CVE-2016-3955 usbip: buffer overflow by trusting length of incoming packets (rhbz 1328478 1328479)

2 files changed, 51 insertions, 0 deletions

diff --git a/USB-usbip-fix-potential-out-of-bounds-write.patch b/USB-usbip-fix-potential-out-of-bounds-write.patch
new file mode 100644
index 000000000..3d9f7c294
--- /dev/null
+++ b/USB-usbip-fix-potential-out-of-bounds-write.patch
@@ -0,0 +1,45 @@
+From b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb Mon Sep 17 00:00:00 2001
+From: Ignat Korchagin <ignat.korchagin@gmail.com>
+Date: Thu, 17 Mar 2016 18:00:29 +0000
+Subject: [PATCH] USB: usbip: fix potential out-of-bounds write
+
+Fix potential out-of-bounds write to urb->transfer_buffer
+usbip handles network communication directly in the kernel. When receiving a
+packet from its peer, usbip code parses headers according to protocol. As
+part of this parsing urb->actual_length is filled. Since the input for
+urb->actual_length comes from the network, it should be treated as untrusted.
+Any entity controlling the network may put any value in the input and the
+preallocated urb->transfer_buffer may not be large enough to hold the data.
+Thus, the malicious entity is able to write arbitrary data to kernel memory.
+
+Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/usbip_common.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c
+index facaaf003f19..e40da7759a0e 100644
+--- a/drivers/usb/usbip/usbip_common.c
++++ b/drivers/usb/usbip/usbip_common.c
+@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb)
+ 	if (!(size > 0))
+ 		return 0;
+ 
++	if (size > urb->transfer_buffer_length) {
++		/* should not happen, probably malicious packet */
++		if (ud->side == USBIP_STUB) {
++			usbip_event_add(ud, SDEV_EVENT_ERROR_TCP);
++			return 0;
++		} else {
++			usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
++			return -EPIPE;
++		}
++	}
++
+ 	ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size);
+ 	if (ret != size) {
+ 		dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret);
+-- 
+2.5.5
+
diff --git a/kernel.spec b/kernel.spec
index 19158e069..55a5b6fa9 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -655,6 +655,9 @@ Patch698: 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch
 # CVE-2016-3961 rhbz 1327219 1323956
 Patch699: x86-xen-suppress-hugetlbfs-in-PV-guests.patch
 
+# CVE-2016-3955 rhbz 1328478 1328479
+Patch700: USB-usbip-fix-potential-out-of-bounds-write.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2176,6 +2179,9 @@ fi
 #
 # 
 %changelog
+* Tue Apr 19 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-3955 usbip: buffer overflow by trusting length of incoming packets  (rhbz 1328478 1328479)
+
 * Fri Apr 15 2016 Josh Boyer <jwboyer@fedoraproject.org>
 - CVE-2016-3961 xen: hugetlbfs use may crash PV guests (rhbz 1327219 1323956)