Patch "USB: fix out-of-bounds in usb_set_configuration" has been added to the 4.13-stable tree

This is a note to let you know that I've just added the patch titled

    USB: fix out-of-bounds in usb_set_configuration

to the 4.13-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usb-fix-out-of-bounds-in-usb_set_configuration.patch
and it can be found in the queue-4.13 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 19 Sep 2017 15:07:17 +0200
Subject: USB: fix out-of-bounds in usb_set_configuration

From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

commit bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb upstream.

Andrey Konovalov reported a possible out-of-bounds problem for a USB interface
association descriptor.  He writes:
	It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION
	descriptor. It's only checked that the size is >= 2 in
	usb_parse_configuration(), so find_iad() might do out-of-bounds access
	to intf_assoc->bInterfaceCount.

And he's right, we don't check for crazy descriptors of this type very well, so
resolve this problem.  Yet another issue found by syzkaller...

Reported-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Tested-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 drivers/usb/core/config.c    |   14 +++++++++++---
 include/uapi/linux/usb/ch9.h |    1 +
 2 files changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -643,15 +643,23 @@ static int usb_parse_configuration(struc
 
 		} else if (header->bDescriptorType ==
 				USB_DT_INTERFACE_ASSOCIATION) {
+			struct usb_interface_assoc_descriptor *d;
+
+			d = (struct usb_interface_assoc_descriptor *)header;
+			if (d->bLength < USB_DT_INTERFACE_ASSOCIATION_SIZE) {
+				dev_warn(ddev,
+					 "config %d has an invalid interface association descriptor of length %d, skipping\n",
+					 cfgno, d->bLength);
+				continue;
+			}
+
 			if (iad_num == USB_MAXIADS) {
 				dev_warn(ddev, "found more Interface "
 					       "Association Descriptors "
 					       "than allocated for in "
 					       "configuration %d\n", cfgno);
 			} else {
-				config->intf_assoc[iad_num] =
-					(struct usb_interface_assoc_descriptor
-					*)header;
+				config->intf_assoc[iad_num] = d;
 				iad_num++;
 			}
 
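Review bot: the new `d->bLength < USB_DT_INTERFACE_ASSOCIATION_SIZE` test takes the length from the descriptor itself, so it only protects later readers such as find_iad() if bLength has already been confirmed to fit in the remaining buffer, and that check is not part of this hunk. A one-line comment above the test naming the earlier check it relies on would make the bound reviewable in isolation. The added dev_warn() also fires once per short descriptor on device-supplied input, so a rate-limited variant would keep a misbehaving device from filling the log.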
--- a/include/uapi/linux/usb/ch9.h
+++ b/include/uapi/linux/usb/ch9.h
@@ -780,6 +780,7 @@ struct usb_interface_assoc_descriptor {
 	__u8  iFunction;
 } __attribute__ ((packed));
 
+#define USB_DT_INTERFACE_ASSOCIATION_SIZE	8
 
 /*-------------------------------------------------------------------------*/
 
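Review bot: the literal 8 in `#define USB_DT_INTERFACE_ASSOCIATION_SIZE 8` is not tied to the packed `struct usb_interface_assoc_descriptor` that ends directly above it, so the two can drift apart silently. Since this lands in a uapi header, consider a short comment stating that the value is the size of that struct, plus a compile-time assertion in config.c that it matches sizeof(struct usb_interface_assoc_descriptor).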


Patches currently in stable-queue which might be from gregkh@xxxxxxxxxxxxxxxxxxx are

queue-4.13/usb-xhci-free-the-right-ring-in-xhci_add_endpoint.patch
queue-4.13/tcp-update-skb-skb_mstamp-more-carefully.patch
queue-4.13/usb-fix-out-of-bounds-in-usb_set_configuration.patch
queue-4.13/packet-in-packet_do_bind-test-fanout-with-bind_lock-held.patch
queue-4.13/usb-storage-fix-bogus-hardware-error-messages-for-ata-pass-thru-devices.patch
queue-4.13/socket-bpf-fix-possible-use-after-free.patch
queue-4.13/netlink-do-not-proceed-if-dump-s-start-errs.patch
queue-4.13/isdn-i4l-fetch-the-ppp_write-buffer-in-one-shot.patch
queue-4.13/usb-cdc-wdm-ignore-epipe-from-getencapsulatedresponse.patch
queue-4.13/ip6_tunnel-do-not-allow-loading-ip6_tunnel-if-ipv6-is-disabled-in-cmdline.patch
queue-4.13/l2tp-fix-race-condition-in-l2tp_tunnel_delete.patch
queue-4.13/xhci-fix-finding-correct-bus_state-structure-for-usb-3.1-hosts.patch
queue-4.13/revert-xhci-limit-usb2-port-wake-support-for-amd-promontory-hosts.patch
queue-4.13/vti-fix-use-after-free-in-vti_tunnel_xmit-vti6_tnl_xmit.patch
queue-4.13/l2tp-fix-l2tp_eth-module-loading.patch
queue-4.13/bpf-do-not-disable-enable-bh-in-bpf_map_free_id.patch
queue-4.13/net-bonding-fix-transmit-load-balancing-in-balance-alb-mode-if-specified-by-sysfs.patch
queue-4.13/usb-uas-fix-bug-in-handling-of-alternate-settings.patch
queue-4.13/ipv4-early-demux-can-return-an-error-code.patch
queue-4.13/alsa-usb-audio-check-out-of-bounds-access-by-corrupted-buffer-descriptor.patch
queue-4.13/net-emac-fix-napi-poll-list-corruption.patch
queue-4.13/net-mlx5e-ipoib-fix-access-to-invalid-memory-address.patch
queue-4.13/net-qcom-emac-specify-the-correct-size-when-mapping-a-dma-buffer.patch
queue-4.13/usb-increase-quirk-delay-for-usb-devices.patch
queue-4.13/usb-gadget-udc-renesas_usb3-fix-return-value-of-usb3_write_pipe.patch
queue-4.13/packet-only-test-po-has_vnet_hdr-once-in-packet_snd.patch
queue-4.13/usb-devio-prevent-integer-overflow-in-proc_do_submiturb.patch
queue-4.13/xhci-set-missing-superspeedplus-link-protocol-bit-in-roothub-descriptor.patch
queue-4.13/usb-gadget-udc-renesas_usb3-fix-pn_rammap.pn_mpkt-value.patch
queue-4.13/ip6_gre-ip6gre_tap-device-should-keep-dst.patch
queue-4.13/iio-adc-twl4030-fix-an-error-handling-path-in-twl4030_madc_probe.patch
queue-4.13/usb-dwc3-ep0-fix-dma-starvation-by-assigning-req-trb-on-ep0.patch
queue-4.13/usb-gadget-core-fix-udc_set_speed-logic.patch
queue-4.13/udpv6-fix-the-checksum-computation-when-hw-checksum-does-not-apply.patch
queue-4.13/bpf-one-perf-event-close-won-t-free-bpf-program-attached-by-another-perf-event.patch
queue-4.13/sctp-potential-read-out-of-bounds-in-sctp_ulpevent_type_enabled.patch
queue-4.13/usb-dummy-hcd-fix-infinite-loop-resubmission-bug.patch
queue-4.13/usb-host-xhci-plat-allow-sysdev-to-inherit-from-acpi.patch
queue-4.13/net-change-skb-mac_header-when-generic-xdp-calls-adjust_head.patch
queue-4.13/imx-media-of-avoid-uninitialized-variable-warning.patch
queue-4.13/openvswitch-fix-an-error-handling-path-in-ovs_nla_init_match_and_action.patch
queue-4.13/net-phy-fix-mask-value-write-on-gmii2rgmii-converter-speed-register.patch
queue-4.13/usb-pci-quirks.c-corrected-timeout-values-used-in-handshake.patch
queue-4.13/bpf-verifier-reject-bpf_alu64-bpf_end.patch
queue-4.13/usb-storage-unusual_devs-entry-to-fix-write-access-regression-for-seagate-external-drives.patch
queue-4.13/net-sched-fix-use-after-free-in-tcf_action_destroy-and-tcf_del_walker.patch
queue-4.13/usb-core-harden-cdc_parse_cdc_header.patch
queue-4.13/net-rtnetlink-fix-info-leak-in-rtm_getstats-call.patch
queue-4.13/net-dsa-mv88e6xxx-allow-dsa-and-cpu-ports-in-multiple-vlans.patch
queue-4.13/8139too-revisit-napi_complete_done-usage.patch
queue-4.13/xhci-fix-wrong-endpoint-esit-value-shown-in-tracing.patch
queue-4.13/usb-renesas_usbhs-fix-usbhsf_fifo_clear-for-rx-direction.patch
queue-4.13/ip6_gre-skb_push-ipv6hdr-before-packing-the-header-in-ip6gre_header.patch
queue-4.13/net_sched-gen_estimator-fix-scaling-error-in-bytes-packets-samples.patch
queue-4.13/tipc-use-only-positive-error-codes-in-messages.patch
queue-4.13/ip6_tunnel-update-mtu-properly-for-arphrd_ether-tunnel-device-in-tx-path.patch
queue-4.13/usb-gadget-udc-atmel-set-vbus-irqflags-explicitly.patch
queue-4.13/iio-adc-twl4030-disable-the-vusb3v1-rugulator-in-the-error-handling-path-of-twl4030_madc_probe.patch
queue-4.13/mlxsw-spectrum-fix-eeprom-access-in-case-of-sfp-sfp.patch
queue-4.13/tun-bail-out-from-tun_get_user-if-the-skb-is-empty.patch
queue-4.13/tcp-fastopen-fix-on-syn-data-transmit-failure.patch
queue-4.13/usb-gadget-udc-renesas_usb3-fix-for-no-data-control-transfer.patch
queue-4.13/net_sched-always-reset-qdisc-backlog-in-qdisc_reset.patch
queue-4.13/net-ipv6-fix-regression-of-no-rtm_deladdr-sent-after-dad-failure.patch
queue-4.13/bpf-fix-bpf_tail_call-x64-jit.patch
queue-4.13/usb-renesas_usbhs-fix-the-bclr-setting-condition-for-non-dcp-pipe.patch
queue-4.13/net-set-sk_prot_creator-when-cloning-sockets-to-the-right-proto.patch
queue-4.13/usb-gadgetfs-fix-copy_to_user-while-holding-spinlock.patch
queue-4.13/usb-devio-don-t-corrupt-user-memory.patch
queue-4.13/tcp-fix-data-delivery-rate.patch
queue-4.13/net-dsa-fix-network-device-registration-order.patch
queue-4.13/usb-g_mass_storage-fix-deadlock-when-driver-is-unbound.patch
queue-4.13/net-bonding-fix-tlb_dynamic_lb-default-value.patch
queue-4.13/net-stmmac-cocci-spatch-of_table.patch
queue-4.13/usb-gadgetfs-fix-crash-caused-by-inadequate-synchronization.patch
queue-4.13/usb-dummy-hcd-fix-connection-failures-wrong-speed.patch
queue-4.13/net-dsa-mv88e6xxx-lock-mutex-when-freeing-irqs.patch
queue-4.13/mlxsw-spectrum-prevent-mirred-related-crash-on-removal.patch
queue-4.13/usb-dummy-hcd-fix-erroneous-synchronization-change.patch
queue-4.13/packet-hold-bind-lock-when-rebinding-to-fanout-hook.patch
queue-4.13/net-sched-cls_matchall-fix-crash-when-used-with-classful-qdisc.patch
queue-4.13/xhci-fix-sleeping-with-spin_lock_irq-held-in-asmedia-1042a-workaround.patch


