[PATCH 3.14 21/37] USB: usbip: fix potential out-of-bounds write

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Ignat Korchagin <ignat.korchagin@gmail.com>,
	Sasha Levin <sasha.levin@oracle.com>,
	Paul Gortmaker <paul.gortmaker@windriver.com>
Subject: [PATCH 3.14 21/37] USB: usbip: fix potential out-of-bounds write
Date: Mon,  2 May 2016 17:12:10 -0700	[thread overview]
Message-ID: <20160503000424.240125904@linuxfoundation.org> (raw)
In-Reply-To: <20160503000423.577563140@linuxfoundation.org>

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ignat Korchagin <ignat.korchagin@gmail.com>

commit b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb upstream.

Fix potential out-of-bounds write to urb->transfer_buffer
usbip handles network communication directly in the kernel. When receiving a
packet from its peer, usbip code parses headers according to protocol. As
part of this parsing urb->actual_length is filled. Since the input for
urb->actual_length comes from the network, it should be treated as untrusted.
Any entity controlling the network may put any value in the input and the
preallocated urb->transfer_buffer may not be large enough to hold the data.
Thus, the malicious entity is able to write arbitrary data to kernel memory.

Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/usbip/usbip_common.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/staging/usbip/usbip_common.c
+++ b/drivers/staging/usbip/usbip_common.c
@@ -785,6 +785,17 @@ int usbip_recv_xbuff(struct usbip_device
 	if (!(size > 0))
 		return 0;

+	if (size > urb->transfer_buffer_length) {
+		/* should not happen, probably malicious packet */
+		if (ud->side == USBIP_STUB) {
+			usbip_event_add(ud, SDEV_EVENT_ERROR_TCP);
+			return 0;
+		} else {
+			usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
+			return -EPIPE;
+		}
+	}
+
 	ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size);
 	if (ret != size) {
 		dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret);

next prev parent reply	other threads:[~2016-05-03  1:57 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-05-03  0:11 [PATCH 3.14 00/37] 3.14.68-stable review Greg Kroah-Hartman
2016-05-03  0:11 ` [PATCH 3.14 01/37] ARM: OMAP2+: hwmod: Fix updating of sysconfig register Greg Kroah-Hartman
2016-05-03  0:11 ` [PATCH 3.14 02/37] assoc_array: dont call compare_object() on a node Greg Kroah-Hartman
2016-05-03  0:11 ` [PATCH 3.14 03/37] usb: xhci: fix wild pointers in xhci_mem_cleanup Greg Kroah-Hartman
2016-05-03  0:11 ` [PATCH 3.14 04/37] usb: hcd: out of bounds access in for_each_companion Greg Kroah-Hartman
2016-05-03  0:11 ` [PATCH 3.14 05/37] lib: lz4: fixed zram with lz4 on big endian machines Greg Kroah-Hartman
2016-05-03  0:11 ` [PATCH 3.14 06/37] x86/iopl/64: Properly context-switch IOPL on Xen PV Greg Kroah-Hartman
2016-05-03  0:11 ` [PATCH 3.14 07/37] futex: Acknowledge a new waiter in counter before plist Greg Kroah-Hartman
2016-05-03  0:11 ` [PATCH 3.14 08/37] drm/qxl: fix cursor position with non-zero hotspot Greg Kroah-Hartman
2016-05-03  0:11 ` [PATCH 3.14 09/37] crypto: ccp - Prevent information leakage on export Greg Kroah-Hartman
2016-05-03  0:11 ` [PATCH 3.14 10/37] crypto: gcm - Fix rfc4543 decryption crash Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 11/37] nl80211: check netlink protocol in socket release notification Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 12/37] Input: gtco - fix crash on detecting device without endpoints Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 13/37] pinctrl: single: Fix pcs_parse_bits_in_pinctrl_entry to use __ffs than ffs Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 14/37] i2c: cpm: Fix build break due to incompatible pointer types Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 15/37] i2c: exynos5: Fix possible ABBA deadlock by keeping I2C clock prepared Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 16/37] EDAC: i7core, sb_edac: Dont return NOTIFY_BAD from mce_decoder callback Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 17/37] ASoC: s3c24xx: use const snd_soc_component_driver pointer Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 18/37] ASoC: rt5640: Correct the digital interface data select Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 19/37] efi: Fix out-of-bounds read in variable_matches() Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 20/37] workqueue: fix ghost PENDING flag while doing MQ IO Greg Kroah-Hartman
2016-05-03  0:12 ` Greg Kroah-Hartman [this message]
2016-05-03  0:12 ` [PATCH 3.14 22/37] paride: make verbose parameter an int again Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 23/37] fbdev: da8xx-fb: fix videomodes of lcd panels Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 24/37] misc/bmp085: Enable building as a module Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 25/37] rtc: hym8563: fix invalid year calculation Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 27/37] drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 28/37] ext4: fix NULL pointer dereference in ext4_mark_inode_dirty() Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 29/37] serial: sh-sci: Remove cpufreq notifier to fix crash/deadlock Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 30/37] include/linux/poison.h: fix LIST_POISON{1,2} offset Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 31/37] Drivers: hv: vmbus: prevent cpu offlining on newer hypervisors Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 32/37] perf stat: Document --detailed option Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 34/37] bus: imx-weim: Take the status property value into account Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 35/37] jme: Do not enable NIC WoL functions on S0 Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 36/37] jme: Fix device PM wakeup API usage Greg Kroah-Hartman
2016-05-03  0:12 ` [PATCH 3.14 37/37] sunrpc/cache: drop reference when sunrpc_cache_pipe_upcall() detects a race Greg Kroah-Hartman
2016-05-03  7:19 ` [PATCH 3.14 00/37] 3.14.68-stable review Guenter Roeck
2016-05-03 18:21   ` Greg Kroah-Hartman
2016-05-03 15:00 ` Shuah Khan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160503000424.240125904@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=ignat.korchagin@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=paul.gortmaker@windriver.com \
    --cc=sasha.levin@oracle.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.