Home Home > GIT Browse > SLE12-SP5-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOliver Neukum <oneukum@suse.com>2019-08-20 13:02:06 +0200
committerOliver Neukum <oneukum@suse.com>2019-08-20 13:51:48 +0200
commitea8f73442c88c05fea0f158cafd4b0291cf914c9 (patch)
tree4dab63e9eb188c4cf1da589feb303245444ae288
parentf73861c56a3f722f666e5f9b98c1911e3d0037ed (diff)
USB: CDC: fix sanity checks in CDC union parser (bsc#1142635).
-rw-r--r--patches.fixes/0001-USB-CDC-fix-sanity-checks-in-CDC-union-parser.patch45
-rw-r--r--series.conf1
2 files changed, 46 insertions, 0 deletions
diff --git a/patches.fixes/0001-USB-CDC-fix-sanity-checks-in-CDC-union-parser.patch b/patches.fixes/0001-USB-CDC-fix-sanity-checks-in-CDC-union-parser.patch
new file mode 100644
index 0000000000..b3327c93f4
--- /dev/null
+++ b/patches.fixes/0001-USB-CDC-fix-sanity-checks-in-CDC-union-parser.patch
@@ -0,0 +1,45 @@
+From 54364278fb3cabdea51d6398b07c87415065b3fc Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 13 Aug 2019 11:35:41 +0200
+Subject: [PATCH] USB: CDC: fix sanity checks in CDC union parser
+Git-commit: 54364278fb3cabdea51d6398b07c87415065b3fc
+Patch-mainline: v5.3-rc5
+References: bsc#1142635
+
+A few checks checked for the size of the pointer to a structure
+instead of the structure itself. Copy & paste issue presumably.
+
+Fixes: e4c6fb7794982 ("usbnet: move the CDC parser into USB core")
+Cc: stable <stable@vger.kernel.org>
+Reported-by: syzbot+45a53506b65321c1fe91@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20190813093541.18889-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/message.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
+index e844bb7b5676..5adf489428aa 100644
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -2218,14 +2218,14 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr,
+ (struct usb_cdc_dmm_desc *)buffer;
+ break;
+ case USB_CDC_MDLM_TYPE:
+- if (elength < sizeof(struct usb_cdc_mdlm_desc *))
++ if (elength < sizeof(struct usb_cdc_mdlm_desc))
+ goto next_desc;
+ if (desc)
+ return -EINVAL;
+ desc = (struct usb_cdc_mdlm_desc *)buffer;
+ break;
+ case USB_CDC_MDLM_DETAIL_TYPE:
+- if (elength < sizeof(struct usb_cdc_mdlm_detail_desc *))
++ if (elength < sizeof(struct usb_cdc_mdlm_detail_desc))
+ goto next_desc;
+ if (detail)
+ return -EINVAL;
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index 6880f5caa7..6206e4c8ab 100644
--- a/series.conf
+++ b/series.conf
@@ -23408,6 +23408,7 @@
patches.drivers/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-ch.patch
patches.fixes/nvme-multipath-revalidate-nvme_ns_head-gendisk-in-nv.patch
patches.fixes/0001-usb-cdc-acm-make-sure-a-refcount-is-taken-early-enou.patch
+ patches.fixes/0001-USB-CDC-fix-sanity-checks-in-CDC-union-parser.patch
# dhowells/linux-fs keys-uefi
patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch