From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Hui Peng <benquike@gmail.com>,
Mathias Payer <mathias.payer@nebelwelt.net>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
linux-usb@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 3.18 05/12] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
Date: Wed, 26 Dec 2018 17:57:33 -0500 [thread overview]
Message-ID: <20181226225741.151608-5-sashal@kernel.org> (raw)
In-Reply-To: <20181226225741.151608-1-sashal@kernel.org>
From: Hui Peng <benquike@gmail.com>
[ Upstream commit 5146f95df782b0ac61abde36567e718692725c89 ]
The function hso_probe reads if_num from the USB device (as an u8) and uses
it without a length check to index an array, resulting in an OOB memory read
in hso_probe or hso_get_config_data.
Add a length check for both locations and updated hso_probe to bail on
error.
This issue has been assigned CVE-2018-19985.
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/hso.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index babda7d8693e..f040bf558430 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2814,6 +2814,12 @@ static int hso_get_config_data(struct usb_interface *interface)
return -EIO;
}
+ /* check if we have a valid interface */
+ if (if_num > 16) {
+ kfree(config_data);
+ return -EINVAL;
+ }
+
switch (config_data[if_num]) {
case 0x0:
result = 0;
@@ -2884,10 +2890,18 @@ static int hso_probe(struct usb_interface *interface,
/* Get the interface/port specification from either driver_info or from
* the device itself */
- if (id->driver_info)
+ if (id->driver_info) {
+ /* if_num is controlled by the device, driver_info is a 0 terminated
+ * array. Make sure, the access is in bounds! */
+ for (i = 0; i <= if_num; ++i)
+ if (((u32 *)(id->driver_info))[i] == 0)
+ goto exit;
port_spec = ((u32 *)(id->driver_info))[if_num];
- else
+ } else {
port_spec = hso_get_config_data(interface);
+ if (port_spec < 0)
+ goto exit;
+ }
/* Check if we need to switch to alt interfaces prior to port
* configuration */
--
2.19.1
next prev parent reply other threads:[~2018-12-26 23:22 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-26 22:57 [PATCH AUTOSEL 3.18 01/12] powerpc: Fix COFF zImage booting on old powermacs Sasha Levin
2018-12-26 22:57 ` Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 02/12] checkstack.pl: fix for aarch64 Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 03/12] xfrm: Fix bucket count reported to userspace Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 04/12] Input: omap-keypad - fix idle configuration to not block SoC idle states Sasha Levin
2018-12-26 22:57 ` Sasha Levin
2018-12-26 22:57 ` Sasha Levin [this message]
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 06/12] bnx2x: Clear fip MAC when fcoe offload support is disabled Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 07/12] w90p910_ether: remove incorrect __init annotation Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 08/12] x86/mtrr: Don't copy uninitialized gentry fields back to userspace Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 09/12] xen/netfront: tolerate frags with no data Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 10/12] vxge: ensure data0 is initialized in when fetching firmware version information Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 11/12] net: netxen: fix a missing check and an uninitialized use Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 12/12] serial/sunsu: fix refcount leak Sasha Levin
2018-12-26 22:57 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181226225741.151608-5-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=benquike@gmail.com \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mathias.payer@nebelwelt.net \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.