diff --git a/USB-usbip-fix-potential-out-of-bounds-write.patch b/USB-usbip-fix-potential-out-of-bounds-write.patch new file mode 100644 index 0000000..3d9f7c2 --- /dev/null +++ b/USB-usbip-fix-potential-out-of-bounds-write.patch @@ -0,0 +1,45 @@ +From b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb Mon Sep 17 00:00:00 2001 +From: Ignat Korchagin +Date: Thu, 17 Mar 2016 18:00:29 +0000 +Subject: [PATCH] USB: usbip: fix potential out-of-bounds write + +Fix potential out-of-bounds write to urb->transfer_buffer +usbip handles network communication directly in the kernel. When receiving a +packet from its peer, usbip code parses headers according to protocol. As +part of this parsing urb->actual_length is filled. Since the input for +urb->actual_length comes from the network, it should be treated as untrusted. +Any entity controlling the network may put any value in the input and the +preallocated urb->transfer_buffer may not be large enough to hold the data. +Thus, the malicious entity is able to write arbitrary data to kernel memory. + +Signed-off-by: Ignat Korchagin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/usbip_common.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c +index facaaf003f19..e40da7759a0e 100644 +--- a/drivers/usb/usbip/usbip_common.c ++++ b/drivers/usb/usbip/usbip_common.c +@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb) + if (!(size > 0)) + return 0; + ++ if (size > urb->transfer_buffer_length) { ++ /* should not happen, probably malicious packet */ ++ if (ud->side == USBIP_STUB) { ++ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); ++ return 0; ++ } else { ++ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); ++ return -EPIPE; ++ } ++ } ++ + ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size); + if (ret != size) { + dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret); +-- +2.5.5 + diff --git a/kernel.spec b/kernel.spec index b45a843..1527565 100644 --- a/kernel.spec +++ b/kernel.spec @@ -664,6 +664,9 @@ Patch698: 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch # CVE-2016-3961 rhbz 1327219 1323956 Patch699: x86-xen-suppress-hugetlbfs-in-PV-guests.patch +# CVE-2016-3955 rhbz 1328478 1328479 +Patch700: USB-usbip-fix-potential-out-of-bounds-write.patch + # END OF PATCH DEFINITIONS %endif @@ -1391,6 +1394,9 @@ ApplyPatch 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch # CVE-2016-3961 rhbz 1327219 1323956 ApplyPatch x86-xen-suppress-hugetlbfs-in-PV-guests.patch +# CVE-2016-3955 rhbz 1328478 1328479 +ApplyPatch USB-usbip-fix-potential-out-of-bounds-write.patch + # END OF PATCH APPLICATIONS %endif @@ -2240,6 +2246,9 @@ fi # # %changelog +* Tue Apr 19 2016 Josh Boyer +- CVE-2016-3955 usbip: buffer overflow by trusting length of incoming packets (rhbz 1328478 1328479) + * Fri Apr 15 2016 Josh Boyer - CVE-2016-3961 xen: hugetlbfs use may crash PV guests (rhbz 1327219 1323956)