This is a note to let you know that I've just added the patch titled

    USB: core: harden cdc_parse_cdc_header

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usb-core-harden-cdc_parse_cdc_header.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

From 2e1c42391ff2556387b3cb6308b24f6f65619feb Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 21 Sep 2017 16:58:48 +0200
Subject: USB: core: harden cdc_parse_cdc_header

From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

commit 2e1c42391ff2556387b3cb6308b24f6f65619feb upstream.

Andrey Konovalov reported a possible out-of-bounds problem for the
cdc_parse_cdc_header function.  He writes:
	It looks like cdc_parse_cdc_header() doesn't validate buflen
	before accessing buffer[1], buffer[2] and so on. The only check
	present is while (buflen > 0).

So fix this issue up by properly validating the buffer length matches
what the descriptor says it is.

Reported-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Tested-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 drivers/net/usb/usbnet.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c
@@ -1990,6 +1990,10 @@ int cdc_parse_cdc_header(struct usb_cdc_ elength = 1; goto next_desc; } + if ((buflen < elength) || (elength < 3)) { + dev_err(&intf->dev, "invalid descriptor buffer length\n"); + break; + } if (buffer[1] != USB_DT_CS_INTERFACE) { dev_err(&intf->dev, "skipping garbage\n"); goto next_desc; Patches currently in stable-queue which might be from gregkh@xxxxxxxxxxxxxxxxxxx are queue-4.4/usb-fix-out-of-bounds-in-usb_set_configuration.patch queue-4.4/xhci-fix-finding-correct-bus_state-structure-for-usb-3.1-hosts.patch queue-4.4/usb-uas-fix-bug-in-handling-of-alternate-settings.patch queue-4.4/alsa-usb-audio-check-out-of-bounds-access-by-corrupted-buffer-descriptor.patch queue-4.4/usb-increase-quirk-delay-for-usb-devices.patch queue-4.4/iio-adc-twl4030-fix-an-error-handling-path-in-twl4030_madc_probe.patch queue-4.4/usb-dummy-hcd-fix-infinite-loop-resubmission-bug.patch queue-4.4/usb-pci-quirks.c-corrected-timeout-values-used-in-handshake.patch queue-4.4/usb-storage-unusual_devs-entry-to-fix-write-access-regression-for-seagate-external-drives.patch queue-4.4/usb-core-harden-cdc_parse_cdc_header.patch queue-4.4/usb-renesas_usbhs-fix-usbhsf_fifo_clear-for-rx-direction.patch queue-4.4/usb-gadget-udc-atmel-set-vbus-irqflags-explicitly.patch queue-4.4/iio-adc-twl4030-disable-the-vusb3v1-rugulator-in-the-error-handling-path-of-twl4030_madc_probe.patch queue-4.4/usb-renesas_usbhs-fix-the-bclr-setting-condition-for-non-dcp-pipe.patch queue-4.4/usb-gadgetfs-fix-copy_to_user-while-holding-spinlock.patch queue-4.4/usb-devio-don-t-corrupt-user-memory.patch queue-4.4/usb-gadget-inode.c-fix-unbalanced-spin_lock-in-ep0_write.patch queue-4.4/usb-g_mass_storage-fix-deadlock-when-driver-is-unbound.patch queue-4.4/usb-gadgetfs-fix-crash-caused-by-inadequate-synchronization.patch queue-4.4/usb-dummy-hcd-fix-connection-failures-wrong-speed.patch queue-4.4/usb-dummy-hcd-fix-erroneous-synchronization-change.patch
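
Review bot: In the `@@ -1990,6 +1990,10 @@` hunk of drivers/net/usb/usbnet.c, the added `if ((buflen < elength) || (elength < 3))` uses a bare `3` with no comment; a one-line comment saying it is the smallest length that makes the following `buffer[1]` and `buffer[2]` reads valid (the accesses the commit message names) would keep the bound from being loosened later by mistake. The new branch also leaves the loop with `break`, while the adjacent "skipping garbage" case continues with `goto next_desc`; if aborting the whole parse on a bad length is intended, say so in the comment, and it is worth confirming what the function returns on this path, since nothing in the hunk shows whether callers see an error or a partially filled header. Finally, the `dev_err()` text "invalid descriptor buffer length" would be more useful for triage if it printed `elength` and `buflen`.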