authorSalvatore Bonaccorso <carnil@debian.org>2018-12-27 08:59:07 +0100
committerSalvatore Bonaccorso <carnil@debian.org>2018-12-27 09:00:59 +0100
commit7fb96c41ce4dd7a81291608eda53cb6098bb40ff (patch)
tree8b74adb96f7d2d9a97b10d31c62b7db9ffa37eb9
parent217f4b61cc4e68bfcb3ff61d86296c112d0e41ce (diff)
USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data (CVE-2018-19985)
-rw-r--r--debian/changelog4
-rw-r--r--debian/patches/bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch67
-rw-r--r--debian/patches/series1
3 files changed, 72 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 5a36988369fb..6729c5e06727 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,10 @@ linux (4.19.12-2) UNRELEASED; urgency=medium
files
* [powerpcspe] Fix -mcpu= options for SPE-only compiler
+ [ Salvatore Bonaccorso ]
+ * USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
+ (CVE-2018-19985)
+
-- Uwe Kleine-König <ukleinek@debian.org> Sun, 23 Dec 2018 17:28:52 +0100
linux (4.19.12-1) unstable; urgency=medium
diff --git a/debian/patches/bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch b/debian/patches/bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch
new file mode 100644
index 000000000000..0baf8b9ee7f2
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch
@@ -0,0 +1,67 @@
+From 5146f95df782b0ac61abde36567e718692725c89 Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@gmail.com>
+Date: Wed, 12 Dec 2018 12:42:24 +0100
+Subject: USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
+
+From: Hui Peng <benquike@gmail.com>
+
+commit 5146f95df782b0ac61abde36567e718692725c89 upstream.
+
+The function hso_probe reads if_num from the USB device (as an u8) and uses
+it without a length check to index an array, resulting in an OOB memory read
+in hso_probe or hso_get_config_data.
+
+Add a length check for both locations and updated hso_probe to bail on
+error.
+
+This issue has been assigned CVE-2018-19985.
+
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/hso.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/hso.c
++++ b/drivers/net/usb/hso.c
+@@ -2807,6 +2807,12 @@ static int hso_get_config_data(struct us
+ return -EIO;
+ }
+
++ /* check if we have a valid interface */
++ if (if_num > 16) {
++ kfree(config_data);
++ return -EINVAL;
++ }
++
+ switch (config_data[if_num]) {
+ case 0x0:
+ result = 0;
+@@ -2877,10 +2883,18 @@ static int hso_probe(struct usb_interfac
+
+ /* Get the interface/port specification from either driver_info or from
+ * the device itself */
+- if (id->driver_info)
++ if (id->driver_info) {
++ /* if_num is controlled by the device, driver_info is a 0 terminated
++ * array. Make sure, the access is in bounds! */
++ for (i = 0; i <= if_num; ++i)
++ if (((u32 *)(id->driver_info))[i] == 0)
++ goto exit;
+ port_spec = ((u32 *)(id->driver_info))[if_num];
+- else
++ } else {
+ port_spec = hso_get_config_data(interface);
++ if (port_spec < 0)
++ goto exit;
++ }
+
+ /* Check if we need to switch to alt interfaces prior to port
+ * configuration */
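Review bot: The literal in `if (if_num > 16)` in hso_get_config_data has to match the size of config_data, which is allocated above this hunk and is not visible here, so nothing in the code ties the bound to the buffer. If the buffer holds 17 bytes the comparison is correct, but a shared constant for the allocation, the transfer length and the check, for example `if (if_num >= HSO_CONFIG_DATA_LEN) {` (the name is only a suggestion), would stop them from drifting apart. In hso_probe the added scan is safe only if every driver_info table really ends in a 0 entry, so I would state that requirement at the table definitions with a comment such as `/* must be 0-terminated: hso_probe scans up to the device-supplied if_num */`, and brace the `for` body since it holds a nested `if`. Both functions start and end outside the quoted hunks.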
diff --git a/debian/patches/series b/debian/patches/series
index d81ed8e9e748..49b3409146aa 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -139,6 +139,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
+bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch