diff options
author | Salvatore Bonaccorso <carnil@debian.org> | 2018-12-27 08:59:07 +0100 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2018-12-27 09:00:59 +0100 |
commit | 7fb96c41ce4dd7a81291608eda53cb6098bb40ff (patch) | |
tree | 8b74adb96f7d2d9a97b10d31c62b7db9ffa37eb9 | |
parent | 217f4b61cc4e68bfcb3ff61d86296c112d0e41ce (diff) | |
download | kernel_replicant_linux-7fb96c41ce4dd7a81291608eda53cb6098bb40ff.tar.gz kernel_replicant_linux-7fb96c41ce4dd7a81291608eda53cb6098bb40ff.tar.bz2 kernel_replicant_linux-7fb96c41ce4dd7a81291608eda53cb6098bb40ff.zip |
USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data (CVE-2018-19985)
-rw-r--r-- | debian/changelog | 4 | ||||
-rw-r--r-- | debian/patches/bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch | 67 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 72 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 5a36988369fb..6729c5e06727 100644 --- a/debian/changelog +++ b/debian/changelog @@ -13,6 +13,10 @@ linux (4.19.12-2) UNRELEASED; urgency=medium files * [powerpcspe] Fix -mcpu= options for SPE-only compiler + [ Salvatore Bonaccorso ] + * USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data + (CVE-2018-19985) + -- Uwe Kleine-König <ukleinek@debian.org> Sun, 23 Dec 2018 17:28:52 +0100 linux (4.19.12-1) unstable; urgency=medium diff --git a/debian/patches/bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch b/debian/patches/bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch new file mode 100644 index 000000000000..0baf8b9ee7f2 --- /dev/null +++ b/debian/patches/bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch @@ -0,0 +1,67 @@ +From 5146f95df782b0ac61abde36567e718692725c89 Mon Sep 17 00:00:00 2001 +From: Hui Peng <benquike@gmail.com> +Date: Wed, 12 Dec 2018 12:42:24 +0100 +Subject: USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data + +From: Hui Peng <benquike@gmail.com> + +commit 5146f95df782b0ac61abde36567e718692725c89 upstream. + +The function hso_probe reads if_num from the USB device (as an u8) and uses +it without a length check to index an array, resulting in an OOB memory read +in hso_probe or hso_get_config_data. + +Add a length check for both locations and updated hso_probe to bail on +error. + +This issue has been assigned CVE-2018-19985. + +Reported-by: Hui Peng <benquike@gmail.com> +Reported-by: Mathias Payer <mathias.payer@nebelwelt.net> +Signed-off-by: Hui Peng <benquike@gmail.com> +Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net> +Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/net/usb/hso.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -2807,6 +2807,12 @@ static int hso_get_config_data(struct us + return -EIO; + } + ++ /* check if we have a valid interface */ ++ if (if_num > 16) { ++ kfree(config_data); ++ return -EINVAL; ++ } ++ + switch (config_data[if_num]) { + case 0x0: + result = 0; +@@ -2877,10 +2883,18 @@ static int hso_probe(struct usb_interfac + + /* Get the interface/port specification from either driver_info or from + * the device itself */ +- if (id->driver_info) ++ if (id->driver_info) { ++ /* if_num is controlled by the device, driver_info is a 0 terminated ++ * array. Make sure, the access is in bounds! */ ++ for (i = 0; i <= if_num; ++i) ++ if (((u32 *)(id->driver_info))[i] == 0) ++ goto exit; + port_spec = ((u32 *)(id->driver_info))[if_num]; +- else ++ } else { + port_spec = hso_get_config_data(interface); ++ if (port_spec < 0) ++ goto exit; ++ } + + /* Check if we need to switch to alt interfaces prior to port + * configuration */ diff --git a/debian/patches/series b/debian/patches/series index d81ed8e9e748..49b3409146aa 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -139,6 +139,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch +bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch |