ACK/Cmnt: [PATCH] USB: core: prevent malicious bNumInterfaces overflow

Stefan Bader stefan.bader at canonical.com
Mon Jul 23 12:45:36 UTC 2018 

On 23.07.2018 11:40, Paolo Pisati wrote:
> From: Alan Stern <stern at rowland.harvard.edu>
> 
> A malicious USB device with crafted descriptors can cause the kernel
> to access unallocated memory by setting the bNumInterfaces value too
> high in a configuration descriptor.  Although the value is adjusted
> during parsing, this adjustment is skipped in one of the error return
> paths.
> 
> This patch prevents the problem by setting bNumInterfaces to 0
> initially.  The existing code already sets it to the proper value
> after parsing is complete.
> 
> Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
> Reported-by: Andrey Konovalov <andreyknvl at google.com>
> CC: <stable at vger.kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>

CVE-2017-17558

> (cherry picked from commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7)
> Signed-off-by: Paolo Pisati <paolo.pisati at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---

As Sam already pointed out: CVE number missing.

>  drivers/usb/core/config.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
> index 4cf67fc..b58452f 100644
> --- a/drivers/usb/core/config.c
> +++ b/drivers/usb/core/config.c
> @@ -425,6 +425,9 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
>  	unsigned iad_num = 0;
>  
>  	memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
> +	nintf = nintf_orig = config->desc.bNumInterfaces;
> +	config->desc.bNumInterfaces = 0;	// Adjusted later
> +
>  	if (config->desc.bDescriptorType != USB_DT_CONFIG ||
>  	    config->desc.bLength < USB_DT_CONFIG_SIZE ||
>  	    config->desc.bLength > size) {
> @@ -438,7 +441,6 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
>  	buffer += config->desc.bLength;
>  	size -= config->desc.bLength;
>  
> -	nintf = nintf_orig = config->desc.bNumInterfaces;
>  	if (nintf > USB_MAXINTERFACES) {
>  		dev_warn(ddev, "config %d has too many interfaces: %d, "
>  		    "using maximum allowed: %d\n",
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20180723/2173a8a5/attachment.sig>

More information about the kernel-team mailing list