Fix CVE-2017-17558 (rhbz 1525474 1525476)
This commit is contained in:
Jeremy Cline
parent
33a5b3ed6e
commit
5f85324ce1
|
|
@ -0,0 +1,48 @@
|
|||
From 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Stern <stern@rowland.harvard.edu>
|
||||
Date: Tue, 12 Dec 2017 14:25:13 -0500
|
||||
Subject: [PATCH] USB: core: prevent malicious bNumInterfaces overflow
|
||||
|
||||
A malicious USB device with crafted descriptors can cause the kernel
|
||||
to access unallocated memory by setting the bNumInterfaces value too
|
||||
high in a configuration descriptor. Although the value is adjusted
|
||||
during parsing, this adjustment is skipped in one of the error return
|
||||
paths.
|
||||
|
||||
This patch prevents the problem by setting bNumInterfaces to 0
|
||||
initially. The existing code already sets it to the proper value
|
||||
after parsing is complete.
|
||||
|
||||
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
CC: <stable@vger.kernel.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
drivers/usb/core/config.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
|
||||
index 55b198ba629b..78e92d29f8d9 100644
|
||||
--- a/drivers/usb/core/config.c
|
||||
+++ b/drivers/usb/core/config.c
|
||||
@@ -555,6 +555,9 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
|
||||
unsigned iad_num = 0;
|
||||
|
||||
memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
|
||||
+ nintf = nintf_orig = config->desc.bNumInterfaces;
|
||||
+ config->desc.bNumInterfaces = 0; // Adjusted later
|
||||
+
|
||||
if (config->desc.bDescriptorType != USB_DT_CONFIG ||
|
||||
config->desc.bLength < USB_DT_CONFIG_SIZE ||
|
||||
config->desc.bLength > size) {
|
||||
@@ -568,7 +571,6 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
|
||||
buffer += config->desc.bLength;
|
||||
size -= config->desc.bLength;
|
||||
|
||||
- nintf = nintf_orig = config->desc.bNumInterfaces;
|
||||
if (nintf > USB_MAXINTERFACES) {
|
||||
dev_warn(ddev, "config %d has too many interfaces: %d, "
|
||||
"using maximum allowed: %d\n",
|
||||
--
|
||||
2.14.3
|
||||
|
||||
|
|
@ -629,6 +629,9 @@ Patch399: arm64-thunderX-fix-ipv6-checksum-offload.patch
|
|||
# rbhz 1519591 1520764
|
||||
Patch500: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
|
||||
|
||||
# rhbz 1525474 1525476
|
||||
Patch501: USB-core-prevent-malicious-bNumInterfaces-overflow.patch
|
||||
|
||||
# 600 - Patches for improved Bay and Cherry Trail device support
|
||||
# Below patches are submitted upstream, awaiting review / merging
|
||||
Patch601: 0001-Input-gpio_keys-Allow-suppression-of-input-events-fo.patch
|
||||
|
|
@ -2207,6 +2210,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Dec 13 2017 Jeremy Cline <jeremy@jcline.org>
|
||||
- Fix CVE-2017-17558 (rhbz 1525474 1525476)
|
||||
|
||||
* Tue Dec 12 2017 Jeremy Cline <jeremy@jcline.org>
|
||||
- Fix CVE-2017-8824 (rhbz 1519591 1520764)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue