diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-04-19 10:14:21 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-04-19 10:14:55 -0400 |
commit | 81f7b31b57d0522ff7ffb95f3d2621ac3ce7ab0b (patch) | |
tree | e913c4e5e53e748fca3470a5dc9dfa48cb10cf72 | |
parent | da97aab847f0c9ed9aceeb0a03d0eb234d6e5cba (diff) | |
download | kernel-81f7b31b57d0522ff7ffb95f3d2621ac3ce7ab0b.tar.gz kernel-81f7b31b57d0522ff7ffb95f3d2621ac3ce7ab0b.tar.xz kernel-81f7b31b57d0522ff7ffb95f3d2621ac3ce7ab0b.zip |
CVE-2016-3955 usbip: buffer overflow by trusting length of incoming packets (rhbz 1328478 1328479)
-rw-r--r-- | USB-usbip-fix-potential-out-of-bounds-write.patch | 45 | ||||
-rw-r--r-- | kernel.spec | 6 |
2 files changed, 51 insertions, 0 deletions
diff --git a/USB-usbip-fix-potential-out-of-bounds-write.patch b/USB-usbip-fix-potential-out-of-bounds-write.patch new file mode 100644 index 000000000..3d9f7c294 --- /dev/null +++ b/USB-usbip-fix-potential-out-of-bounds-write.patch @@ -0,0 +1,45 @@ +From b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb Mon Sep 17 00:00:00 2001 +From: Ignat Korchagin <ignat.korchagin@gmail.com> +Date: Thu, 17 Mar 2016 18:00:29 +0000 +Subject: [PATCH] USB: usbip: fix potential out-of-bounds write + +Fix potential out-of-bounds write to urb->transfer_buffer +usbip handles network communication directly in the kernel. When receiving a +packet from its peer, usbip code parses headers according to protocol. As +part of this parsing urb->actual_length is filled. Since the input for +urb->actual_length comes from the network, it should be treated as untrusted. +Any entity controlling the network may put any value in the input and the +preallocated urb->transfer_buffer may not be large enough to hold the data. +Thus, the malicious entity is able to write arbitrary data to kernel memory. + +Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/usb/usbip/usbip_common.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c +index facaaf003f19..e40da7759a0e 100644 +--- a/drivers/usb/usbip/usbip_common.c ++++ b/drivers/usb/usbip/usbip_common.c +@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb) + if (!(size > 0)) + return 0; + ++ if (size > urb->transfer_buffer_length) { ++ /* should not happen, probably malicious packet */ ++ if (ud->side == USBIP_STUB) { ++ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); ++ return 0; ++ } else { ++ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); ++ return -EPIPE; ++ } ++ } ++ + ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size); + if (ret != size) { + dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret); +-- +2.5.5 + diff --git a/kernel.spec b/kernel.spec index 19158e069..55a5b6fa9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -655,6 +655,9 @@ Patch698: 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch # CVE-2016-3961 rhbz 1327219 1323956 Patch699: x86-xen-suppress-hugetlbfs-in-PV-guests.patch +# CVE-2016-3955 rhbz 1328478 1328479 +Patch700: USB-usbip-fix-potential-out-of-bounds-write.patch + # END OF PATCH DEFINITIONS %endif @@ -2176,6 +2179,9 @@ fi # # %changelog +* Tue Apr 19 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-3955 usbip: buffer overflow by trusting length of incoming packets (rhbz 1328478 1328479) + * Fri Apr 15 2016 Josh Boyer <jwboyer@fedoraproject.org> - CVE-2016-3961 xen: hugetlbfs use may crash PV guests (rhbz 1327219 1323956) |