat
---
patches/cve/CVE-2017-16531.patch | 77 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 patches/cve/CVE-2017-16531.patch
diff --git a/patches/cve/CVE-2017-16531.patch b/patches/cve/CVE-2017-16531.patch
new file mode 100644
index 0000000..bc8d2c5
--- /dev/null
+++ b/patches/cve/CVE-2017-16531.patch
@@ -0,0 +1,77 @@
+From de5ffcc63dbdaffffd93934003fd527673f4da0a Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Tue, 19 Sep 2017 15:07:17 +0200
+Subject: USB: fix out-of-bounds in usb_set_configuration
+
+[ Upstream commit bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb ]
+
+Andrey Konovalov reported a possible out-of-bounds problem for a USB interface
+association descriptor. He writes:
+ It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION
+ descriptor. It's only checked that the size is >= 2 in
+ usb_parse_configuration(), so find_iad() might do out-of-bounds access
+ to intf_assoc->bInterfaceCount.
+
+And he's right, we don't check for crazy descriptors of this type very well, so
+resolve this problem. Yet another issue found by syzkaller...
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=de5ffcc63dbdaffffd93934003fd527673f4da0a]
+CVE: CVE-2017-16531
+
+Reported-by: Andrey Konovalov
+Tested-by: Andrey Konovalov
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Adrian Stratulat
+---
+ drivers/usb/core/config.c | 14 +++++++++++---
+ include/uapi/linux/usb/ch9.h | 1 +
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
+index b48fac6e4b40..510e7158b502 100644
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -528,15 +528,23 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
+
+ } else if (header->bDescriptorType ==
+ USB_DT_INTERFACE_ASSOCIATION) {
++ struct usb_interface_assoc_descriptor *d;
++
++ d = (struct usb_interface_assoc_descriptor *)header;
++ if (d->bLength < USB_DT_INTERFACE_ASSOCIATION_SIZE) {
++ dev_warn(ddev,
++ "config %d has an invalid interface association descriptor of length %d, skipping\n",
++ cfgno, d->bLength);
++ continue;
++ }
++
+ if (iad_num == USB_MAXIADS) {
+ dev_warn(ddev, "found more Interface "
+ "Association Descriptors "
+ "than allocated for in "
+ "configuration %d\n", cfgno);
+ } else {
+- config->intf_assoc[iad_num] =
+- (struct usb_interface_assoc_descriptor
+- *)header;
++ config->intf_assoc[iad_num] = d;
+ iad_num++;
+ }
+
+diff --git a/include/uapi/linux/usb/ch9.h b/include/uapi/linux/usb/ch9.h
+index aa33fd1b2d4f..400196c45b3c 100644
+--- a/include/uapi/linux/usb/ch9.h
++++ b/include/uapi/linux/usb/ch9.h
+@@ -705,6 +705,7 @@ struct usb_interface_assoc_descriptor {
+ __u8 iFunction;
+ } __attribute__ ((packed));
+
++#define USB_DT_INTERFACE_ASSOCIATION_SIZE 8
+
+ /*-------------------------------------------------------------------------*/
+
+--
+cgit 1.2-0.3.lf.el7
+
-- cgit v1.2.3-54-g00ecf
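Review bot: The added `d->bLength < USB_DT_INTERFACE_ASSOCIATION_SIZE` check in the `USB_DT_INTERFACE_ASSOCIATION` branch only enforces a minimum length; whether `bLength` is also bounded by the bytes left in the configuration buffer, and whether `continue` steps past the short descriptor, is decided by loop code outside this inner hunk, so confirm both on the kernel tree this backport is applied to. A short comment above the check would record the reason, e.g. `/* find_iad() reads intf_assoc->bInterfaceCount through the stored pointer, so reject descriptors shorter than the full structure */`. In ch9.h the new `#define USB_DT_INTERFACE_ASSOCIATION_SIZE 8` is a bare literal; a comment tying it to the packed `struct usb_interface_assoc_descriptor` just above it would keep the two from drifting apart. `usb_parse_configuration()` starts and ends outside the hunk.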