Home Home > GIT Browse > SLE11-SP4
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichal Hocko <mhocko@suse.com>2019-01-31 10:23:25 +0100
committerMichal Hocko <mhocko@suse.com>2019-01-31 10:23:25 +0100
commit04b48a9c4a2afff91b70454a7abf2ddd28faea6d (patch)
tree34042c5df31011dcd559805047f798383744a376
parent3d4f87bbd77b7c7e12162a056926c892aba1c43e (diff)
parent00404ad535931c4827799988e56e59a4fb6cd85a (diff)
Merge remote-tracking branch 'origin/cve/linux-3.0' into users/mhocko/SLE11-SP4/for-nextSLE11-SP4
-rw-r--r--drivers/net/usb/hso.c18
-rw-r--r--drivers/usb/core/hub.c4
-rw-r--r--drivers/usb/core/usb.c32
-rw-r--r--include/linux/usb.h6
4 files changed, 53 insertions, 7 deletions
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 33e8dfbae7f7..204e793ce870 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2867,6 +2867,12 @@ static int hso_get_config_data(struct usb_interface *interface)
return -EIO;
}
+ /* check if we have a valid interface */
+ if (if_num > 16) {
+ kfree(config_data);
+ return -EINVAL;
+ }
+
switch (config_data[if_num]) {
case 0x0:
result = 0;
@@ -2931,10 +2937,18 @@ static int hso_probe(struct usb_interface *interface,
/* Get the interface/port specification from either driver_info or from
* the device itself */
- if (id->driver_info)
+ if (id->driver_info) {
+ /* if_num is controlled by the device, driver_info is a 0 terminated
+ * array. Make sure, the access is in bounds! */
+ for (i = 0; i <= if_num; ++i)
+ if (((u32 *)(id->driver_info))[i] == 0)
+ goto exit;
port_spec = ((u32 *)(id->driver_info))[if_num];
- else
+ } else {
port_spec = hso_get_config_data(interface);
+ if (port_spec < 0)
+ goto exit;
+ }
if (interface->cur_altsetting->desc.bInterfaceClass != 0xFF) {
dev_err(&interface->dev, "Not our interface\n");
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 2e3322711902..b5f1bbdc000e 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -2053,9 +2053,9 @@ static int usb_enumerate_device_otg(struct usb_device *udev)
struct usb_bus *bus = udev->bus;
/* descriptor may appear anywhere in config */
- if (__usb_get_extra_descriptor (udev->rawdescriptors[0],
+ if (__usb_suse_get_extra_descriptor (udev->rawdescriptors[0],
le16_to_cpu(udev->config[0].desc.wTotalLength),
- USB_DT_OTG, (void **) &desc) == 0) {
+ USB_DT_OTG, (void **) &desc, sizeof(*desc)) == 0) {
if (desc->bmAttributes & USB_OTG_HNP) {
unsigned port1 = udev->portnum;
diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
index 5f95129a6439..5d729d17af01 100644
--- a/drivers/usb/core/usb.c
+++ b/drivers/usb/core/usb.c
@@ -629,10 +629,11 @@ int __usb_get_extra_descriptor(char *buffer, unsigned size,
{
struct usb_descriptor_header *header;
+ WARN_ONCE(1, KERN_CRIT"An external module is leaving this system open to CVE-2018-20169\n ");
while (size >= sizeof(struct usb_descriptor_header)) {
header = (struct usb_descriptor_header *)buffer;
- if (header->bLength < 2) {
+ if (header->bLength < 2 || header->bLength > size) {
printk(KERN_ERR
"%s: bogus descriptor, type %d length %d\n",
usbcore_name,
@@ -1080,6 +1081,35 @@ static void __exit usb_exit(void)
usb_debugfs_cleanup();
}
+int __usb_suse_get_extra_descriptor(char *buffer, unsigned size,
+ unsigned char type, void **ptr, size_t minsize)
+{
+ struct usb_descriptor_header *header;
+
+ while (size >= sizeof(struct usb_descriptor_header)) {
+ header = (struct usb_descriptor_header *)buffer;
+
+ if (header->bLength < 2 || header->bLength > size) {
+ printk(KERN_ERR
+ "%s: bogus descriptor, type %d length %d\n",
+ usbcore_name,
+ header->bDescriptorType,
+ header->bLength);
+ return -1;
+ }
+
+ if (header->bDescriptorType == type && header->bLength >= minsize) {
+ *ptr = header;
+ return 0;
+ }
+
+ buffer += header->bLength;
+ size -= header->bLength;
+ }
+ return -1;
+}
+EXPORT_SYMBOL_GPL(__usb_suse_get_extra_descriptor);
+
subsys_initcall(usb_init);
module_exit(usb_exit);
MODULE_LICENSE("GPL");
diff --git a/include/linux/usb.h b/include/linux/usb.h
index 243650bdb65e..d190c108b374 100644
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -304,10 +304,12 @@ struct usb_host_bos {
int __usb_get_extra_descriptor(char *buffer, unsigned size,
unsigned char type, void **ptr);
+int __usb_suse_get_extra_descriptor(char *buffer, unsigned size,
+ unsigned char type, void **ptr, size_t min);
#define usb_get_extra_descriptor(ifpoint, type, ptr) \
- __usb_get_extra_descriptor((ifpoint)->extra, \
+ __usb_suse_get_extra_descriptor((ifpoint)->extra, \
(ifpoint)->extralen, \
- type, (void **)ptr)
+ type, (void **)ptr, sizeof(**(ptr)))
/* ----------------------------------------------------------------------- */