diff options
Diffstat (limited to 'debian/patches/bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch')
-rw-r--r-- | debian/patches/bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch | 45 |
1 files changed, 0 insertions, 45 deletions
diff --git a/debian/patches/bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch b/debian/patches/bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch deleted file mode 100644 index 2a2c4bdb4303..000000000000 --- a/debian/patches/bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Ignat Korchagin <ignat.korchagin@gmail.com> -Date: Thu, 17 Mar 2016 18:00:29 +0000 -Subject: USB: usbip: fix potential out-of-bounds write -Origin: https://git.kernel.org/linus/b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb - -Fix potential out-of-bounds write to urb->transfer_buffer -usbip handles network communication directly in the kernel. When receiving a -packet from its peer, usbip code parses headers according to protocol. As -part of this parsing urb->actual_length is filled. Since the input for -urb->actual_length comes from the network, it should be treated as untrusted. -Any entity controlling the network may put any value in the input and the -preallocated urb->transfer_buffer may not be large enough to hold the data. -Thus, the malicious entity is able to write arbitrary data to kernel memory. - -Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/usb/usbip/usbip_common.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c -index facaaf0..e40da77 100644 ---- a/drivers/usb/usbip/usbip_common.c -+++ b/drivers/usb/usbip/usbip_common.c -@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb) - if (!(size > 0)) - return 0; - -+ if (size > urb->transfer_buffer_length) { -+ /* should not happen, probably malicious packet */ -+ if (ud->side == USBIP_STUB) { -+ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); -+ return 0; -+ } else { -+ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); -+ return -EPIPE; -+ } -+ } -+ - ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size); - if (ret != size) { - dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret); --- -2.1.4 - |