FYI, this issue has been assigned CVE-2018-19985. Thanks, Mathias On 12/9/18 5:32 PM, Greg KH wrote: > From: Hui Peng <benquike@xxxxxxxxx> > > The function hso_probe reads if_num from the USB device (as an u8) and uses > it without a length check to index an array, resulting in an OOB memory read > in hso_probe or hso_get_config_data. Added a length check for both locations > and updated hso_probe to bail on error. > > Reported-by: Hui Peng <benquike@xxxxxxxxx> > Reported-by: Mathias Payer <mathias.payer@xxxxxxxxxxxxx> > Signed-off-by: Hui Peng <benquike@xxxxxxxxx> > Signed-off-by: Mathias Payer <mathias.payer@xxxxxxxxxxxxx> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > --- > drivers/net/usb/hso.c | 18 ++++++++++++++++-- > 1 file changed, 16 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c > index 184c24baca15..168f9081d4ea 100644 > --- a/drivers/net/usb/hso.c > +++ b/drivers/net/usb/hso.c > @@ -2807,6 +2807,12 @@ static int hso_get_config_data(struct usb_interface *interface) > return -EIO; > } > > + /* check if we have a valid interface */ > + if (if_num > 16) { > + kfree(config_data); > + return -EINVAL; > + } > + > switch (config_data[if_num]) { > case 0x0: > result = 0; > @@ -2877,10 +2883,18 @@ static int hso_probe(struct usb_interface *interface, > > /* Get the interface/port specification from either driver_info or from > * the device itself */ > - if (id->driver_info) > + if (id->driver_info) { > + /* if_num is controlled by the device, driver_info is a 0 terminated > + * array. Make sure, the access is in bounds! */ > + for (i = 0; i <= if_num; ++i) > + if (((u32 *)(id->driver_info))[i] == 0) > + goto exit; > port_spec = ((u32 *)(id->driver_info))[if_num]; > - else > + } else { > port_spec = hso_get_config_data(interface); > + if (IS_ERR_VALUE((long)port_spec)) > + goto exit; > + } > > /* Check if we need to switch to alt interfaces prior to port > * configuration */ >
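Review bot: in the hso_get_config_data hunk, the new bound `if (if_num > 16)` is a bare literal that still admits index 16, and nothing visible in the hunk ties it to the size of config_data. Define the buffer length once, as a named constant used for both the allocation and this check, so the two cannot drift apart. The -EINVAL returned here is only safe because the caller in hso_probe now tests the result with IS_ERR_VALUE, so a short comment on the function's return contract (port spec on success, negative errno on failure) would help future callers.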
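Review bot: in the `id->driver_info` branch of the hso_probe hunk, the bounds check is only as good as the zero terminator. The loop `for (i = 0; i <= if_num; ++i)` walks the table up to index if_num and will itself read past the end if any driver_info table lacks a trailing 0 entry. Please confirm every table reachable through driver_info is terminated, or store the entry count next to the table and compare if_num against it directly. Two smaller points: the `for` body is a nested `if`/`goto` without braces, and `IS_ERR_VALUE((long)port_spec)` in the else branch would read more plainly as a negative check if port_spec is a signed int.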