From e5a7bd1d7d58dcfed990079e8f7377a4df875454 Mon Sep 17 00:00:00 2001 From: Adrian Stratulat Date: Wed, 30 Oct 2019 12:37:55 +0100 Subject: USB: core: CVE-2017-16535 USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() References: https://nvd.nist.gov/vuln/detail/CVE-2017-16535 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1c0edc3633b56000e18d82fc241e3995ca18a69e https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=9d13d3e05be29056eeab610d9ad26b04c9231a04 Change-Id: Ib86863293579750ddfb84bf62839d33bb5a75626 Signed-off-by: Adrian Stratulat --- patches/cve/CVE-2017-16535.patch | 50 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 patches/cve/CVE-2017-16535.patch diff --git a/patches/cve/CVE-2017-16535.patch b/patches/cve/CVE-2017-16535.patch new file mode 100644 index 0000000..19976cc --- /dev/null +++ b/patches/cve/CVE-2017-16535.patch 
@@ -0,0 +1,50 @@ +From 9d13d3e05be29056eeab610d9ad26b04c9231a04 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 18 Oct 2017 12:49:38 -0400 +Subject: USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() + +commit 1c0edc3633b56000e18d82fc241e3995ca18a69e upstream. + +Andrey used the syzkaller fuzzer to find an out-of-bounds memory +access in usb_get_bos_descriptor(). The code wasn't checking that the +next usb_dev_cap_header structure could fit into the remaining buffer +space. + +This patch fixes the error and also reduces the bNumDeviceCaps field +in the header to match the actual number of capabilities found, in +cases where there are fewer than expected. + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=9d13d3e05be29056eeab610d9ad26b04c9231a04] +CVE: CVE-2017-16535 + +Reported-by: Andrey Konovalov +Signed-off-by: Alan Stern +Tested-by: Andrey Konovalov +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Adrian Stratulat +--- + drivers/usb/core/config.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c +index 11793386b4e9..5008f71fb08d 100644 +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -837,10 +837,12 @@ int usb_get_bos_descriptor(struct usb_device *dev) + for (i = 0; i < num; i++) { + buffer += length; + cap = (struct usb_dev_cap_header *)buffer; +- length = cap->bLength; + +- if (total_len < length) ++ if (total_len < sizeof(*cap) || total_len < cap->bLength) { ++ dev->bos->desc->bNumDeviceCaps = i; + break; ++ } ++ length = cap->bLength; + total_len -= length; + + if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) { +-- +cgit 1.2-0.3.lf.el7 + -- cgit v1.2.3-54-g00ecf
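Review bot: the operand order in `if (total_len < sizeof(*cap) || total_len < cap->bLength)` is load-bearing and deserves a one-line comment above the check: `cap->bLength` is read only after the first test confirms that a whole `usb_dev_cap_header` fits in the remaining buffer, which is exactly what closes the out-of-bounds read, and a later tidy-up that swaps the two tests would silently reintroduce it. The condition still accepts a `bLength` smaller than `sizeof(*cap)`, including 0, in which case `buffer += length` makes no progress and the same header is re-parsed on the next iteration; that stays inside the buffer (length never exceeds `total_len`) and is bounded by `num`, but rejecting `cap->bLength < sizeof(*cap)` in the same condition would end the loop cleanly instead of spinning on a malformed header. Setting `dev->bos->desc->bNumDeviceCaps = i` before the `break` is the right choice, since it keeps the advertised count consistent with the capabilities that were actually validated.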