diff --git a/USB-core-prevent-malicious-bNumInterfaces-overflow.patch b/USB-core-prevent-malicious-bNumInterfaces-overflow.patch
new file mode 100644
index 0000000..d09b253
--- /dev/null
+++ b/USB-core-prevent-malicious-bNumInterfaces-overflow.patch
@@ -0,0 +1,48 @@
+From 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Tue, 12 Dec 2017 14:25:13 -0500
+Subject: [PATCH] USB: core: prevent malicious bNumInterfaces overflow
+
+A malicious USB device with crafted descriptors can cause the kernel
+to access unallocated memory by setting the bNumInterfaces value too
+high in a configuration descriptor. Although the value is adjusted
+during parsing, this adjustment is skipped in one of the error return
+paths.
+
+This patch prevents the problem by setting bNumInterfaces to 0
+initially. The existing code already sets it to the proper value
+after parsing is complete.
+
+Signed-off-by: Alan Stern
+Reported-by: Andrey Konovalov
+CC:
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/core/config.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
+index 55b198ba629b..78e92d29f8d9 100644
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -555,6 +555,9 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
+ unsigned iad_num = 0;
+
+ memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
++ nintf = nintf_orig = config->desc.bNumInterfaces;
++ config->desc.bNumInterfaces = 0; // Adjusted later
++
+ if (config->desc.bDescriptorType != USB_DT_CONFIG ||
+ config->desc.bLength < USB_DT_CONFIG_SIZE ||
+ config->desc.bLength > size) {
+@@ -568,7 +571,6 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
+ buffer += config->desc.bLength;
+ size -= config->desc.bLength;
+
+- nintf = nintf_orig = config->desc.bNumInterfaces;
+ if (nintf > USB_MAXINTERFACES) {
+ dev_warn(ddev, "config %d has too many interfaces: %d, "
+ "using maximum allowed: %d\n",
+--
+2.14.3
+
diff --git a/kernel.spec b/kernel.spec
index e7fd007..765dc5b 100644
--- a/kernel.spec
+++ b/kernel.spec
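Review bot: The `// Adjusted later` comment on the new `config->desc.bNumInterfaces = 0;` line in the first inner hunk does not record why the zeroing has to precede the descriptor type/length check, which is the entire fix for CVE-2017-17558 — a later cleanup that drops an apparently redundant store would silently reopen the bug. I would change it to a kernel-style block comment: `/* Keep at 0 until parsing succeeds: the error return below must not leave a device-supplied count behind for the caller's cleanup to index with */` (`//` comments are also discouraged by the kernel coding style). The later store of the clamped `nintf` back into `config->desc.bNumInterfaces`, and the error return after the validity check, both lie outside this hunk, so the fix relies on no path between them re-assigning the field from the descriptor; that is worth re-checking whenever this backport is rebased, since `usb_parse_configuration()` starts and ends outside the hunk.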
@@ -629,6 +629,9 @@ Patch399: arm64-thunderX-fix-ipv6-checksum-offload.patch
 # rbhz 1519591 1520764
 Patch500: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
+# rhbz 1525474 1525476
+Patch501: USB-core-prevent-malicious-bNumInterfaces-overflow.patch
+
 # 600 - Patches for improved Bay and Cherry Trail device support
 # Below patches are submitted upstream, awaiting review / merging
 Patch601: 0001-Input-gpio_keys-Allow-suppression-of-input-events-fo.patch
@@ -2207,6 +2210,9 @@ fi
 #
 #
 %changelog
+* Wed Dec 13 2017 Jeremy Cline
+- Fix CVE-2017-17558 (rhbz 1525474 1525476)
+
 * Tue Dec 12 2017 Jeremy Cline
 - Fix CVE-2017-8824 (rhbz 1519591 1520764)