diff options
Diffstat (limited to 'USB-usbip-fix-potential-out-of-bounds-write.patch')
-rw-r--r-- | USB-usbip-fix-potential-out-of-bounds-write.patch | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/USB-usbip-fix-potential-out-of-bounds-write.patch b/USB-usbip-fix-potential-out-of-bounds-write.patch new file mode 100644 index 000000000..3d9f7c294 --- /dev/null +++ b/USB-usbip-fix-potential-out-of-bounds-write.patch @@ -0,0 +1,45 @@ +From b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb Mon Sep 17 00:00:00 2001 +From: Ignat Korchagin <ignat.korchagin@gmail.com> +Date: Thu, 17 Mar 2016 18:00:29 +0000 +Subject: [PATCH] USB: usbip: fix potential out-of-bounds write + +Fix potential out-of-bounds write to urb->transfer_buffer +usbip handles network communication directly in the kernel. When receiving a +packet from its peer, usbip code parses headers according to protocol. As +part of this parsing urb->actual_length is filled. Since the input for +urb->actual_length comes from the network, it should be treated as untrusted. +Any entity controlling the network may put any value in the input and the +preallocated urb->transfer_buffer may not be large enough to hold the data. +Thus, the malicious entity is able to write arbitrary data to kernel memory. + +Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/usb/usbip/usbip_common.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c +index facaaf003f19..e40da7759a0e 100644 +--- a/drivers/usb/usbip/usbip_common.c ++++ b/drivers/usb/usbip/usbip_common.c +@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb) + if (!(size > 0)) + return 0; + ++ if (size > urb->transfer_buffer_length) { ++ /* should not happen, probably malicious packet */ ++ if (ud->side == USBIP_STUB) { ++ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); ++ return 0; ++ } else { ++ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); ++ return -EPIPE; ++ } ++ } ++ + ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size); + if (ret != size) { + dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret); +-- +2.5.5 + |