[v2] USB: hso: Fix OOB memory access in hso_probe/hso_get_config

linux-usb.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [v2] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
@ 2018-12-10  8:04 Greg Kroah-Hartman
  0 siblings, 0 replies; 3+ messages in thread
From: Greg Kroah-Hartman @ 2018-12-10  8:04 UTC (permalink / raw)
  To: David S. Miller, netdev
  Cc: linux-usb, Sebastian Andrzej Siewior, Hui Peng, Mathias Payer

From: Hui Peng <benquike@gmail.com>

The function hso_probe reads if_num from the USB device (as an u8) and uses
it without a length check to index an array, resulting in an OOB memory read
in hso_probe or hso_get_config_data. Added a length check for both locations
and updated hso_probe to bail on error.

This issue has been assigned CVE-2018-19985.

Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
v2: fixed error check to just be < 0
    Added CVE to changelog text

 drivers/net/usb/hso.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 184c24baca15..d6916f787fce 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2807,6 +2807,12 @@ static int hso_get_config_data(struct usb_interface *interface)
 		return -EIO;
 	}
 
+	/* check if we have a valid interface */
+	if (if_num > 16) {
+		kfree(config_data);
+		return -EINVAL;
+	}
+
 	switch (config_data[if_num]) {
 	case 0x0:
 		result = 0;
@@ -2877,10 +2883,18 @@ static int hso_probe(struct usb_interface *interface,
 
 	/* Get the interface/port specification from either driver_info or from
 	 * the device itself */
-	if (id->driver_info)
+	if (id->driver_info) {
+		/* if_num is controlled by the device, driver_info is a 0 terminated
+		 * array. Make sure, the access is in bounds! */
+		for (i = 0; i <= if_num; ++i)
+			if (((u32 *)(id->driver_info))[i] == 0)
+				goto exit;
 		port_spec = ((u32 *)(id->driver_info))[if_num];
-	else
+	} else {
 		port_spec = hso_get_config_data(interface);
+		if (port_spec < 0)
+			goto exit;
+	}
 
 	/* Check if we need to switch to alt interfaces prior to port
 	 * configuration */

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [v2] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
@ 2018-12-10 12:50 Sebastian Andrzej Siewior
  0 siblings, 0 replies; 3+ messages in thread
From: Sebastian Andrzej Siewior @ 2018-12-10 12:50 UTC (permalink / raw)
  To: Greg KH; +Cc: David S. Miller, netdev, linux-usb, Hui Peng, Mathias Payer

On 2018-12-10 09:04:43 [+0100], Greg KH wrote:
> From: Hui Peng <benquike@gmail.com>
> 
> The function hso_probe reads if_num from the USB device (as an u8) and uses
> it without a length check to index an array, resulting in an OOB memory read
> in hso_probe or hso_get_config_data. Added a length check for both locations
> and updated hso_probe to bail on error.

The function hso_probe reads if_num from the USB device (as an u8) and uses
it without a length check to index an array, resulting in an OOB memory read
in hso_probe or hso_get_config_data.

Add a length check for both locations and update hso_probe to bail on
error.

> This issue has been assigned CVE-2018-19985.
>
> Reported-by: Hui Peng <benquike@gmail.com>
> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
> Signed-off-by: Hui Peng <benquike@gmail.com>
> Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

Sebastian

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [v2] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
@ 2018-12-12 11:40 Greg Kroah-Hartman
  0 siblings, 0 replies; 3+ messages in thread
From: Greg Kroah-Hartman @ 2018-12-12 11:40 UTC (permalink / raw)
  To: Sebastian Andrzej Siewior
  Cc: David S. Miller, netdev, linux-usb, Hui Peng, Mathias Payer

On Mon, Dec 10, 2018 at 01:50:20PM +0100, Sebastian Andrzej Siewior wrote:
> On 2018-12-10 09:04:43 [+0100], Greg KH wrote:
> > From: Hui Peng <benquike@gmail.com>
> > 
> > The function hso_probe reads if_num from the USB device (as an u8) and uses
> > it without a length check to index an array, resulting in an OOB memory read
> > in hso_probe or hso_get_config_data. Added a length check for both locations
> > and updated hso_probe to bail on error.
> 
> The function hso_probe reads if_num from the USB device (as an u8) and uses
> it without a length check to index an array, resulting in an OOB memory read
> in hso_probe or hso_get_config_data.
> 
> Add a length check for both locations and update hso_probe to bail on
> error.
> 
> > This issue has been assigned CVE-2018-19985.
> >
> > Reported-by: Hui Peng <benquike@gmail.com>
> > Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
> > Signed-off-by: Hui Peng <benquike@gmail.com>
> > Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

Thanks, will update the changelog and add resend.

greg k-h

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2018-12-12 11:40 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-12-10  8:04 [v2] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data Greg Kroah-Hartman
  -- strict thread matches above, loose matches on Subject: below --
2018-12-10 12:50 Sebastian Andrzej Siewior
2018-12-12 11:40 Greg Kroah-Hartman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).